Fix multi-instance state coordination with file locking and expiration persistence [minor] #62
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…n persistence When multiple Traefik routers use this plugin, each creates a separate instance that competes for the same state file. This caused verified IPs to lose their TTLs and get re-challenged across instances. Changes: - Add expiration timestamps to State struct for proper TTL serialization - Implement file locking (flock) to prevent concurrent write conflicts - Add state reconciliation to merge in-memory and file-based state - Persist verified IPs immediately after CAPTCHA success (lightweight) - Keep periodic full state saves (1 min) as backup for rate/bot caches Verified IPs now maintain their TTLs across plugin instances, preventing unnecessary re-challenges when requests hit different routers.
Member
Author
|
going to sit on this for a little bit. perhaps deploy locally in a prod environment for a stress test. i am worried about the iops added on the excessive state reconciliation between memory and disk. Since we can't use syscalls in traefik plugins we can't know about writes to the state file shared across services/memory. That leaves us with needing to lock and reconcile disk and memory pretty aggressively. Though since it's happening in a go routine should be fine since it won't be locking/blocking during requests |
we probably aren't getting hit across services with the same ip before we're in a reconcile loop
joecorall
force-pushed
the
shared-state
branch
from
d9339b0 to
6e1d2ae
Compare
joecorall
changed the title
joecorall
force-pushed
the
shared-state
branch
2 times, most recently
from
8bd020f to
6957ca8
Compare
joecorall
force-pushed
the
shared-state
branch
from
6957ca8 to
e53010a
Compare
joecorall
changed the title
joecorall
force-pushed
the
shared-state
branch
from
c61b716 to
1291ff0
Compare
joecorall
changed the title
joecorall
force-pushed
the
shared-state
branch
from
1291ff0 to
25f5131
Compare
use synctest to test state expiry
joecorall
force-pushed
the
shared-state
branch
from
1563505 to
67c20cd
Compare
joecorall
force-pushed
the
shared-state
branch
from
67c20cd to
15b5a32
Compare
joecorall
pushed a commit
to lehigh-university-libraries/isle-preserve
that referenced
this pull request
Oct 27, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When multiple Traefik routers use this plugin, each creates a separate instance that competes for the same state file. This caused verified IPs to lose their TTLs and get re-challenged across instances.
Changes:
Verified IPs now maintain their TTLs across plugin instances, preventing unnecessary re-challenges when requests hit different routers.
Closes #52 #18