openstack-ansible/inventory
Jonathan Rosser 2ec6709eee Add default rate-limits for API endpoints and Horizon authentication
This patch adds rate limiting for any API call which results in a
4xx response by applying a common stick-table to each HAProxy
backend definition. The stick table can be overridden to allow
customisation of the behaviour.

An additional stick-table is defined for the Horizon endpoint to
enforce a 20-requests-per-10s-per-source-ip sliding window limit
on the Horizon /auth path. This provides some protection against
credential stuffing attacks and will generate 429 response codes
to the client and in the HAProxy log. The log could be used by an
alerting system to detect potentially malicious traffic.

The defined rate limit does not include traffic from RFC 1918 addresses
and this should be reviewed and overridden as necessary to protect
the external API endpoint.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/848657
Change-Id: I02ed08f9d3d12f7ad2e5dd3a45a699d766933877
2022-07-08 09:43:27 +00:00
env.d Implements framework for ironic_neutron_agent and Neutron 'baremetal' plugin 2021-10-07 08:39:15 -05:00
group_vars Add default rate-limits for API endpoints and Horizon authentication 2022-07-08 09:43:27 +00:00
host_vars/localhost Cleanup after service variables merged 2021-06-02 08:17:30 +00:00
dynamic_inventory.py config: Enable OSA_CONFIG_DIR to customize configuration folder 2019-04-03 15:43:41 -04:00
inventory.ini Implements framework for ironic_neutron_agent and Neutron 'baremetal' plugin 2021-10-07 08:39:15 -05:00
localhost Move inventory files to folder in root of repo 2017-12-16 02:34:33 -08:00