From 70590e27eebd4b49b6359daf7b316b87fc328ad1 Mon Sep 17 00:00:00 2001
From: Samantha
Date: Fri, 15 Dec 2023 14:31:02 -0500
Subject: [PATCH] Add new limits.
---
 test/config-next/wfe2-ratelimit-defaults.yml | 26 ++++++++-
 test/config-next/wfe2-ratelimit-overrides.yml | 37 ++++++++++++-
 test/rate-limit-policies-b.yml | 54 -------------------
 test/v2_integration.py | 5 ++
 4 files changed, 65 insertions(+), 57 deletions(-)
 delete mode 100644 test/rate-limit-policies-b.yml
diff --git a/test/config-next/wfe2-ratelimit-defaults.yml b/test/config-next/wfe2-ratelimit-defaults.yml
index 70551e9d9df9..cb840daa6ec7 100644
--- a/test/config-next/wfe2-ratelimit-defaults.yml
+++ b/test/config-next/wfe2-ratelimit-defaults.yml
@@ -1,2 +1,24 @@
-NewRegistrationsPerIPAddress: { burst: 10000, count: 10000, period: 168h }
-NewRegistrationsPerIPv6Range: { burst: 99999, count: 99999, period: 168h }
+CertificatesPerDomain:
+ count: 2
+ burst: 2
+ period: 2160h
+NewRegistrationsPerIPAddress:
+ count: 10000
+ burst: 10000
+ period: 168h
+NewRegistrationsPerIPv6Range:
+ count: 99999
+ burst: 99999
+ period: 168h
+FailedAuthorizationsPerAccount:
+ count: 3
+ burst: 3
+ period: 5m
+NewOrdersPerAccount:
+ count: 1500
+ burst: 1500
+ period: 3h
+CertificatesPerFQDNSet:
+ count: 6
+ burst: 6
+ period: 168h
diff --git a/test/config-next/wfe2-ratelimit-overrides.yml b/test/config-next/wfe2-ratelimit-overrides.yml
index 9d80ffaf4642..4f45ba82667b 100644
--- a/test/config-next/wfe2-ratelimit-overrides.yml
+++ b/test/config-next/wfe2-ratelimit-overrides.yml
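Review bot: Nothing in the new `wfe2-ratelimit-defaults.yml` says which of these values the integration tests rely on, and several are much tighter than in the removed `test/rate-limit-policies-b.yml` (CertificatesPerDomain `count: 2` against `threshold: 99`, NewOrdersPerAccount `count: 1500` against `9999`). Any hostname not listed in the overrides file now falls under the 2-per-2160h default, so an unlisted test domain would presumably start drawing rateLimited once these limits are enforced. If the low values are deliberate, a header comment would make that clear, for example `# Defaults are intentionally low so tests can trigger rateLimited; test hostnames are raised in wfe2-ratelimit-overrides.yml.` The removed file's `pendingAuthorizationsPerAccount` and `certificatesPerFQDNSetFast` have no counterpart here, which is worth a line in the commit message if intentional.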
@@ -2,4 +2,39 @@
 burst: 1000000
 count: 1000000
 period: 168h
- ids: [127.0.0.1]
+ ids:
+ - 127.0.0.1
+- CertificatesPerDomain:
+ burst: 1
+ count: 1
+ period: 2160h
+ ids:
+ - ratelimit.me
+- CertificatesPerDomain:
+ burst: 10000
+ count: 10000
+ period: 2160h
+ ids:
+ - le.wtf
+ - le1.wtf
+ - le2.wtf
+ - le3.wtf
+ - nginx.wtf
+ - good-caa-reserved.com
+ - bad-caa-reserved.com
+ - ecdsa.le.wtf
+ - must-staple.le.wtf
+- CertificatesPerFQDNSet:
+ burst: 10000
+ count: 10000
+ period: 168h
+ ids:
+ - le.wtf
+ - le1.wtf
+ - le2.wtf
+ - le3.wtf
+ - le.wtf,le1.wtf
+ - good-caa-reserved.com
+ - nginx.wtf
+ - ecdsa.le.wtf
+ - must-staple.le.wtf
diff --git a/test/rate-limit-policies-b.yml b/test/rate-limit-policies-b.yml
deleted file mode 100644
index 2582c3a6ec25..000000000000
--- a/test/rate-limit-policies-b.yml
+++ /dev/null
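Review bot: The 10000-count CertificatesPerDomain id list omits `le4.wtf`, which the removed `test/rate-limit-policies-b.yml` carried at 9999 under `certificatesPerName`. If any integration test still issues for that name, it would fall back to the default of 2 per 2160h; either add `- le4.wtf` to the list or confirm the hostname is unused. The old `lim.it: 0` entry and the per-account `registrationOverrides` (`101: 1000`) are also not carried over. The `lim.it` case appears to be what the TODO on `test_certificates_per_name` covers, but the account override is not mentioned anywhere visible. The explanatory comment was lost as well, so I would restore `# Hostnames used by the letsencrypt client integration test.` above both long `ids:` lists.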
@@ -1,54 +0,0 @@
-# See cmd/shell.go for definitions of these rate limits.
-certificatesPerName:
- window: 2160h
- threshold: 99
- overrides:
- ratelimit.me: 1
- lim.it: 0
- # Hostnames used by the letsencrypt client integration test.
- le.wtf: 9999
- le1.wtf: 9999
- le2.wtf: 9999
- le3.wtf: 9999
- le4.wtf: 9999
- nginx.wtf: 9999
- good-caa-reserved.com: 9999
- bad-caa-reserved.com: 9999
- ecdsa.le.wtf: 9999
- must-staple.le.wtf: 9999
- registrationOverrides:
- 101: 1000
-registrationsPerIP:
- window: 168h # 1 week
- threshold: 9999
- overrides:
- 127.0.0.1: 999990
-registrationsPerIPRange:
- window: 168h # 1 week
- threshold: 99999
- overrides:
- 127.0.0.1: 1000000
-pendingAuthorizationsPerAccount:
- window: 168h # 1 week, should match pending authorization lifetime.
- threshold: 999
-newOrdersPerAccount:
- window: 3h
- threshold: 9999
-certificatesPerFQDNSet:
- window: 168h
- threshold: 99999
- overrides:
- le.wtf: 9999
- le1.wtf: 9999
- le2.wtf: 9999
- le3.wtf: 9999
- le.wtf,le1.wtf: 9999
- good-caa-reserved.com: 9999
- nginx.wtf: 9999
- ecdsa.le.wtf: 9999
- must-staple.le.wtf: 9999
-certificatesPerFQDNSetFast:
- window: 2h
- threshold: 20
- overrides:
- le.wtf: 9
diff --git a/test/v2_integration.py b/test/v2_integration.py
index 6b3843bf9c77..824464f84322 100644
--- a/test/v2_integration.py
+++ b/test/v2_integration.py
@@ -1565,6 +1565,11 @@ def test_renewal_exemption():
 chisel2.expect_problem("urn:ietf:params:acme:error:rateLimited", lambda: chisel2.auth_and_issue(["mail." + base_domain]))
+# TODO(#5545)
+# - Phase 2: Once the new rate limits are authoritative in config-next, ensure
+# that this test only runs in config.
+# - Phase 3: Once the new rate limits are authoritative in config, remove this
+# test entirely.
 def test_certificates_per_name():
 chisel2.expect_problem("urn:ietf:params:acme:error:rateLimited", lambda: chisel2.auth_and_issue([random_domain() + ".lim.it"]))