
Commit 64d7314

committed
fix: disable ip rate limit by default
1 parent 4581f05 commit 64d7314


4 files changed

+23
-1
lines changed


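--- a/charts/no-package-malware/templates/verdaccio-lenient.deployment.yaml
+++ b/charts/no-package-malware/templates/verdaccio-lenient.deployment.yaml
@@ -55,6 +55,8 @@ spec:
 value: {{ $sentinelHost | quote }}
 - name: REDIS_SENTINEL_PORT
 value: {{ printf "%d" (int $sentinelPort) | quote }}
+- name: VERDACCIO_RATE_LIMIT_IP_ENABLED
+value: {{ ternary "true" "false" .Values.registry.ipRateLimitEnabled | quote }}
 ports:
 - name: http
 containerPort: {{ .Values.app.ports.verdaccioLenient }}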
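Review bot: `ternary` on the added `value:` line expects a real boolean, so a values override that supplies `ipRateLimitEnabled` as a string (for example through `--set-string`) will most likely abort template rendering instead of producing "true" or "false". Normalising first avoids that: `value: {{ eq (toString .Values.registry.ipRateLimitEnabled) "true" | ternary "true" "false" | quote }}`. The same line is added to verdaccio-strict.deployment.yaml and needs the same change. Because one value drives both registries, an operator cannot keep anonymous throttling on the strict registry while relaxing it on the lenient one; if that distinction matters, a per-registry key would be worth adding.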

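--- a/charts/no-package-malware/templates/verdaccio-strict.deployment.yaml
+++ b/charts/no-package-malware/templates/verdaccio-strict.deployment.yaml
@@ -55,6 +55,8 @@ spec:
 value: {{ $sentinelHost | quote }}
 - name: REDIS_SENTINEL_PORT
 value: {{ printf "%d" (int $sentinelPort) | quote }}
+- name: VERDACCIO_RATE_LIMIT_IP_ENABLED
+value: {{ ternary "true" "false" .Values.registry.ipRateLimitEnabled | quote }}
 ports:
 - name: http
 containerPort: {{ .Values.app.ports.verdaccioStrict }}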

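--- a/charts/no-package-malware/values.yaml
+++ b/charts/no-package-malware/values.yaml
@@ -183,6 +183,13 @@ components:
 replicaCount: 1
 resources: {}
 
+# Registry-specific configuration.
+registry:
+# When true, anonymous/IP-based HTTP rate limiting is enabled in Verdaccio
+# via VERDACCIO_RATE_LIMIT_IP_ENABLED. When false (the default), only
+# authenticated user-based rate limits are applied by the middleware.
+ipRateLimitEnabled: false
+
 # High-availability settings for stateless services.
 # When enabled, these recommended replica counts override
 # components.*.replicaCount for api, app, and Verdaccio registries.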
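Review bot: The comment above `ipRateLimitEnabled` should state outright that with the default `false` unauthenticated requests are not rate limited by the middleware at all; "only authenticated user-based rate limits are applied" is easy to read past. That is the security-relevant consequence of this default, and anyone exposing the registry beyond a trusted network needs to know they must either set the value to `true` or enforce limits in front of the registry. Suggested extra comment line: `# With false, anonymous requests are NOT throttled by the registry; enforce limits at the ingress or set this to true.`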

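--- a/secure-registry/plugins/verdaccio-rate-limit-middleware/src/index.ts
+++ b/secure-registry/plugins/verdaccio-rate-limit-middleware/src/index.ts
@@ -89,6 +89,7 @@ class RateLimitMiddleware implements MiddlewarePlugin<any> {
 private readonly redisUrl: string;
 private readonly windowSeconds: number;
 private readonly maxRequests: number;
+private readonly ipRateLimitEnabled: boolean;
 private redis: Redis | null = null;
 private redisHealthy = true;
 
@@ -112,11 +113,16 @@ class RateLimitMiddleware implements MiddlewarePlugin<any> {
 ? config.maxRequests
 : 400; // 400 requests per 24h by default
 
+const ipEnv = process.env.VERDACCIO_RATE_LIMIT_IP_ENABLED;
+this.ipRateLimitEnabled =
+ipEnv === '1' || (ipEnv !== undefined && ipEnv.toLowerCase() === 'true');
+
 this.logger.debug(
 {
 redisUrl: this.redisUrl,
 windowSeconds: this.windowSeconds,
-maxRequests: this.maxRequests
+maxRequests: this.maxRequests,
+ipRateLimitEnabled: this.ipRateLimitEnabled
 },
 'rate-limit-middleware initialized'
 );
@@ -164,6 +170,11 @@ class RateLimitMiddleware implements MiddlewarePlugin<any> {
 return `user:${req.remote_user.name}`;
 }
 
+// IP-based rate limiting can be disabled via VERDACCIO_RATE_LIMIT_IP_ENABLED.
+if (!this.ipRateLimitEnabled) {
+return null;
+}
+
 const fwd = req.headers['x-forwarded-for'];
 if (typeof fwd === 'string' && fwd.length > 0) {
 const first = fwd.split(',')[0].trim();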
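Review bot: The parsing added in the constructor hunk fails open without a trace: any VERDACCIO_RATE_LIMIT_IP_ENABLED value other than `1` or a case-insensitive `true` (`yes`, `on`, or `true` followed by whitespace) leaves `ipRateLimitEnabled` false, and the new `return null` in the key function then presumably exempts every unauthenticated request from limiting. The only record of that state is the debug-level init log. I would normalise the value, `const ipEnv = process.env.VERDACCIO_RATE_LIMIT_IP_ENABLED?.trim().toLowerCase();` with `this.ipRateLimitEnabled = ipEnv === '1' || ipEnv === 'true';`, and log at warn level when the variable is set but unrecognised or when IP limiting ends up disabled. The constructor and the key-derivation method both begin and end outside the visible hunks, so how the caller treats a null key cannot be confirmed from here. Separately, when IP limiting is on, the key is taken from the first `x-forwarded-for` entry, which a client can choose freely unless a trusted proxy overwrites the header.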
