rate-limit: Do we need to build our own caddy-docker-proxy image?

Open sowinski opened this issue 1 year ago • 1 comments

Hi,

Is it correct that we have to build our own build to integrate rate limit, or am I missing something?

Thank you :)

sowinski avatar May 02 '24 18:05 sowinski

Yes, to add additional plugins you need to write your own Dockerfile. See the README for an example. https://github.com/lucaslorentz/caddy-docker-proxy?tab=readme-ov-file#custom-images

francislavoie avatar May 02 '24 19:05 francislavoie

Hi @francislavoie, I built my own image and I can see that it is successfully built with this module. (Here you can see my Dockerfile: https://github.com/lucaslorentz/caddy-docker-proxy/issues/626#issuecomment-2149417344)

If I run my setup locally with a statically defined route, it works fine:

This is my Caddyfile for my local setup:

{
	auto_https off
	order rate_limit before basicauth
}

:80
rate_limit {
	distributed
	zone dynamic_global {
		key    {remote_host}
		window 60s
		events 75
	}
}

whoami.example.com:80 {
	reverse_proxy 172.22.0.3:80
}

But if I want to use this in production with the caddy-docker-proxy container "discovery" functionality with labels, it is not working. Dockerfile for production:

{
	order rate_limit before basicauth
}

:80
rate_limit {
	distributed
	zone dynamic_global {
		key    {remote_host}
		window 60s
		events 75
	}
}

And this is an example service with my labels:

...
labels:
      caddy: "www.example.com"
      caddy.log:
      caddy.reverse_proxy: "{{upstreams 8000}}"
      caddy.encode: "gzip"
...

Have you or someone else ever successfully used caddy-docker-proxy with the rate-limit plugin? (https://github.com/mholt/caddy-ratelimit)

sowinski avatar Jun 05 '24 15:06 sowinski

Rate limit is a directive so it must go within a site block. You can't put it top level, otherwise Caddy will parse it as a site address. If you have two sites, then braces are required. If you use labels, then rate_limit is just another directive, like reverse_proxy etc.

francislavoie avatar Jun 05 '24 17:06 francislavoie

@francislavoie So I cannot set a global rate limit for all https calls? I need to add it to all containers manually with labels?

sowinski avatar Jun 05 '24 18:06 sowinski

Rate limit is a directive so it must go within a site block. This is what you mean, correct? To add it separately in each docker compose over labels?

Can you confirm that it is not possible to add a global rate limit for all containers/services in the main Caddyfile?

version: '3.7'
services:
  whoami:
    image: traefik/whoami
    networks:
      - caddy
    labels:
      caddy: "whoami.example.com"
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.tls: "internal"
      caddy.rate_limit.distributed:
      caddy.rate_limit.zone: "dynamic_global"
      caddy.rate_limit.zone.key: "{remote_host}"
      caddy.rate_limit.zone.window: "1s"
      caddy.rate_limit.zone.events: "1"

networks:
  caddy:
    external: true

sowinski avatar Jun 05 '24 18:06 sowinski

There's no such thing as global HTTP routes in Caddy. All HTTP routes must go within a site block.

francislavoie avatar Jun 05 '24 19:06 francislavoie

@francislavoie Thank you!

sowinski avatar Jun 05 '24 19:06 sowinski