Merge pull request #88 from alphagov/add-rate-limiting

Enable edge rate limiting
alphagov · Jul 12, 2024 · e31e140 · e31e140
2 parents 6cdeb93 + 153e0c4
commit e31e140
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 0 deletions.
diff --git a/modules/assets/main.tf b/modules/assets/main.tf
@@ -94,6 +94,24 @@ resource "fastly_service_vcl" "service" {
     }
   }
 
+  rate_limiter {
+    name = "rate_limiter"
+
+    rps_limit            = 500
+    window_size          = 10
+    penalty_box_duration = 5
+
+    client_key   = "req.http.Fastly-Client-IP"
+    http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+    action = "response"
+    response {
+      content      = "Too many requests"
+      content_type = "plain/text"
+      status       = 429
+    }
+  }
+
   dynamic "logging_splunk" {
     for_each = {
       for splunk in lookup(var.secrets, "splunk", []) : splunk.name => splunk

diff --git a/modules/bouncer/main.tf b/modules/bouncer/main.tf
@@ -32,6 +32,24 @@ resource "fastly_service_vcl" "service" {
     })
   }
 
+  rate_limiter {
+    name = "rate_limiter"
+
+    rps_limit            = 500
+    window_size          = 10
+    penalty_box_duration = 5
+
+    client_key   = "req.http.Fastly-Client-IP"
+    http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+    action = "response"
+    response {
+      content      = "Too many requests"
+      content_type = "plain/text"
+      status       = 429
+    }
+  }
+
   dynamic "logging_s3" {
     for_each = {
       for s3 in lookup(var.secrets, "s3", []) : s3.name => s3

diff --git a/modules/datagovuk/main.tf b/modules/datagovuk/main.tf
@@ -111,6 +111,24 @@ resource "fastly_service_vcl" "service" {
     force_ssl = true
   }
 
+  rate_limiter {
+    name = "rate_limiter"
+
+    rps_limit            = 500
+    window_size          = 10
+    penalty_box_duration = 5
+
+    client_key   = "req.http.Fastly-Client-IP"
+    http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+    action = "response"
+    response {
+      content      = "Too many requests"
+      content_type = "plain/text"
+      status       = 429
+    }
+  }
+
   dynamic "logging_splunk" {
     for_each = {
       for splunk in lookup(var.secrets, "splunk", []) : splunk.name => splunk

diff --git a/modules/www/main.tf b/modules/www/main.tf
@@ -109,6 +109,24 @@ resource "fastly_service_vcl" "service" {
     }
   }
 
+  rate_limiter {
+    name = "rate_limiter"
+
+    rps_limit            = 500
+    window_size          = 10
+    penalty_box_duration = 5
+
+    client_key   = "req.http.Fastly-Client-IP"
+    http_methods = "GET,PUT,TRACE,POST,HEAD,DELETE,PATCH,OPTIONS"
+
+    action = "response"
+    response {
+      content      = "Too many requests"
+      content_type = "plain/text"
+      status       = 429
+    }
+  }
+
   dynamic "logging_splunk" {
     for_each = {
       for splunk in try(var.secrets["splunk"], []) : splunk.name => splunk