Add new limits.

letsencrypt · Dec 15, 2023 · 70590e2 · 70590e2
1 parent 15a7def
commit 70590e2
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 57 deletions.
diff --git a/test/config-next/wfe2-ratelimit-defaults.yml b/test/config-next/wfe2-ratelimit-defaults.yml
@@ -1,2 +1,24 @@
-NewRegistrationsPerIPAddress: { burst: 10000, count: 10000, period: 168h }
-NewRegistrationsPerIPv6Range: { burst: 99999, count: 99999, period: 168h }
+CertificatesPerDomain:
+  count: 2
+  burst: 2
+  period: 2160h
+NewRegistrationsPerIPAddress:
+  count: 10000
+  burst: 10000
+  period: 168h
+NewRegistrationsPerIPv6Range:
+  count: 99999
+  burst: 99999
+  period: 168h
+FailedAuthorizationsPerAccount:
+  count: 3
+  burst: 3
+  period: 5m
+NewOrdersPerAccount:
+  count: 1500
+  burst: 1500
+  period: 3h
+CertificatesPerFQDNSet:
+  count: 6
+  burst: 6
+  period: 168h
diff --git a/test/config-next/wfe2-ratelimit-overrides.yml b/test/config-next/wfe2-ratelimit-overrides.yml
@@ -2,4 +2,39 @@
     burst: 1000000
     count: 1000000
     period: 168h
-    ids: [127.0.0.1]
+    ids:
+      - 127.0.0.1
+- CertificatesPerDomain:
+    burst: 1
+    count: 1
+    period: 2160h
+    ids:
+      - ratelimit.me
+- CertificatesPerDomain:
+    burst: 10000
+    count: 10000
+    period: 2160h
+    ids:
+      - le.wtf
+      - le1.wtf
+      - le2.wtf
+      - le3.wtf
+      - nginx.wtf
+      - good-caa-reserved.com
+      - bad-caa-reserved.com
+      - ecdsa.le.wtf
+      - must-staple.le.wtf
+- CertificatesPerFQDNSet:
+    burst: 10000
+    count: 10000
+    period: 168h
+    ids:
+      - le.wtf
+      - le1.wtf
+      - le2.wtf
+      - le3.wtf
+      - le.wtf,le1.wtf
+      - good-caa-reserved.com
+      - nginx.wtf
+      - ecdsa.le.wtf
+      - must-staple.le.wtf
diff --git a/test/rate-limit-policies-b.yml b/test/rate-limit-policies-b.yml
diff --git a/test/v2_integration.py b/test/v2_integration.py
@@ -1565,6 +1565,11 @@ def test_renewal_exemption():
     chisel2.expect_problem("urn:ietf:params:acme:error:rateLimited",
         lambda: chisel2.auth_and_issue(["mail." + base_domain]))
 
+# TODO(#5545)
+#   - Phase 2: Once the new rate limits are authoritative in config-next, ensure
+#     that this test only runs in config.
+#   - Phase 3: Once the new rate limits are authoritative in config, remove this
+#     test entirely.
 def test_certificates_per_name():
     chisel2.expect_problem("urn:ietf:params:acme:error:rateLimited",
         lambda: chisel2.auth_and_issue([random_domain() + ".lim.it"]))