From 140acfcc5f368d0e4341961076955592e0aafec0 Mon Sep 17 00:00:00 2001
From: Karmanyaah Malhotra
Date: Thu, 24 Nov 2022 14:12:43 -0500
Subject: [PATCH] Exempt Matrix server from ntfy rate limit (#2135)

* Exempt Matrix server from ntfy rate limit
Add the matrix fqdn and localhost to ntfy's exemption list. Also allow all ntfy rate limits to be configured through Ansible variables.
* Fix names and formatting
* fixes
* tabs not spaces
* Lint
* Use raw tags instead of bracket soup
---
 roles/custom/matrix-ntfy/defaults/main.yml | 8 ++++++++
 roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 | 7 +++++++
 .../matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 | 5 +++--
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/roles/custom/matrix-ntfy/defaults/main.yml b/roles/custom/matrix-ntfy/defaults/main.yml
index 66d9a19c6..981eba362 100644
--- a/roles/custom/matrix-ntfy/defaults/main.yml
+++ b/roles/custom/matrix-ntfy/defaults/main.yml
@@ -14,6 +14,14 @@ matrix_ntfy_docker_image_force_pull: "{{ matrix_ntfy_docker_image.endswith(':lat
 # Public facing base URL of the ntfy service
 matrix_ntfy_base_url: "https://{{ matrix_server_fqn_ntfy }}"
 
+# Rate limits
+
+matrix_ntfy_global_topic_limit: 15000 # default
+matrix_ntfy_visitor_subscription_limit: 30 # default
+matrix_ntfy_visitor_request_limit_burst: 60 # default
+matrix_ntfy_visitor_request_limit_replenish: "5s" # default
+
+
 # Controls whether the container exposes its HTTP port (tcp/80 in the container).
 #
 # Takes an ":" or "" value (e.g. "127.0.0.1:2586"), or empty string to not expose.
diff --git a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2 b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2
index 096991a70..9815fd6b4 100644
--- a/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2
+++ b/roles/custom/matrix-ntfy/templates/ntfy/server.yml.j2
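Review bot: The four new `matrix_ntfy_*` variables carry only `# default` as their inline comment, which tells the next maintainer neither whose default that is nor what the knob throttles. If these mirror ntfy's built-in values, say so in a header comment above the block, e.g. `# Rate limits rendered into ntfy's server.yml; the values below match ntfy's built-in defaults`, and give each key a short hint of what it limits (global topic count, per-visitor subscriptions, per-visitor request burst and replenish interval) so the role's defaults file is self-explanatory. Separately, yamllint's `comments` rule wants at least two spaces before an inline `#`, so `matrix_ntfy_global_topic_limit: 15000  # default` (and the three siblings) is the lint-clean form, which matters given the commit's own "Lint" step.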
@@ -2,3 +2,10 @@ base_url: {{ matrix_ntfy_base_url }}
 behind_proxy: true
 cache_file: /data/cache.db
 listen-http: :8080
+
+# Rate Limits
+global-topic-limit: {{ matrix_ntfy_global_topic_limit | to_json }}
+visitor-subscription-limit: {{ matrix_ntfy_visitor_subscription_limit | to_json }}
+
+visitor-request-limit-burst: {{ matrix_ntfy_visitor_request_limit_burst | to_json }}
+visitor-request-limit-replenish: "{{ matrix_ntfy_visitor_request_limit_replenish }}"
diff --git a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2 b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2
index a10cb5844..5c2feac01 100644
--- a/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2
+++ b/roles/custom/matrix-ntfy/templates/systemd/matrix-ntfy.service.j2
@@ -11,11 +11,12 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'
 
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \
+ExecStart={{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-ntfy \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
+			--env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS={{matrix_server_fqn_matrix}},localhost,$(docker network inspect {{matrix_docker_network}} -f "{% raw %}{{ (index .IPAM.Config 0).Subnet }}{% endraw %}") \
 			{% for arg in matrix_ntfy_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
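Review bot: The new `visitor-request-limit-replenish` line hand-quotes its value while its three sibling keys go through `| to_json`; if an operator sets the Ansible variable to something other than a plain string (or to a string containing a double quote), the hand-written quoting renders differently from the rest of the block. `visitor-request-limit-replenish: {{ matrix_ntfy_visitor_request_limit_replenish | to_json }}` makes all four rate-limit keys render the same way. The stray blank line between `visitor-subscription-limit` and `visitor-request-limit-burst` also splits the single stanza introduced by the `# Rate Limits` comment; dropping it keeps the block together.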
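Review bot: The added `--env NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS=…` line runs a bare `docker network inspect` inside the new `sh -c '…'` string, whereas every other docker invocation in this unit uses `{{ devture_systemd_docker_base_host_command_docker }}`; on a host where that variable is overridden or `docker` is not on the unit's PATH, the substitution fails, and because plain `sh -c` does not abort on a failed `$(…)`, the container still starts with the value `…,localhost,` — a trailing empty entry and no subnet, so the exemption this commit exists to add silently disappears (how ntfy treats the empty entry is not visible here). `$({{ devture_systemd_docker_base_host_command_docker }} network inspect {{ matrix_docker_network }} -f "…")` keeps the call consistent with the rest of the unit. The exempt list also covers the whole IPAM subnet of `{{ matrix_docker_network }}`, so every container on that network, not only the homeserver, is exempt from the per-visitor request limit; a template comment such as `{# Exempt the homeserver, localhost and the entire matrix docker network subnet from ntfy's visitor rate limit #}` above the line would make that scope explicit to operators. Finally, `{{matrix_server_fqn_matrix}}` and `{{matrix_docker_network}}` are the only unspaced Jinja expressions in the file; `{{ matrix_server_fqn_matrix }}` matches the surrounding style.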
@@ -26,7 +27,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			--mount type=bind,src={{ matrix_ntfy_config_dir_path }},dst=/etc/ntfy,ro \
 			--mount type=bind,src={{ matrix_ntfy_data_path }},dst=/data \
 			{{ matrix_ntfy_docker_image }} \
-			serve
+			serve'
 
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-ntfy 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-ntfy 2>/dev/null || true'