wireapp · jschaul · Jul 18, 2022 · Jul 14, 2022 · Jul 14, 2022 · Jul 14, 2022
@@ -0,0 +1,7 @@
+Minor fixes in helmcharts:
+- charts/nginz: Rate limit SSO endpoints less
+- charts/nginz: Ensure rate limiting isn't commented out
+- charts/galley: Honour .setttings.httpPoolSize
+- charts/galley: Fix typo in settings.featureFlags.validateSAMLEmails
+- charts/gundeck: Remove aws.connectionLimit
+- charts/brig: Fix default brandLabelUrl and remove brandLabel
@@ -38,8 +38,7 @@ config:
       templateBranding:
         brand: Wire
         brandUrl: https://wire.com
-        brandLabel: wire.com
-        brandLabelUrl: https://wire.com
+        brandLabelUrl: wire.com
         brandLogoUrl: https://wire.com/p/img/email/logo-email-black.png
         brandService: Wire Service Provider
         copyright: © WIRE SWISS GmbH

@@ -142,8 +142,8 @@ http {
   # Rate Limiting
   #
 
-  limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate=10r/s;
-  limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate=5r/m;
+  limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate={{ .Values.nginx_conf.rate_limit_reqs_per_user }};
+  limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate={{ .Values.nginx_conf.rate_limit_reqs_per_addr }};
 
 {{- range $limit := .Values.nginx_conf.user_rate_limit_request_zones }}
   {{ $limit }}

@@ -33,6 +33,8 @@ nginx_conf:
   worker_rlimit_nofile: 131072
   worker_connections: 65536
   disabled_paths: []
+  rate_limit_reqs_per_user: "10r/s"
+  rate_limit_reqs_per_addr: "5r/m"
   user_rate_limit_request_zones: []
 
   tls:

@@ -48,7 +48,7 @@ data:
     {{- end }}
 
     settings:
-      httpPoolSize: 128
+      httpPoolSize: {{ .settings.httpPoolSize }}
       intraListing: false
       maxTeamSize: {{ .settings.maxTeamSize }}
       maxConvSize: {{ .settings.maxConvSize }}
@@ -79,9 +79,9 @@ data:
         searchVisibilityInbound:
           {{- toYaml .settings.featureFlags.searchVisibilityInbound | nindent 10 }}
         {{- end }}
-        {{- if .settings.featureFlags.validateSAMLemails }}
-        validateSAMLemails:
-          {{- toYaml .settings.featureFlags.validateSAMLemails | nindent 10 }}
+        {{- if .settings.featureFlags.validateSAMLEmails }}
+        validateSAMLEmails:
+          {{- toYaml .settings.featureFlags.validateSAMLEmails | nindent 10 }}
         {{- end }}
         {{- if .settings.featureFlags.appLock }}
         appLock:

@@ -24,6 +24,7 @@ config:
     replicaCount: 3
   enableFederator: false # keep enableFederator default in sync with brig and cargohold chart's config.enableFederator as well as wire-server chart's tag.federator
   settings:
+    httpPoolSize: 128
     maxTeamSize: 10000
     maxConvSize: 500
     # Before making indexedBillingTeamMember true while upgrading, please

@@ -43,7 +43,6 @@ data:
       arnEnv: {{ .arnEnv }}
       sqsEndpoint: {{ .sqsEndpoint | quote }}
       snsEndpoint: {{ .snsEndpoint | quote }}
-      connectionLimit: 256
     {{- end }}
 
     settings:

@@ -142,8 +142,8 @@ http {
   # Rate Limiting
   #
 
-  limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate=10r/s;
-  limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate=5r/m;
+  limit_req_zone $rate_limited_by_zuser zone=reqs_per_user:12m rate={{ .Values.nginx_conf.rate_limit_reqs_per_user }};
+  limit_req_zone $rate_limited_by_addr zone=reqs_per_addr:12m rate={{ .Values.nginx_conf.rate_limit_reqs_per_addr }};
 
