wireapp · smatting · Mar 5, 2024 · Mar 4, 2024 · Mar 4, 2024 · Mar 4, 2024
diff --git a/changelog.d/2-features/claim-key-packages-rate-limit b/changelog.d/2-features/claim-key-packages-rate-limit
@@ -0,0 +1 @@
+charts/nginz: Rate limiting claiming MLS key-pacakges by requesting and target user
diff --git a/changelog.d/2-features/one2one-rate-limit b/changelog.d/2-features/one2one-rate-limit
@@ -0,0 +1 @@
+charts/nginz: Allow 3000 reqs/min on /conversations/one2one/:user_domain/:user
diff --git a/charts/nginz/templates/conf/_nginx.conf.tpl b/charts/nginz/templates/conf/_nginx.conf.tpl
@@ -125,6 +125,11 @@ http {
       0 "";
   }
 
+  map $rate_limit $rate_limited_by_zuser_path {
+      1 "$zauth_user$uri";
+      0 "";
+  }
+
   map $http_origin $cors_header {
       default "";
     {{ range $origin := .Values.nginx_conf.allowlisted_origins }}

diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
@@ -67,6 +67,8 @@ nginx_conf:
   user_rate_limit_request_zones:
     - limit_req_zone $rate_limited_by_addr zone=reqs_per_addr_sso:12m rate=50r/s;
     - limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m;
+    - limit_req_zone $rate_limited_by_zuser_path zone=key_package_claims:12m rate=100r/m;
+    - limit_req_zone $rate_limited_by_zuser zone=one2one_conv:12m rate=3000r/m;
 
   # The origins from which we allow CORS requests. These are combined with
   # 'external_env_domain' and 'additional_external_env_domains' to form a full
@@ -209,6 +211,11 @@ nginx_conf:
     - path: /clients
       envs:
       - all
+    - path: /mls/key-packages/claim
+      envs:
+      - all
+      specific_user_rate_limit: key_package_claims
+      specific_user_rate_limit_burst: 100
     - path: /mls/key-packages
       envs:
       - all
@@ -440,6 +447,15 @@ nginx_conf:
       - all
       max_body_size: 40m
       body_buffer_size: 256k
+    - path: /conversations/one2one/
+      envs:
+      - all
+      # During MLS migration, this endpoint gets called _a lot_.
+      specific_user_rate_limit: one2one_conv
+      specific_user_rate_limit_burst: 1000
+      # The name is a little misleading, this just disables default rate
+      # limiting in favour of the specific one defined above.
+      unlimited_requests_endpoint: true
     - path: /conversations/([^/]*)/([^/]*)/protocol
       envs:
       - all
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		charts/nginz: Rate limiting claiming MLS key-pacakges by requesting and target user
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		charts/nginz: Allow 3000 reqs/min on /conversations/one2one/:user_domain/:user