On Tue, Sep 1, 2015 at 10:42 PM, Platonides <platonides(a)gmail.com> wrote:
Brad Jorsch (Anomie) wrote:
I wonder if it got lost in the move from Squid to Varnish, or something
along those lines.
That's likely, given that it was enforced by squid.
We could easily add it back in Varnish, too, but I tend to agree with
Brion's points that it's not ultimately helpful.
I really do like the idea of moving towards smarter ratelimiting of
APIs by default, though (and have brought this up in several contexts
recently, but I'm not really aware of whatever past work we've done in
that direction). From that relatively-ignorant perspective, I tend to
envision an architecture where the front edge ratelimits API requests
(or even possibly, all requests, but we'd probably have to exclude a
lot of common spiders...) via a simple token-bucket-filter if they're
anonymous, but lets them run free if they superficially appear to have
a legitimate cookie or API access token. Then it's up to the app
layer to enforce limits for the seemingly-identifiable traffic and be
configurable to raise them for legitimate remote clients we've had
contact with, and to reject legitimate-looking tokens/logins that the
edge chooses not to ratelimit which aren't actually legitimate.
-- Brandon
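
The two-tier scheme described in this message, as an added example that is not part of the original thread or any Wikimedia code: the edge applies a per-IP token bucket to anonymous requests and passes anything carrying a credential-looking header, and the app layer validates that credential and applies per-client limits. The header names, the limits, the `clients` table and all class and function names are assumptions; timestamps are passed in so the behaviour is deterministic.

```python
class TokenBucket:
    """Token bucket: refills `rate` tokens per second, holds at most `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def allow(self, now):
        # Refill for the elapsed time (capped at burst), then try to spend one token.
        self.tokens = min(self.burst, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def credential(headers):
    # Assumption: a credential is an Authorization or Cookie header value.
    return headers.get("Authorization") or headers.get("Cookie")

class Edge:
    """Front edge: per-IP bucket for anonymous traffic, no credential validation."""
    def __init__(self, rate=1.0, burst=3):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def admit(self, ip, headers, now):
        if credential(headers):
            return True  # superficially identifiable: passed through unlimited
        b = self.buckets.setdefault(ip, TokenBucket(self.rate, self.burst, now))
        return b.allow(now)

class App:
    """App layer: validates what the edge waved through, limits per client."""
    def __init__(self, clients, default=(1.0, 2), raised=None):
        self.clients, self.default, self.raised = clients, default, raised or {}
        self.buckets = {}

    def handle(self, headers, now):
        cred = credential(headers)
        if cred is None:
            return 200  # anonymous: the edge already limited it
        client = self.clients.get(cred)
        if client is None:
            return 401  # looked legitimate to the edge, but is not
        rate, burst = self.raised.get(client, self.default)
        b = self.buckets.setdefault(client, TokenBucket(rate, burst, now))
        return 200 if b.allow(now) else 429

def request(edge, app, ip, headers, now):
    """One request through both tiers; a 429 at the edge never reaches the app."""
    return app.handle(headers, now) if edge.admit(ip, headers, now) else 429
```

Because the edge never limits credential-bearing requests, the 401 path in the app is the only control on forged tokens, so that check has to stay cheap.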