Disable Coder rate limiting on high-throughput requests?

Hello everyone, first of all thanks for the work you've done. I'd like to ask if this --dangerous-disable-rate-limits flag is actually officially acknowledged. I found no mention of this in the documentation (maybe I'm not looking hard enough), and it looks like it is hidden by the coder server CLI, but I came across this while we are developing an API with thousands of requests per second. Is this officially supported by Codercom? (acknowledged and considered as a non-deprecated flag in Coder in production environments)
8 Replies
zounce (5mo ago)
I haven't seen anything to suggest it's deprecated, but the dangerous part is definitely true: it's an all-or-nothing flag for rate limiting. It would be good to get some proper rate limiting controls in the product... Out of curiosity, what's your use case that requires thousands of requests per second? Maybe there's some other way to achieve it?
	{
		Name:        "API Rate Limit",
		Description: "Maximum number of requests per minute allowed to the API per user, or per IP address for unauthenticated users. Negative values mean no rate limit. Some API endpoints have separate strict rate limits regardless of this value to prevent denial-of-service or brute force attacks.",
		// Change the env from the auto-generated CODER_RATE_LIMIT_API to the
		// old value to avoid breaking existing deployments.
		Env:         "CODER_API_RATE_LIMIT",
		Flag:        "api-rate-limit",
		Default:     "512",
		Value:       &c.RateLimit.API,
		Hidden:      true,
		Annotations: serpent.Annotations{}.Mark(annotationExternalProxies, "true"),
	},
There's also this flag/var, but it's also been deliberately hidden from documentation. Not sure why login requests and file uploads are the only endpoints not affected by this var.
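The option description quoted above says the limit applies per user (or per IP for unauthenticated requests), that a negative value disables it, and that some endpoints keep strict limits regardless. The following Go sketch models those semantics; it is an added example, not part of the thread and not Coder's implementation, and the Limiter type, the /login path and its limit of 5 are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Limiter is a hypothetical fixed-window model of the quoted option text, not Coder's code.
type Limiter struct {
	PerMinute int            // negative disables the general limit
	Strict    map[string]int // path -> limit enforced regardless of PerMinute
	counts    map[string]int
	windowEnd time.Time
}

// Allow keys on the user ID, or on the client IP when userID is empty.
func (l *Limiter) Allow(now time.Time, userID, ip, path string) bool {
	if !now.Before(l.windowEnd) { // a new one-minute window resets every counter
		l.counts, l.windowEnd = map[string]int{}, now.Add(time.Minute)
	}
	key := "user:" + userID
	if userID == "" {
		key = "ip:" + ip
	}
	limit := l.PerMinute
	if s, ok := l.Strict[path]; ok {
		limit, key = s, key+"|"+path // strict endpoints keep their own budget
	} else if limit < 0 {
		return true
	}
	l.counts[key]++
	return l.counts[key] <= limit
}

// Admitted returns how many of n back-to-back requests are let through.
func Admitted(l *Limiter, now time.Time, n int, userID, ip, path string) int {
	passed := 0
	for i := 0; i < n; i++ {
		if l.Allow(now, userID, ip, path) {
			passed++
		}
	}
	return passed
}

func main() {
	now, strict := time.Unix(0, 0), map[string]int{"/login": 5} // constructed values
	fmt.Println(Admitted(&Limiter{PerMinute: 512, Strict: strict}, now, 1000, "alice", "", "/app"))
	fmt.Println(Admitted(&Limiter{PerMinute: -1, Strict: strict}, now, 1000, "", "203.0.113.7", "/login"))
}
```

With the general limit set to a negative value, ordinary paths are unthrottled while the strict path still admits only its own budget per key.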
Phorcys (5mo ago)
(@pitcrew)
pitcrew (OP, 5mo ago)
We are working on SFMC Journey Builder with hundreds of thousands of records, some reaching a million. It goes from the Journey to our own server we are developing in Coder. The server (it's called Journey Builder Custom Activity): https://developer.salesforce.com/docs/marketing/marketing-cloud/guide/creating-activities.html
We came across this problem while scale and load testing in one of our Coder workspaces. We had to deploy the dev build to a reverse proxy directly instead. We can still run it like that, but we prefer an easier plug and play URL so we can point to it quickly in the SFMC platform while in development. (Wildcard URL in Coder does the job well.)
Is there a way to whitelist a specific workspace for rate limits?
Phorcys (5mo ago)
It's unclear to me what API calls you're making from your message. Are you directly calling Coder API endpoints to do some scale/load testing of Coder? Or are you hitting your app's API a lot of times, and that app is behind Coder?
Phorcys (5mo ago)
because for scale testing Coder you can just use https://coder.com/docs/admin/infrastructure/scale-testing
pitcrew (OP, 5mo ago)
We are hitting our app API many times, and it is behind Coder yes
zounce (5mo ago)
Ah okay, so you're hitting <app>--<agent>--<workspace>--<username>--apps.wsproxy.coder.example ? Then yeah, those are subject to the same rate limits set by CODER_API_RATE_LIMIT, and unfortunately we don't support configuring that rate limit any way other than deployment-wide. Seems like a reasonable feature request though.
Phorcys (5mo ago)
Yeah, I agree, I'll make a GH issue and add productboard insights for that.
