Currently, in my logs I can see that I am receiving a lot of requests for URLs containing *.php. I don't support .php and would like to globally drop these requests. These requests have been spiking my CPU & memory usage.
I intend to redirect requests containing .php to this service, which just basically drops the request, or better still point it to a backend that doesn't exist. Also I intend to use Traefik rate limiting for such requests.
Is this the proper way of targeting such requests?
Security and Access control for this sort of thing should be handled by a firewall. Traefik has some features built-in for rate limiting or restrictions, but it is implemented as a best-attempt, and is not intended to be used as a security appliance. If you are handling encrypted traffic, then Traefik may be your best option short-term.
How can I properly tell traefik to limit the request to this drop-server-service alone and not to other services?
By putting this path in its own ingress, it can be configured with its own rate-limiting annotations.
I have other ingresses on other namespaces and I would like to apply this *.php filter globally.
You may want to build this into a file-based configuration (with a static frontend and a static backend pointing to your Kubernetes service), and then add the file config to your ingress controller. Then it will apply globally, and will not be overridable via the Kubernetes provider.
Another option is to use a hostless ingress, where it applies to all hosts:
Thank you @daniel.tomcej, my traffic is encrypted. As regards the rate limiting, I tried configuring it as below but it seems to have no effect, as I sent multiple requests from the same IP and didn't receive the 429 error. Maybe I am setting this incorrectly?
Note that if you are using services in front of Traefik, then the service NAT will rewrite the client IP:
So you may have to look at setting service.spec.externalTrafficPolicy on the service fronting Traefik.
Note that not doing this will have the effect that all traffic will be perceived to come from the same client IP, resulting in you hitting your max-conn much sooner than intended.
However, yes, the max-conn annotations are correct, but: traefik.frontend.rule.type: Path is not a valid annotation.
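As an added example (not from the thread or from the Traefik project), tying together the hostless Ingress suggested above and the externalTrafficPolicy note: a Traefik v1 Ingress with no host rule that sends any ".php" path to a sink service with its own client-IP rate limit, followed by the Service in front of Traefik. The service names, namespaces, selector and the exact path pattern are assumptions for your cluster.

```yaml
# Added example, not from the thread. Hostless Ingress for Traefik v1 that
# catches every path containing ".php" on any host, routes it to a sink
# service, and rate-limits that frontend only. Names are assumptions.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: php-drop
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    # "Path" (not the PathPrefix default) so the whole request path is
    # matched against the Gorilla-mux pattern below. Assumption: the
    # pattern matches any URL whose path contains ".php".
    traefik.ingress.kubernetes.io/rule-type: Path
    # Higher priority than the application ingresses so this rule wins.
    traefik.ingress.kubernetes.io/priority: "100"
    # Rate limit keyed on the client IP: 6 requests per 3 s on average,
    # bursting to 9, applied to this frontend only.
    traefik.ingress.kubernetes.io/rate-limit: |
      extractorfunc: client.ip
      rateset:
        php:
          period: 3s
          average: 6
          burst: 9
spec:
  rules:
    # No "host" field: the rule applies to every host Traefik serves.
    - http:
        paths:
          - path: /{any:.*\.php.*}
            backend:
              serviceName: drop-server-service
              servicePort: 80
---
# Service in front of Traefik. Without externalTrafficPolicy: Local the
# kube-proxy SNAT makes every request appear to come from a node IP, so the
# client.ip extractor above would throttle all clients as one.
apiVersion: v1
kind: Service
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: https
      port: 443
      targetPort: 443
```

With externalTrafficPolicy: Local, only nodes running a Traefik pod answer for the load balancer, so make sure Traefik is scheduled on every node that the load balancer can send traffic to.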