-[reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47)
11
10
-[should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L74)
12
11
-[should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L91)
13
12
-[should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L112)
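Review bot: Dropping the entry "reject ingress with global-rate-limit annotations when memcached is not configured" at the top of this hunk leaves no admission test listed here for an Ingress that still carries `global-rate-limit` annotations. Please add a test, or state in the docs, whether admission now rejects such an Ingress or accepts it and ignores the annotations, because in the second case a limit the user configured would stop being enforced without any signal.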
@@ -173,8 +172,6 @@ Do not try to edit it manually.
-[should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L31)
422
419
-[should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L37)
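Review bot: The hunk header context reads "Do not try to edit it manually.", so the entries dropped from this index should come from re-running the generator after the test files were deleted, not from a hand edit. Please confirm that is how this file was produced, so the `#L…` anchors of the remaining entries stay in sync with the test sources.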
@@ -560,46 +556,6 @@ To configure settings globally for all Ingress rules, the `limit-rate-after` and
560
556
561
557
The client IP address will be set based on the use of [PROXY protocol](./configmap.md#use-proxy-protocol) or from the `X-Forwarded-For` header value when [use-forwarded-headers](./configmap.md#use-forwarded-headers) is enabled.
562
558
563
-
### Global Rate Limiting
564
-
565
-
**Note:** Be careful when configuring both (Local) Rate Limiting and Global Rate Limiting at the same time.
566
-
They are two completely different rate limiting implementations. Whichever limit exceeds first will reject the
567
-
requests. It might be a good idea to configure both of them to ease load on Global Rate Limiting backend
568
-
in cases of spike in traffic.
569
-
570
-
The stock NGINX rate limiting does not share its counters among different NGINX instances.
571
-
Given that most ingress-nginx deployments are elastic and number of replicas can change any day
572
-
it is impossible to configure a proper rate limit using stock NGINX functionalities.
573
-
Global Rate Limiting overcome this by using [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle). `lua-resty-global-throttle` shares its counters via a central store such as `memcached`.
574
-
The obvious shortcoming of this is users have to deploy and operate a `memcached` instance
575
-
in order to benefit from this functionality. Configure the `memcached`
576
-
using [these configmap settings](./configmap.md#global-rate-limit).
577
-
578
-
**Here are a few remarks for ingress-nginx integration of `lua-resty-global-throttle`:**
579
-
580
-
1. We minimize `memcached` access by caching exceeding limit decisions. The expiry of
581
-
cache entry is the desired delay `lua-resty-global-throttle` calculates for us.
582
-
The Lua Shared Dictionary used for that is `global_throttle_cache`. Currently its size defaults to 10M.
583
-
Customize it as per your needs using [lua-shared-dicts](./configmap.md#lua-shared-dicts).
584
-
When we fail to cache the exceeding limit decision then we log an NGINX error. You can monitor
585
-
for that error to decide if you need to bump the cache size. Without cache the cost of processing a
586
-
request is two memcached commands: `GET`, and `INCR`. With the cache it is only `INCR`.
587
-
1. Log NGINX variable `$global_rate_limit_exceeding`'s value to have some visibility into
588
-
what portion of requests are rejected (value `y`), whether they are rejected using cached decision (value `c`),
589
-
or if they are not rejected (default value `n`). You can use [log-format-upstream](./configmap.md#log-format-upstream)
590
-
to include that in access logs.
591
-
1. In case of an error it will log the error message and **fail open**.
592
-
1. The annotations below creates Global Rate Limiting instance per ingress.
593
-
That means if there are multiple paths configured under the same ingress,
594
-
the Global Rate Limiting will count requests to all the paths under the same counter.
595
-
Extract a path out into its own ingress if you need to isolate a certain path.
596
-
597
-
598
-
* `nginx.ingress.kubernetes.io/global-rate-limit`: Configures maximum allowed number of requests per window. Required.
599
-
* `nginx.ingress.kubernetes.io/global-rate-limit-window`: Configures a time window (i.e `1m`) that the limit is applied. Required.
600
-
* `nginx.ingress.kubernetes.io/global-rate-limit-key`: Configures a key for counting the samples. Defaults to `$remote_addr`. You can also combine multiple NGINX variables here, like `${remote_addr}-${http_x_api_client}` which would mean the limit will be applied to requests coming from the same API client (indicated by `X-API-Client` HTTP request header) with the same source IP address.
601
-
* `nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`: comma separated list of IPs and CIDRs to match client IP against. When there's a match request is not considered for rate limiting.
602
-
603
559
### Permanent Redirect
604
560
605
561
This annotation allows to return a permanent redirect (Return Code 301) instead of sending data to the upstream. For example `nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com` would redirect everything to Google.
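Review bot: The removed "Global Rate Limiting" section is the only place in this hunk that states "The stock NGINX rate limiting does not share its counters among different NGINX instances", and nothing replaces it. Since only the local rate limiting annotations remain, consider keeping one sentence in that section saying limits are counted per NGINX instance, so the effective ceiling grows with the replica count. Also consider a short removal note naming the `nginx.ingress.kubernetes.io/global-rate-limit*` annotations, so users who have them on existing Ingresses learn the feature is gone.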
*`global-rate-limit-status-code`: configure HTTP status code to return when rejecting requests. Defaults to 429.
1355
-
1356
-
Configure `memcached` client for [Global Rate Limiting](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#global-rate-limiting).
1357
-
1358
-
*`global-rate-limit-memcached-host`: IP/FQDN of memcached server to use. Required to enable Global Rate Limiting.
1359
-
*`global-rate-limit-memcached-port`: port of memcached server to use. Defaults default memcached port of `11211`.
1360
-
*`global-rate-limit-memcached-connect-timeout`: configure timeout for connect, send and receive operations. Unit is millisecond. Defaults to 50ms.
1361
-
*`global-rate-limit-memcached-max-idle-timeout`: configure timeout for cleaning idle connections. Unit is millisecond. Defaults to 50ms.
1362
-
*`global-rate-limit-memcached-pool-size`: configure number of max connections to keep alive. Make sure your `memcached` server can handle
1363
-
`global-rate-limit-memcached-pool-size * worker-processes * <number of ingress-nginx replicas>` simultaneous connections.
1364
-
1365
-
These settings get used by [lua-resty-global-throttle](https://github.com/ElvinEfendi/lua-resty-global-throttle)
1366
-
that ingress-nginx includes. Refer to the link to learn more about `lua-resty-global-throttle`.
1367
-
1368
1346
## service-upstream
1369
1347
1370
1348
Set if the service's Cluster IP and port should be used instead of a list of all endpoints. This can be overwritten by an annotation on an Ingress rule.
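Review bot: The `global-rate-limit-status-code` and `global-rate-limit-memcached-*` keys are deleted from this page with no statement of what happens when a ConfigMap still sets them. Suggest an upgrade note that lists the removed keys, so operators can clean them out of the ConfigMap and retire the `memcached` server that `global-rate-limit-memcached-host` pointed at.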