
Rate limit

This page describes how rate limiting can be set up for the Harbor container registry.

Harbor itself doesn't support rate limit protection yet (see the open issue). We can therefore take advantage of the ingress controller in front of Harbor, in our case Nginx.

In the ingress-nginx controller, rate-limiting options are specified via annotations. For example, nginx.ingress.kubernetes.io/limit-rps: "1" means that the ingress will allow only 1 request per second from a given IP. The client IP is set based on the use of the PROXY protocol or from the X-Forwarded-For header value. In the SCS reference implementation, the PROXY protocol for ingress-nginx is enabled by default. This rate-limit annotation is ideal for DDoS attack mitigation. When a client exceeds this limit, a 503 status code is returned. This status code can be changed via the ingress-nginx controller ConfigMap:

$ kubectl edit cm -n ingress-nginx ingress-nginx-controller
# data:
#   limit-req-status-code: "429"

There are other useful annotations, such as limits on concurrent connections, on the number of kilobytes per second, or on burst requests. For example, bursts can be configured via nginx.ingress.kubernetes.io/limit-burst-multiplier, which defaults to 5. In this case the burst is set to limit-rps * limit-burst-multiplier = 1 * 5 = 5.
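To see what limit-rps and the burst multiplier mean for a single client IP, the following added example (not part of the original page or of ingress-nginx) replays constructed request timestamps through a simplified model of nginx's limit_req accounting. It assumes requests inside the burst are served immediately rather than queued; the names ClientBucket and replay are hypothetical.

```python
"""Simplified per-client model of nginx limit_req accounting (illustrative only)."""

DEFAULT_BURST_MULTIPLIER = 5  # default value stated on this page


class ClientBucket:
    """Rate-limit state for one client IP."""

    def __init__(self, limit_rps, burst_multiplier=DEFAULT_BURST_MULTIPLIER):
        self.rate = limit_rps                      # requests drained per second
        self.burst = limit_rps * burst_multiplier  # formula from the page
        self.excess = None                         # None until the first request
        self.last = 0.0                            # time of last accepted request

    def allow(self, now):
        """Return True if a request arriving at `now` (seconds) is accepted."""
        if self.excess is None:                    # first request from this IP
            self.excess, self.last = 0.0, now
            return True
        elapsed = max(0.0, now - self.last)
        # Drain at `rate` since the last accepted request, then add this request.
        excess = max(0.0, self.excess - self.rate * elapsed + 1)
        if excess > self.burst:                    # beyond rate + burst: rejected
            return False                           # rejected requests leave state untouched
        self.excess, self.last = excess, now
        return True


def replay(arrivals, limit_rps, burst_multiplier=DEFAULT_BURST_MULTIPLIER,
           reject_status=503):
    """Map arrival times (seconds) of one client to HTTP status codes.

    reject_status models limit-req-status-code: 503 by default, 429 if changed.
    """
    bucket = ClientBucket(limit_rps, burst_multiplier)
    return [200 if bucket.allow(t) else reject_status for t in arrivals]


if __name__ == "__main__":
    # Constructed traffic: 10 requests at once, then 3 more two seconds later.
    arrivals = [0.0] * 10 + [2.0] * 3
    print(replay(arrivals, limit_rps=1))
    print(replay(arrivals, limit_rps=1, reject_status=429))
```

With limit-rps 1 and the default multiplier, the first request plus a burst of 5 are accepted at once; further requests are rejected until the bucket drains at one request per second.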

More information about nginx rate limiting, with real-world examples, can be found in this nginx blog. There is also a second option for configuring rate limiting, called global rate limiting. Detailed research and a comparison are in this issue. Furthermore, see this PR, which adds a rate limit for the public (registry.scs.community) environment.