mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 00:57:33 +00:00
feat: block instances (#7129)
* docs: fix init description typos
* feat: block instances using limits
* translate
* unit tests
* fix translations
* redirect /ui/login
* fix http interceptor
* cleanup
* fix http interceptor
* fix: delete cookies on gateway 200
* add integration tests
* add command test
* docs
* fix integration tests
* add bulk api and integration test
* optimize bulk set limits
* unit test bulk limits
* fix broken link
* fix assets middleware
* fix broken link
* validate instance id format
* Update internal/eventstore/search_query.go
Co-authored-by: Livio Spring <livio.a@gmail.com>
* remove support for owner bulk limit commands
* project limits to instances
* migrate instances projection
* Revert "migrate instances projection"
This reverts commit 214218732a.
* join limits, remove owner
* remove todo
* use optional bool
* normally validate instance ids
* use 302
* cleanup
* cleanup
* Update internal/api/grpc/system/limits_converter.go
Co-authored-by: Livio Spring <livio.a@gmail.com>
* remove owner
* remove owner from reset
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
@@ -7,6 +7,26 @@ If you have a self-hosted ZITADEL environment, you can limit the usage of your [
|
||||
For example, if you provide your customers [their own virtual instances](/concepts/structure/instance#multiple-virtual-instances) with access on their own domains, you can design a pricing model based on the usage of their instances.
|
||||
The usage control features are currently limited to the instance level only.
|
||||
|
||||
## Block Instances
|
||||
|
||||
You can block an instance using the [system API](/category/apis/resources/system/limits).
|
||||
|
||||
Most requests to a blocked instance are rejected with the HTTP status *429 Too Many Requests* or the gRPC status *8 Resource Exhausted*.
|
||||
However, requests to the [system API](/apis/introduction#system) are still allowed.
|
||||
Requests to paths with the prefix */ui/login* return a redirect with HTTP status *302 Found* to */ui/console*, where the user is guided to *InstanceManagementURL*.
|
||||
Blocked HTTP requests additionally set a cookie to make it easy to block traffic before it reaches your ZITADEL runtime, for example with a WAF rule.
|
||||
|
||||
You can block new instances by default using the *DefaultInstance.Limits.Block* runtime configuration.
|
||||
The following snippets shows the default YAML:
|
||||
|
||||
```yaml
|
||||
DefaultInstance:
|
||||
Limits:
|
||||
# If Block is true, all requests except to /ui/console or the system API are blocked and /ui/login is redirected to /ui/console.
|
||||
# /ui/console shows a message that the instance is blocked with a link to Console.InstanceManagementURL
|
||||
Block: # ZITADEL_DEFAULTINSTANCE_LIMITS_BLOCK
|
||||
```
|
||||
|
||||
## Limit Audit Trails
|
||||
|
||||
You can restrict the maximum age of events returned by the following APIs:
|
||||
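Review bot: The cookie sentence in the new Block Instances section ("Blocked HTTP requests additionally set a cookie ...") names neither the cookie nor when it is removed, so a reader cannot write the WAF rule it suggests. Please add the cookie name and describe its lifecycle; the commit message mentions "delete cookies on gateway 200", which belongs in this paragraph. It is also worth stating that the cookie is only a hint for shedding traffic early, since a client can omit it, and that the block itself is enforced by ZITADEL. Smaller points: "The following snippets shows" should read "The following snippet shows"; the YAML comment exempts /ui/console while the prose only mentions the system API and the /ui/login redirect, so the two should agree; and the empty `Block:` value should say what an unset value means.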
@@ -107,8 +127,9 @@ DefaultInstance:
|
||||
|
||||
### Exhausted Authenticated Requests
|
||||
|
||||
If a quota is configured to limit requests and the quotas amount is exhausted, all further requests are blocked except requests to the System API.
|
||||
Also, a cookie is set, to make it easier to block further traffic before it reaches your ZITADEL runtime.
|
||||
If a quota is configured to limit requests and the quotas amount is exhausted, all further authenticated requests are blocked except requests to the [system API](/apis/introduction#system).
|
||||
Also, a cookie is set, to make it easier to block further traffic before it reaches your ZITADEL runtime, for example with a WAF rule.
|
||||
The console is still served, but it only shows a dialog that says that the instance is blocked with a link to *InstanceManagementURL*.
|
||||
|
||||
### Exhausted Action Run Seconds
|
||||
|
||||
|
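Review bot: In Exhausted Authenticated Requests, the added sentence "The console is still served, but it only shows a dialog that says that the instance is blocked" reuses the wording of the new Block Instances section without saying whether an exhausted quota produces the same responses (429 / Resource Exhausted, the 302 on /ui/login). Link to that section or state the status codes here. The rewritten first sentence keeps "the quotas amount", which should be "the quota's amount", and now that it is narrowed to "authenticated requests" it should say how unauthenticated requests are treated once the quota is exhausted.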