Skip to content

Add rate limiter to our most exposed and costly endpoints #2252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Urgau merged 1 commit into from
Jan 14, 2026
Merged

Add rate limiter to our most exposed and costly endpoints #2252

Urgau merged 1 commit into from
Jan 14, 2026

Conversation

@Urgau
Copy link
Member

@Urgau Urgau commented Jan 13, 2026

This PR adds rate limiter to our most exposed and costly endpoints.

I used the tower-governor crate with a burst size of 3 requests per IP and a replenishment of one element every 15 seconds.

I don't know if those parameters are good, but we can adjust them later if we find out that they are too light or too tight.

Those limits are NOT applied to the /github-hook and /zulip-hook endpoints.

Related to #2251 (comment)
cc @Mark-Simulacrum

@Urgau Urgau requested a review from Kobzol January 13, 2026 22:22
@Urgau Urgau mentioned this pull request Jan 13, 2026
Merged
Kobzol
Kobzol reviewed Jan 14, 2026
View reviewed changes
Copy link
Member

@Kobzol Kobzol left a comment
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. Also unsure of the numbers, I think that we could go higher, but let's see how this works. Can we avoid using the governor on localhost though? It would get annoying for developing triagebot :) Maybe by not applying it if debug_assertions is set, or hide it behind a CLI parameter? Or filtering out requests from localhost? (although not sure if the requests on the deployment through Docker aren't also from localhost, we'd have to test that I guess).

View changes since this review

apiraino
apiraino reviewed Jan 14, 2026
View reviewed changes
src/main.rs Outdated
Comment on lines 111 to 112
.per_second(15)
.burst_size(3)
Copy link
Contributor

@apiraino apiraino Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who (or what) hits these /gha-logs/* endpoints? Do we have stats about their usage?

3 req/s with 15s cooldown look a bit restrictive - but it really depends on the answer to the above questions.

Copy link
Member Author

@Urgau Urgau Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The /gha-logs endpoint is the (plain enhanced) link when CI fails1.

It's used to display the raw-enhanced logs from GitHub Actions. It can take ~3/4s to fetch and display our logs.

I'm not expecting anyone to try open 4 of those links in <15s. So I think a 15s cool down is good enough.

Footnotes

  1. https://github.com/rust-lang/rust/pull/151123#issuecomment-3750603675

@Urgau
Copy link
Member Author

Urgau commented Jan 14, 2026

Can we avoid using the governor on localhost though?

I also wanted to exclude localhost, but in my typical workflow I pretty much always rebuild and thus restart triagebot, resetting those limit.

I can add an environment variable (like we do for other things) to relax those restrictions.

@Kobzol
Copy link
Member

Kobzol commented Jan 14, 2026

Ok, fair enough for the rebuild, it still seems a bit annoying and unexpected if someone would work on it locally though. Maybe just disabling it in debug mode would do the trick, to avoid complicating things?

@Urgau
Copy link
Member Author

Urgau commented Jan 14, 2026
edited
Loading

Disabling it when debug_assertions is set seems kind-of dangerous to me.

I prefer to follow our existing convention of using an environment variables, so I added DISABLE_RATE_LIMIT with a warning on usage.

Kobzol
Kobzol approved these changes Jan 14, 2026
View reviewed changes
Copy link
Member

@Kobzol Kobzol left a comment
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair enough, gating it on compilation options could likely be confusing, you're right.

View changes since this review

@Urgau Urgau added this pull request to the merge queue Jan 14, 2026
Merged via the queue into rust-lang:master with commit 4241479 Jan 14, 2026
3 checks passed
@Urgau Urgau deleted the ratelimit branch January 14, 2026 20:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@apiraino apiraino apiraino left review comments

@Kobzol Kobzol Kobzol approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Urgau @Kobzol @apiraino