1
0
Fork 0

Refactor rate limiting to have soft and hard limits, block clients exceeding hard limits for one hour.

This commit is contained in:
Solderpunk 2023-03-18 16:40:23 +01:00
parent 3c5835f033
commit efde852c54
4 changed files with 47 additions and 13 deletions

View file

@ -24,7 +24,8 @@ type SysConfig struct {
AllowTLS12 bool
RateLimitEnable bool
RateLimitAverage int
RateLimitBurst int
RateLimitSoft int
RateLimitHard int
}
type UserConfig struct {
@ -61,7 +62,8 @@ func getConfig(filename string) (SysConfig, UserConfig, error) {
sysConfig.AllowTLS12 = true
sysConfig.RateLimitEnable = false
sysConfig.RateLimitAverage = 1
sysConfig.RateLimitBurst = 10
sysConfig.RateLimitSoft = 10
sysConfig.RateLimitHard = 50
userConfig.GeminiExt = "gmi"
userConfig.DefaultLang = ""

View file

@ -53,9 +53,13 @@ func handleGeminiRequest(conn net.Conn, sysConfig SysConfig, config UserConfig,
if sysConfig.RateLimitEnable {
noPort := logEntry.RemoteAddr.String()
noPort = noPort[0:strings.LastIndex(noPort, ":")]
drips, allowed := rl.Allowed(noPort)
if !allowed {
conn.Write([]byte("44 " + strconv.Itoa(drips) + " second cool down, please!\r\n"))
limited := rl.hardLimited(noPort)
if limited {
conn.Close()
}
delay, limited := rl.softLimited(noPort)
if limited {
conn.Write([]byte("44 " + strconv.Itoa(delay) + " second cool down, please!\r\n"))
logEntry.Status = 44
return
}

View file

@ -140,7 +140,9 @@ func launch(sysConfig SysConfig, userConfig UserConfig, privInfo userInfo) int {
go func() {
for {
entry := <-accessLogEntries
writeLogEntry(accessLogFile, entry)
if entry.Status != 0 {
writeLogEntry(accessLogFile, entry)
}
}
}()
}
@ -159,7 +161,7 @@ func launch(sysConfig SysConfig, userConfig UserConfig, privInfo userInfo) int {
// Infinite serve loop (SIGTERM breaks out)
running := true
var wg sync.WaitGroup
rl := newRateLimiter(sysConfig.RateLimitAverage, sysConfig.RateLimitBurst)
rl := newRateLimiter(sysConfig.RateLimitAverage, sysConfig.RateLimitSoft, sysConfig.RateLimitHard)
for running {
conn, err := listener.Accept()
if err == nil {

View file

@ -1,6 +1,7 @@
package main
import (
"log"
"sync"
"time"
)
@ -8,19 +9,25 @@ import (
type RateLimiter struct {
mu sync.Mutex
bucket map[string]int
bans map[string]time.Time
rate int
burst int
softLimit int
hardLimit int
}
func newRateLimiter(rate int, burst int) RateLimiter {
func newRateLimiter(rate int, softLimit int, hardLimit int) RateLimiter {
var rl = new(RateLimiter)
rl.bucket = make(map[string]int)
rl.bans = make(map[string]time.Time)
rl.rate = rate
rl.burst = burst
rl.softLimit = softLimit
rl.hardLimit = hardLimit
// Leak periodically
go func () {
for(true) {
rl.mu.Lock()
// Leak the buckets
for addr, drips := range rl.bucket {
if drips <= rate {
delete(rl.bucket, addr)
@ -28,6 +35,15 @@ func newRateLimiter(rate int, burst int) RateLimiter {
rl.bucket[addr] = drips - rl.rate
}
}
// Expire bans
now := time.Now()
for addr, expiry := range rl.bans {
if now.After(expiry) {
delete(rl.bans, addr)
}
}
// Wait
rl.mu.Unlock()
time.Sleep(time.Second)
}
@ -35,16 +51,26 @@ func newRateLimiter(rate int, burst int) RateLimiter {
return *rl
}
func (rl *RateLimiter) Allowed(addr string) (int, bool) {
func (rl *RateLimiter) softLimited(addr string) (int, bool) {
rl.mu.Lock()
defer rl.mu.Unlock()
drips, present := rl.bucket[addr]
if !present {
rl.bucket[addr] = 1
return 1, true
return 1, false
}
drips += 1
rl.bucket[addr] = drips
return drips, drips < rl.burst
if drips > rl.hardLimit {
now := time.Now()
expiry := now.Add(time.Hour)
rl.bans[addr] = expiry
log.Println("Banning " + addr + "for 1 hour due to ignoring rate limiting.")
}
return drips, drips > rl.softLimit
}
func (rl *RateLimiter) hardLimited(addr string) bool {
_, present := rl.bans[addr]
return present
}