 {{- range $limit := .Values.nginx_conf.user_rate_limit_request_zones }}
   {{ $limit }}
@@ -246,25 +246,26 @@ http {
             {{- if ($location.basic_auth) }}
         auth_basic "Restricted";
         auth_basic_user_file {{ $.Values.nginx_conf.basic_auth_file }};
-            {{- end -}}
+            {{- end }}
 
             {{- if ($location.disable_zauth) }}
         zauth off;
 
         # If zauth is off, limit by remote address if not part of limit exemptions
               {{- if ($location.unlimited_requests_endpoint) }}
         # Note that this endpoint has no rate limit
-              {{- else -}}
-        limit_req zone=reqs_per_addr burst=5 nodelay;
+              {{- else }}
+                {{- if not (hasKey $location "specific_user_rate_limit") }}
+        limit_req zone=reqs_per_addr burst=10 nodelay;
         limit_conn conns_per_addr 20;
-              {{- end -}}
-            {{- else }}
-
-              {{- if hasKey $location "specific_user_rate_limit" }}
-        limit_req zone={{ $location.specific_user_rate_limit }} nodelay;
+                {{- end }}
               {{- end }}
             {{- end }}
 
+            {{- if hasKey $location "specific_user_rate_limit" }}
+        limit_req zone={{ $location.specific_user_rate_limit }}{{ if hasKey $location "specific_user_rate_limit_burst" }} burst={{ $location.specific_user_rate_limit_burst }}{{ end }} nodelay;
+            {{- end }}
+
         if ($request_method = 'OPTIONS') {
             add_header 'Access-Control-Allow-Methods' "GET, POST, PUT, DELETE, OPTIONS";
             add_header 'Access-Control-Allow-Headers' "$http_access_control_request_headers, DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";

@@ -56,11 +56,15 @@ nginx_conf:
   - /search/top
   - /search/common
 
+  rate_limit_reqs_per_user: "10r/s"
+  rate_limit_reqs_per_addr: "5r/m"
+
   # This value must be a list of strings. Each string is copied verbatim into
   # the nginx.conf after the default 'limit_req_zone' directives. This should be
   # used to create request zones which can then be specified in
   # 'upstreams.<upstream>.<n>.specific_user_rate_limit'.
   user_rate_limit_request_zones:
+    - limit_req_zone $rate_limited_by_addr zone=reqs_per_addr_sso:12m rate=50r/s;
     - limit_req_zone $rate_limited_by_zuser zone=reqs_per_user_signatures:12m rate=10r/m;
 
   # The origins from which we allow CORS requests. These are combined with
@@ -502,20 +506,28 @@ nginx_conf:
       - all
       disable_zauth: true
       allow_credentials: true
+      specific_user_rate_limit: reqs_per_addr_sso
+      specific_user_rate_limit_burst: "10"
     - path: /sso/finalize-login
       envs:
       - all
       disable_zauth: true
       allow_credentials: true
+      specific_user_rate_limit: reqs_per_addr_sso
+      specific_user_rate_limit_burst: "10"
     - path: /sso
       envs:
       - all
       disable_zauth: true
+      specific_user_rate_limit: reqs_per_addr_sso
+      specific_user_rate_limit_burst: "10"
     - path: /scim/v2
       envs:
       - all
       disable_zauth: true
       allow_credentials: true
+      specific_user_rate_limit: reqs_per_addr_sso
+      specific_user_rate_limit_burst: "10"
     - path: /scim
       envs:
       - all

@@ -205,6 +205,8 @@ nginz:
     # NOTE: Web apps are disabled by default
     allowlisted_origins: []
     randomport_allowlisted_origins: [] # default is empty by intention
+    rate_limit_reqs_per_user: "10r/s"
+    rate_limit_reqs_per_addr: "100r/s"
   secrets:
     basicAuth: "whatever"
     zAuth: