From a38d71b4cbf795b56fb706470e6e73f7e27a9bf0 Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Thu, 20 Mar 2025 12:54:22 -0500
Subject: [PATCH 01/10] add middleware for request prioritization

This adds a middleware for overload protection, that is intended to help protect against malicious scrapers. It does this by via  [`codel`](https://github.com/bohde/codel), which will perform the following:

1. Limit the number of in-flight requests to some user defined max
2. When in-flight requests have reached their max, begin queuing requests, with logged in requests having priority above logged out requests
3. Once a request has been queued for too long, it has a percentage chance to be rejected based upon how overloaded the entire system is.

When a server experiences more traffic than it  can handle, this has the effect of keeping latency low for logged in users, while rejecting just enough requests from logged out users to keep the service from being overloaded.

Below are benchmarks showing a system at 100% capacity and 200% capacity in a few different configurations. The 200% capacity is shown to highlight an extreme case. I used [hey](https://github.com/rakyll/hey) to simulate the bot traffic:

```
hey -z 1m -c 10 "http://localhost:3000/rowan/demo/issues?state=open&type=all&labels=&milestone=0&project=0&assignee=0&poster=0&q=fix"
```

The concurrency of 10 was chosen from experiments where my local server began to experience higher latency.

Results

| Method | Concurrency |  p95 latency | Successful RPS | Requests Dropped |
|--------|--------|--------|--------|--------|
| QoS Off | 10 | 0.2960s | 44 rps | 0% |
| QoS Off | 20 | 0.5667s | 44 rps | 0%|
| QoS On | 20 |  0.4409s | 48 rps | 10% |
| QoS On 50% Logged In* | 10 | 0.3891s | 33 rps | 7% |
| QoS On 50% Logged Out* | 10  | 2.0388s | 13 rps | 6% |

Logged in users were given the additional parameter ` -H "Cookie: i_like_gitea=<session>`.

Tests with `*` were run at the same time, representing a workload with mixed logged in & logged out users. Results are separated to show prioritization, and how logged in users experience a 100ms latency increase under load, compared to the 1.6 seconds logged out users see.
---
 assets/go-licenses.json     |   5 ++
 custom/conf/app.example.ini |  10 +++
 go.mod                      |   1 +
 go.sum                      |   6 ++
 modules/setting/service.go  |  13 ++++
 routers/common/qos.go       | 121 ++++++++++++++++++++++++++++++++++++
 routers/web/web.go          |   4 ++
 7 files changed, 160 insertions(+)
 create mode 100644 routers/common/qos.go

diff --git a/assets/go-licenses.json b/assets/go-licenses.json
index 0b6a7fd99a6c9..f1a35ce1e914d 100644
--- a/assets/go-licenses.json
+++ b/assets/go-licenses.json
@@ -294,6 +294,11 @@
     "path": "github.com/bmatcuk/doublestar/v4/LICENSE",
     "licenseText": "The MIT License (MIT)\n\nCopyright (c) 2014 Bob Matcuk\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n"
   },
+  {
+    "name": "github.com/bohde/codel",
+    "path": "github.com/bohde/codel/LICENSE",
+    "licenseText": "BSD 3-Clause License\n\nCopyright (c) 2018, Rowan Bohde\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holder nor the names of its\n  contributors may be used to endorse or promote products derived from\n  this software without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n"
+  },
   {
     "name": "github.com/boombuler/barcode",
     "path": "github.com/boombuler/barcode/LICENSE",
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 07a6ebdcf2273..7d22d2c5b5885 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -926,6 +926,16 @@ LEVEL = Info
 ;USER_DELETE_WITH_COMMENTS_MAX_TIME = 0
 ;; Valid site url schemes for user profiles
 ;VALID_SITE_URL_SCHEMES=http,https
+;;
+;; Enable request quality of service and load shedding.
+; QOS_ENABLED = false
+;; The number of requests that are in flight to service before queuing
+;; begins. Default is 4 * number of CPUs
+; QOS_MAX_INFLIGHT =
+;; The maximum number of requests that can be enqueued before they will be dropped.
+; QOS_MAX_WAITING = 100
+;; The target time for a request to be enqueued before it might be dropped.
+; QOS_TARGET_WAIT_TIME = 50ms
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/go.mod b/go.mod
index 094aeeb6bc84d..bbe0d5a4c98b8 100644
--- a/go.mod
+++ b/go.mod
@@ -32,6 +32,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/codecommit v1.28.1
 	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb
 	github.com/blevesearch/bleve/v2 v2.4.2
+	github.com/bohde/codel v0.2.0
 	github.com/buildkite/terminal-to-html/v3 v3.16.8
 	github.com/caddyserver/certmagic v0.22.0
 	github.com/charmbracelet/git-lfs-transfer v0.2.0
diff --git a/go.sum b/go.sum
index cde24edce8aa7..9dbb7df060382 100644
--- a/go.sum
+++ b/go.sum
@@ -179,6 +179,9 @@ github.com/blevesearch/zapx/v16 v16.1.5 h1:b0sMcarqNFxuXvjoXsF8WtwVahnxyhEvBSRJi
 github.com/blevesearch/zapx/v16 v16.1.5/go.mod h1:J4mSF39w1QELc11EWRSBFkPeZuO7r/NPKkHzDCoiaI8=
 github.com/bmatcuk/doublestar/v4 v4.8.1 h1:54Bopc5c2cAvhLRAzqOGCYHYyhcDHsFF4wWIR5wKP38=
 github.com/bmatcuk/doublestar/v4 v4.8.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D1fsDb3EJvhqgXRbFx7bs2wqZ10HQPeU8U/Q=
+github.com/bohde/codel v0.2.0 h1:fzF7ibgKmCfQbOzQCblmQcwzDRmV7WO7VMLm/hDvD3E=
+github.com/bohde/codel v0.2.0/go.mod h1:Idb1IRvTdwkRjIjguLIo+FXhIBhcpGl94o7xra6ggWk=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
 github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -881,6 +884,7 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
@@ -1025,6 +1029,8 @@ modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg=
 modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 mvdan.cc/xurls/v2 v2.6.0 h1:3NTZpeTxYVWNSokW3MKeyVkz/j7uYXYiMtXRUfmjbgI=
 mvdan.cc/xurls/v2 v2.6.0/go.mod h1:bCvEZ1XvdA6wDnxY7jPPjEmigDtvtvPXAD/Exa9IMSk=
+pgregory.net/rapid v0.4.2 h1:lsi9jhvZTYvzVpeG93WWgimPRmiJQfGFRNTEZh1dtY0=
+pgregory.net/rapid v0.4.2/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251 h1:mUcz5b3FJbP5Cvdq7Khzn6J9OCUQJaBwgBkCR+MOwSs=
 strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:FJGmPh3vz9jSos1L/F91iAgnC/aejc0wIIrF2ZwJxdY=
 xorm.io/builder v0.3.13 h1:a3jmiVVL19psGeXx8GIurTp7p0IIgqeDmwhcR6BAOAo=
diff --git a/modules/setting/service.go b/modules/setting/service.go
index d9535efec6ee8..58c0d778d5cfb 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -5,6 +5,7 @@ package setting
 
 import (
 	"regexp"
+	"runtime"
 	"strings"
 	"time"
 
@@ -98,6 +99,13 @@ var Service = struct {
 		DisableOrganizationsPage bool `ini:"DISABLE_ORGANIZATIONS_PAGE"`
 		DisableCodePage          bool `ini:"DISABLE_CODE_PAGE"`
 	} `ini:"service.explore"`
+
+	QoS struct {
+		Enabled             bool
+		MaxInFlightRequests int
+		MaxWaitingRequests  int
+		TargetWaitTime      time.Duration
+	}
 }{
 	AllowedUserVisibilityModesSlice: []bool{true, true, true},
 }
@@ -254,6 +262,11 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 
 	mustMapSetting(rootCfg, "service.explore", &Service.Explore)
 
+	Service.QoS.Enabled = sec.Key("QOS_ENABLED").MustBool(false)
+	Service.QoS.MaxInFlightRequests = sec.Key("QOS_MAX_INFLIGHT").MustInt(4 * runtime.NumCPU())
+	Service.QoS.MaxWaitingRequests = sec.Key("QOS_MAX_WAITING").MustInt(100)
+	Service.QoS.TargetWaitTime = sec.Key("QOS_TARGET_WAIT_TIME").MustDuration(50 * time.Millisecond)
+
 	loadOpenIDSetting(rootCfg)
 }
 
diff --git a/routers/common/qos.go b/routers/common/qos.go
new file mode 100644
index 0000000000000..d47b5cd4dac2d
--- /dev/null
+++ b/routers/common/qos.go
@@ -0,0 +1,121 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/web/middleware"
+
+	"github.com/bohde/codel"
+)
+
+type Priority int
+
+func (p Priority) String() string {
+	switch p {
+	case HighPriority:
+		return "high"
+	case DefaultPriority:
+		return "default"
+	case LowPriority:
+		return "low"
+	default:
+		return fmt.Sprintf("%d", p)
+	}
+}
+
+const (
+	LowPriority     = Priority(-10)
+	DefaultPriority = Priority(0)
+	HighPriority    = Priority(10)
+)
+
+// QoS implements quality of service for requests, based upon whether
+// or not the user is logged in. All traffic may get dropped, and
+// anonymous users are deprioritized.
+func QoS() func(next http.Handler) http.Handler {
+	maxOutstanding := setting.Service.QoS.MaxInFlightRequests
+	if maxOutstanding <= 0 {
+		maxOutstanding = 10
+	}
+
+	c := codel.NewPriority(codel.Options{
+		// The maximum number of waiting requests.
+		MaxPending: setting.Service.QoS.MaxWaitingRequests,
+		// The maximum number of in-flight requests.
+		MaxOutstanding: maxOutstanding,
+		// The target latency that a blocked request should wait
+		// for. After this, it might be dropped.
+		TargetLatency: setting.Service.QoS.TargetWaitTime,
+	})
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			ctx := req.Context()
+
+			priority := DefaultPriority
+
+			// If the user is logged in, assign high priority.
+			data := middleware.GetContextData(req.Context())
+			if _, ok := data[middleware.ContextDataKeySignedUser].(*user_model.User); ok {
+				priority = HighPriority
+			} else if IsGitContents(req.URL.Path) {
+				// Otherwise, if the path would is accessing git contents directly, mark as low priority
+				priority = LowPriority
+			}
+
+			// Check if the request can begin processing.
+			err := c.Acquire(ctx, int(priority))
+			if err != nil {
+				// If it failed, the service is over capacity and should error
+				http.Error(w, "Service Unavailable", http.StatusServiceUnavailable)
+				return
+			}
+
+			// Release long-polling immediately, so they don't always
+			// take up an in-flight request
+			if strings.Contains(req.URL.Path, "/user/events") {
+				c.Release()
+			} else {
+				defer c.Release()
+			}
+
+			next.ServeHTTP(w, req)
+		})
+	}
+}
+
+func IsGitContents(path string) bool {
+	parts := []string{
+		"refs",
+		"archive",
+		"commit",
+		"graph",
+		"blame",
+		"branches",
+		"tags",
+		"labels",
+		"stars",
+		"search",
+		"activity",
+		"wiki",
+		"watchers",
+		"compare",
+		"raw",
+		"src",
+		"commits",
+	}
+
+	for _, p := range parts {
+		if strings.Contains(path, p) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index fcddcad1b12d6..a8065a3ea98fb 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -272,6 +272,10 @@ func Routes() *web.Router {
 	// Get user from session if logged in.
 	mid = append(mid, webAuth(buildAuthGroup()))
 
+	if setting.Service.QoS.Enabled {
+		mid = append(mid, common.QoS())
+	}
+
 	// GetHead allows a HEAD request redirect to GET if HEAD method is not defined for that route
 	mid = append(mid, chi_middleware.GetHead)
 

From aec549db53676988ec40d0aac55bd75cc62bb0a2 Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Mon, 7 Apr 2025 17:54:21 -0500
Subject: [PATCH 02/10] apply review feedback

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
---
 routers/common/qos.go      | 59 ++++++++++++++++----------------------
 routers/common/qos_test.go | 58 +++++++++++++++++++++++++++++++++++++
 routers/web/web.go         |  6 +---
 3 files changed, 84 insertions(+), 39 deletions(-)
 create mode 100644 routers/common/qos_test.go

diff --git a/routers/common/qos.go b/routers/common/qos.go
index d47b5cd4dac2d..b4395373f2993 100644
--- a/routers/common/qos.go
+++ b/routers/common/qos.go
@@ -4,6 +4,7 @@
 package common
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"strings"
@@ -13,6 +14,7 @@ import (
 	"code.gitea.io/gitea/modules/web/middleware"
 
 	"github.com/bohde/codel"
+	"github.com/go-chi/chi/v5"
 )
 
 type Priority int
@@ -40,6 +42,10 @@ const (
 // or not the user is logged in. All traffic may get dropped, and
 // anonymous users are deprioritized.
 func QoS() func(next http.Handler) http.Handler {
+	if !setting.Service.QoS.Enabled {
+		return nil
+	}
+
 	maxOutstanding := setting.Service.QoS.MaxInFlightRequests
 	if maxOutstanding <= 0 {
 		maxOutstanding = 10
@@ -59,16 +65,7 @@ func QoS() func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 			ctx := req.Context()
 
-			priority := DefaultPriority
-
-			// If the user is logged in, assign high priority.
-			data := middleware.GetContextData(req.Context())
-			if _, ok := data[middleware.ContextDataKeySignedUser].(*user_model.User); ok {
-				priority = HighPriority
-			} else if IsGitContents(req.URL.Path) {
-				// Otherwise, if the path would is accessing git contents directly, mark as low priority
-				priority = LowPriority
-			}
+			priority := requestPriority(ctx)
 
 			// Check if the request can begin processing.
 			err := c.Acquire(ctx, int(priority))
@@ -91,31 +88,25 @@ func QoS() func(next http.Handler) http.Handler {
 	}
 }
 
-func IsGitContents(path string) bool {
-	parts := []string{
-		"refs",
-		"archive",
-		"commit",
-		"graph",
-		"blame",
-		"branches",
-		"tags",
-		"labels",
-		"stars",
-		"search",
-		"activity",
-		"wiki",
-		"watchers",
-		"compare",
-		"raw",
-		"src",
-		"commits",
+// requestPriority assigns a priority value for a request based upon
+// whether the user is logged in and how expensive the endpoint is
+func requestPriority(ctx context.Context) Priority {
+	// If the user is logged in, assign high priority.
+	data := middleware.GetContextData(ctx)
+	if _, ok := data[middleware.ContextDataKeySignedUser].(*user_model.User); ok {
+		return HighPriority
 	}
 
-	for _, p := range parts {
-		if strings.Contains(path, p) {
-			return true
-		}
+	rctx := chi.RouteContext(ctx)
+	if rctx == nil {
+		return DefaultPriority
 	}
-	return false
+
+	// If we're operating in the context of a repo, assign low priority
+	routePattern := rctx.RoutePattern()
+	if strings.HasPrefix(routePattern, "/{username}/{reponame}") {
+		return LowPriority
+	}
+
+	return DefaultPriority
 }
diff --git a/routers/common/qos_test.go b/routers/common/qos_test.go
new file mode 100644
index 0000000000000..68f9954217917
--- /dev/null
+++ b/routers/common/qos_test.go
@@ -0,0 +1,58 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package common
+
+import (
+	"testing"
+
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/web/middleware"
+	"code.gitea.io/gitea/services/contexttest"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRequestPriority(t *testing.T) {
+	type test struct {
+		Name         string
+		User         *user_model.User
+		RoutePattern string
+		Expected     Priority
+	}
+
+	cases := []test{
+		{
+			Name:     "Logged In",
+			User:     &user_model.User{},
+			Expected: HighPriority,
+		},
+		{
+			Name:         "Sign In",
+			RoutePattern: "/user/login",
+			Expected:     DefaultPriority,
+		},
+		{
+			Name:         "User Repo",
+			RoutePattern: "/{username}/{reponame}/src/branch/main",
+			Expected:     LowPriority,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.Name, func(t *testing.T) {
+			ctx, _ := contexttest.MockContext(t, "")
+
+			if tc.User != nil {
+				data := middleware.GetContextData(ctx)
+				data[middleware.ContextDataKeySignedUser] = tc.User
+			}
+
+			rctx := chi.RouteContext(ctx)
+			rctx.RoutePatterns = []string{tc.RoutePattern}
+
+			assert.Exactly(t, tc.Expected, requestPriority(ctx))
+		})
+	}
+}
diff --git a/routers/web/web.go b/routers/web/web.go
index a8065a3ea98fb..f28dc6baa4d62 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -272,10 +272,6 @@ func Routes() *web.Router {
 	// Get user from session if logged in.
 	mid = append(mid, webAuth(buildAuthGroup()))
 
-	if setting.Service.QoS.Enabled {
-		mid = append(mid, common.QoS())
-	}
-
 	// GetHead allows a HEAD request redirect to GET if HEAD method is not defined for that route
 	mid = append(mid, chi_middleware.GetHead)
 
@@ -289,7 +285,7 @@ func Routes() *web.Router {
 
 	webRoutes := web.NewRouter()
 	webRoutes.Use(mid...)
-	webRoutes.Group("", func() { registerWebRoutes(webRoutes) }, common.BlockExpensive())
+	webRoutes.Group("", func() { registerWebRoutes(webRoutes) }, common.BlockExpensive(), common.QoS())
 	routes.Mount("", webRoutes)
 	return routes
 }

From 809957652819cc8608c1726425725ebff7dcd119 Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Tue, 8 Apr 2025 06:22:16 -0500
Subject: [PATCH 03/10] assign repo home page default priority

---
 routers/common/qos.go      | 2 +-
 routers/common/qos_test.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/routers/common/qos.go b/routers/common/qos.go
index b4395373f2993..ba22a5b5e367d 100644
--- a/routers/common/qos.go
+++ b/routers/common/qos.go
@@ -104,7 +104,7 @@ func requestPriority(ctx context.Context) Priority {
 
 	// If we're operating in the context of a repo, assign low priority
 	routePattern := rctx.RoutePattern()
-	if strings.HasPrefix(routePattern, "/{username}/{reponame}") {
+	if strings.HasPrefix(routePattern, "/{username}/{reponame}/") {
 		return LowPriority
 	}
 
diff --git a/routers/common/qos_test.go b/routers/common/qos_test.go
index 68f9954217917..17dc9cb30c914 100644
--- a/routers/common/qos_test.go
+++ b/routers/common/qos_test.go
@@ -33,6 +33,11 @@ func TestRequestPriority(t *testing.T) {
 			RoutePattern: "/user/login",
 			Expected:     DefaultPriority,
 		},
+		{
+			Name:         "Repo Home",
+			RoutePattern: "/{username}/{reponame}",
+			Expected:     DefaultPriority,
+		},
 		{
 			Name:         "User Repo",
 			RoutePattern: "/{username}/{reponame}/src/branch/main",

From bde2fd1655ea1727f04ff1af857b56437976b910 Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Wed, 9 Apr 2025 18:27:49 -0500
Subject: [PATCH 04/10] use `service.qos` block to configure qos settings

---
 custom/conf/app.example.ini | 24 +++++++++++++++---------
 modules/setting/service.go  | 11 ++++++-----
 2 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 7d22d2c5b5885..cc6a750132b43 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -927,15 +927,6 @@ LEVEL = Info
 ;; Valid site url schemes for user profiles
 ;VALID_SITE_URL_SCHEMES=http,https
 ;;
-;; Enable request quality of service and load shedding.
-; QOS_ENABLED = false
-;; The number of requests that are in flight to service before queuing
-;; begins. Default is 4 * number of CPUs
-; QOS_MAX_INFLIGHT =
-;; The maximum number of requests that can be enqueued before they will be dropped.
-; QOS_MAX_WAITING = 100
-;; The target time for a request to be enqueued before it might be dropped.
-; QOS_TARGET_WAIT_TIME = 50ms
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -956,6 +947,21 @@ LEVEL = Info
 ;DISABLE_CODE_PAGE = false
 ;;
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;[service.qos]
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Enable request quality of service and load shedding.
+; ENABLED = false
+;; The number of requests that are in flight to service before queuing
+;; begins. Default is 4 * number of CPUs
+; MAX_INFLIGHT =
+;; The maximum number of requests that can be enqueued before they will be dropped.
+; MAX_WAITING = 100
+;; The target time for a request to be enqueued before it might be dropped.
+; TARGET_WAIT_TIME = 50ms
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Other Settings
diff --git a/modules/setting/service.go b/modules/setting/service.go
index 58c0d778d5cfb..5b4306b08dc11 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -262,12 +262,13 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 
 	mustMapSetting(rootCfg, "service.explore", &Service.Explore)
 
-	Service.QoS.Enabled = sec.Key("QOS_ENABLED").MustBool(false)
-	Service.QoS.MaxInFlightRequests = sec.Key("QOS_MAX_INFLIGHT").MustInt(4 * runtime.NumCPU())
-	Service.QoS.MaxWaitingRequests = sec.Key("QOS_MAX_WAITING").MustInt(100)
-	Service.QoS.TargetWaitTime = sec.Key("QOS_TARGET_WAIT_TIME").MustDuration(50 * time.Millisecond)
-
 	loadOpenIDSetting(rootCfg)
+
+	qosSection := rootCfg.Section("service.qos")
+	Service.QoS.Enabled = qosSection.Key("ENABLED").MustBool(false)
+	Service.QoS.MaxInFlightRequests = qosSection.Key("MAX_INFLIGHT").MustInt(4 * runtime.NumCPU())
+	Service.QoS.MaxWaitingRequests = qosSection.Key("MAX_WAITING").MustInt(100)
+	Service.QoS.TargetWaitTime = qosSection.Key("TARGET_WAIT_TIME").MustDuration(50 * time.Millisecond)
 }
 
 func loadOpenIDSetting(rootCfg ConfigProvider) {

From 7e69399c9fc258f8e2708fd54d41d793b11cf673 Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Wed, 9 Apr 2025 19:16:48 -0500
Subject: [PATCH 05/10] use `qos` block to configure QOS

---
 custom/conf/app.example.ini |  2 +-
 modules/setting/service.go  | 15 +++++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index cc6a750132b43..44624ce8dae47 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -949,7 +949,7 @@ LEVEL = Info
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;[service.qos]
+;[qos]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Enable request quality of service and load shedding.
diff --git a/modules/setting/service.go b/modules/setting/service.go
index 5b4306b08dc11..575a67e29bc28 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -263,12 +263,7 @@ func loadServiceFrom(rootCfg ConfigProvider) {
 	mustMapSetting(rootCfg, "service.explore", &Service.Explore)
 
 	loadOpenIDSetting(rootCfg)
-
-	qosSection := rootCfg.Section("service.qos")
-	Service.QoS.Enabled = qosSection.Key("ENABLED").MustBool(false)
-	Service.QoS.MaxInFlightRequests = qosSection.Key("MAX_INFLIGHT").MustInt(4 * runtime.NumCPU())
-	Service.QoS.MaxWaitingRequests = qosSection.Key("MAX_WAITING").MustInt(100)
-	Service.QoS.TargetWaitTime = qosSection.Key("TARGET_WAIT_TIME").MustDuration(50 * time.Millisecond)
+	loadQosSetting(rootCfg)
 }
 
 func loadOpenIDSetting(rootCfg ConfigProvider) {
@@ -290,3 +285,11 @@ func loadOpenIDSetting(rootCfg ConfigProvider) {
 		}
 	}
 }
+
+func loadQosSetting(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("qos")
+	Service.QoS.Enabled = sec.Key("ENABLED").MustBool(false)
+	Service.QoS.MaxInFlightRequests = sec.Key("MAX_INFLIGHT").MustInt(4 * runtime.NumCPU())
+	Service.QoS.MaxWaitingRequests = sec.Key("MAX_WAITING").MustInt(100)
+	Service.QoS.TargetWaitTime = sec.Key("TARGET_WAIT_TIME").MustDuration(50 * time.Millisecond)
+}

From 5078f67e5b2384b4e9142cafa45f7a4d18f36394 Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Thu, 10 Apr 2025 08:59:25 -0500
Subject: [PATCH 06/10] if the client requests HTML, render an HTML 503 Service
 Unavailable page.

---
 options/locale/locale_en-US.ini |  1 +
 routers/common/qos.go           | 36 +++++++++++++++++++++++++++++++--
 routers/common/qos_test.go      | 28 +++++++++++++++++++++++++
 templates/status/503.tmpl       | 12 +++++++++++
 4 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 templates/status/503.tmpl

diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index 96c99615f5d52..fc48c47fd8479 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -117,6 +117,7 @@ files = Files
 
 error = Error
 error404 = The page you are trying to reach either <strong>does not exist</strong> or <strong>you are not authorized</strong> to view it.
+error503 = The server was unable to complete your request. Please try again later.
 go_back = Go Back
 invalid_data = Invalid data: %v
 
diff --git a/routers/common/qos.go b/routers/common/qos.go
index ba22a5b5e367d..6f2ed0da023cd 100644
--- a/routers/common/qos.go
+++ b/routers/common/qos.go
@@ -10,13 +10,18 @@ import (
 	"strings"
 
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/web/middleware"
+	giteacontext "code.gitea.io/gitea/services/context"
 
 	"github.com/bohde/codel"
 	"github.com/go-chi/chi/v5"
 )
 
+const tplStatus503 templates.TplName = "status/503"
+
 type Priority int
 
 func (p Priority) String() string {
@@ -70,8 +75,7 @@ func QoS() func(next http.Handler) http.Handler {
 			// Check if the request can begin processing.
 			err := c.Acquire(ctx, int(priority))
 			if err != nil {
-				// If it failed, the service is over capacity and should error
-				http.Error(w, "Service Unavailable", http.StatusServiceUnavailable)
+				renderServiceUnavailable(w, req)
 				return
 			}
 
@@ -110,3 +114,31 @@ func requestPriority(ctx context.Context) Priority {
 
 	return DefaultPriority
 }
+
+// renderServiceUnavailable will render an HTTP 503 Service
+// Unavailable page, providing HTML if the client accepts it.
+func renderServiceUnavailable(w http.ResponseWriter, req *http.Request) {
+	acceptsHTML := false
+	for _, part := range req.Header["Accept"] {
+		if strings.Contains(part, "text/html") {
+			acceptsHTML = true
+			break
+		}
+	}
+
+	// If the client doesn't accept HTML, then render a plain text response
+	if !acceptsHTML {
+		http.Error(w, "503 Service Unavailable", http.StatusServiceUnavailable)
+		return
+	}
+
+	tmplCtx := giteacontext.TemplateContext{}
+	tmplCtx["Locale"] = middleware.Locale(w, req)
+	ctxData := middleware.GetContextData(req.Context())
+	err := templates.HTMLRenderer().HTML(w, http.StatusServiceUnavailable, tplStatus503, ctxData, tmplCtx)
+	if err != nil {
+		log.Error("Error occurs again when rendering service unavailable page: %v", err)
+		w.WriteHeader(http.StatusInternalServerError)
+		_, _ = w.Write([]byte("Internal server error, please collect error logs and report to Gitea issue tracker"))
+	}
+}
diff --git a/routers/common/qos_test.go b/routers/common/qos_test.go
index 17dc9cb30c914..850a5f51dbef1 100644
--- a/routers/common/qos_test.go
+++ b/routers/common/qos_test.go
@@ -4,6 +4,7 @@
 package common
 
 import (
+	"net/http"
 	"testing"
 
 	user_model "code.gitea.io/gitea/models/user"
@@ -61,3 +62,30 @@ func TestRequestPriority(t *testing.T) {
 		})
 	}
 }
+
+func TestRenderServiceUnavailable(t *testing.T) {
+	t.Run("HTML", func(t *testing.T) {
+		ctx, resp := contexttest.MockContext(t, "")
+		ctx.Req.Header.Set("Accept", "text/html")
+
+		renderServiceUnavailable(resp, ctx.Req)
+		assert.Equal(t, http.StatusServiceUnavailable, resp.Code)
+		assert.Contains(t, resp.Header().Get("Content-Type"), "text/html")
+
+		body := resp.Body.String()
+		assert.Contains(t, body, `lang="en-US"`)
+		assert.Contains(t, body, "503 Service Unavailable")
+	})
+
+	t.Run("plain", func(t *testing.T) {
+		ctx, resp := contexttest.MockContext(t, "")
+		ctx.Req.Header.Set("Accept", "text/plain")
+
+		renderServiceUnavailable(resp, ctx.Req)
+		assert.Equal(t, http.StatusServiceUnavailable, resp.Code)
+		assert.Contains(t, resp.Header().Get("Content-Type"), "text/plain")
+
+		body := resp.Body.String()
+		assert.Contains(t, body, "503 Service Unavailable")
+	})
+}
diff --git a/templates/status/503.tmpl b/templates/status/503.tmpl
new file mode 100644
index 0000000000000..1a4a872c0dbaf
--- /dev/null
+++ b/templates/status/503.tmpl
@@ -0,0 +1,12 @@
+{{template "base/head" .}}
+<div role="main" aria-label="503 Service Unavailable" class="page-content">
+  <div class="ui container">
+	<div class="status-page-error">
+	  <div class="status-page-error-title">503 Service Unavailable</div>
+	  <div class="tw-text-center">
+		<div class="tw-my-4">{{ctx.Locale.Tr "error503"}}</div>
+	  </div>
+	</div>
+  </div>
+</div>
+{{template "base/footer" .}}

From be160b0a24aa70a3dcf1638cd2250d25bc13f15b Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Thu, 10 Apr 2025 09:56:15 -0500
Subject: [PATCH 07/10] fix indentation

---
 templates/status/503.tmpl | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/templates/status/503.tmpl b/templates/status/503.tmpl
index 1a4a872c0dbaf..5b1db9fc0706b 100644
--- a/templates/status/503.tmpl
+++ b/templates/status/503.tmpl
@@ -1,12 +1,12 @@
 {{template "base/head" .}}
 <div role="main" aria-label="503 Service Unavailable" class="page-content">
-  <div class="ui container">
-	<div class="status-page-error">
-	  <div class="status-page-error-title">503 Service Unavailable</div>
-	  <div class="tw-text-center">
-		<div class="tw-my-4">{{ctx.Locale.Tr "error503"}}</div>
-	  </div>
+	<div class="ui container">
+		<div class="status-page-error">
+			<div class="status-page-error-title">503 Service Unavailable</div>
+			<div class="tw-text-center">
+				<div class="tw-my-4">{{ctx.Locale.Tr "error503"}}</div>
+			</div>
+		</div>
 	</div>
-  </div>
 </div>
 {{template "base/footer" .}}

From 4fe9e26f27582692545fa197305c46d15464eac8 Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Fri, 11 Apr 2025 07:05:54 -0500
Subject: [PATCH 08/10] relax default values

These are more appropriate for slower hardware
---
 custom/conf/app.example.ini | 2 +-
 modules/setting/service.go  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 44624ce8dae47..b59c7324304d0 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -960,7 +960,7 @@ LEVEL = Info
 ;; The maximum number of requests that can be enqueued before they will be dropped.
 ; MAX_WAITING = 100
 ;; The target time for a request to be enqueued before it might be dropped.
-; TARGET_WAIT_TIME = 50ms
+; TARGET_WAIT_TIME = 250ms
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/modules/setting/service.go b/modules/setting/service.go
index 575a67e29bc28..b1b9fedd62afb 100644
--- a/modules/setting/service.go
+++ b/modules/setting/service.go
@@ -291,5 +291,5 @@ func loadQosSetting(rootCfg ConfigProvider) {
 	Service.QoS.Enabled = sec.Key("ENABLED").MustBool(false)
 	Service.QoS.MaxInFlightRequests = sec.Key("MAX_INFLIGHT").MustInt(4 * runtime.NumCPU())
 	Service.QoS.MaxWaitingRequests = sec.Key("MAX_WAITING").MustInt(100)
-	Service.QoS.TargetWaitTime = sec.Key("TARGET_WAIT_TIME").MustDuration(50 * time.Millisecond)
+	Service.QoS.TargetWaitTime = sec.Key("TARGET_WAIT_TIME").MustDuration(250 * time.Millisecond)
 }

From d2af28d64531de3afdfd38afd6224c61bf22b3cd Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Fri, 11 Apr 2025 13:40:48 -0500
Subject: [PATCH 09/10] add error log when dropping a request

---
 routers/common/qos.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/routers/common/qos.go b/routers/common/qos.go
index 6f2ed0da023cd..e50fbe4f6990f 100644
--- a/routers/common/qos.go
+++ b/routers/common/qos.go
@@ -75,6 +75,7 @@ func QoS() func(next http.Handler) http.Handler {
 			// Check if the request can begin processing.
 			err := c.Acquire(ctx, int(priority))
 			if err != nil {
+				log.Error("QoS error, dropping request of priority %s: %v", priority, err)
 				renderServiceUnavailable(w, req)
 				return
 			}

From 6fb00219ae5be2af02fe8f5dacea123b59581e5d Mon Sep 17 00:00:00 2001
From: Rowan Bohde <rowan@allspice.io>
Date: Sat, 12 Apr 2025 08:46:14 -0500
Subject: [PATCH 10/10] update app.example.ini to match documentation

See https://gitea.com/gitea/docs/pulls/208
---
 custom/conf/app.example.ini | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index b59c7324304d0..8ae35d286844f 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -926,7 +926,6 @@ LEVEL = Info
 ;USER_DELETE_WITH_COMMENTS_MAX_TIME = 0
 ;; Valid site url schemes for user profiles
 ;VALID_SITE_URL_SCHEMES=http,https
-;;
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -945,21 +944,28 @@ LEVEL = Info
 ;;
 ;; Disable the code explore page.
 ;DISABLE_CODE_PAGE = false
-;;
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;[qos]
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-;; Enable request quality of service and load shedding.
+;;
+;; Enable request quality of service and overload protection.
 ; ENABLED = false
-;; The number of requests that are in flight to service before queuing
-;; begins. Default is 4 * number of CPUs
+;;
+;; The maximum number of concurrent requests that the server will
+;; process before enqueueing new requests. Default is "CpuNum * 4".
 ; MAX_INFLIGHT =
-;; The maximum number of requests that can be enqueued before they will be dropped.
+;;
+;; The maximum number of requests that can be enqueued before new
+;; requests will be dropped.
 ; MAX_WAITING = 100
-;; The target time for a request to be enqueued before it might be dropped.
+;;
+;; Target maximum wait time a request may be enqueued for. Requests
+;; that are enqueued for less than this amount of time will not be
+;; dropped. When wait times exceed this amount, a portion of requests
+;; will be dropped until wait times have decreased below this amount.
 ; TARGET_WAIT_TIME = 250ms
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1455,7 +1461,6 @@ LEVEL = Info
 ;; or use comma separated list: inline-dollar, inline-parentheses, block-dollar, block-square-brackets
 ;; Defaults to "inline-dollar,block-dollar" to follow GitHub's behavior.
 ;MATH_CODE_BLOCK_DETECTION =
-;;
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;