[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151)

* start updating rate limiting, add exceptions

* tests, comments, tidying up

* add rate limiting exceptions to example config

* envparsing

* nolint

* apply kimbediff

* add examples
This commit is contained in:
tobi 2023-08-23 14:32:27 +02:00 committed by GitHub
parent 94d16631bc
commit 8f38dc2e7f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 402 additions and 27 deletions

View file

@ -266,10 +266,11 @@
// create required middleware
// rate limiting
limit := config.GetAdvancedRateLimitRequests()
clLimit := middleware.RateLimit(limit) // client api
s2sLimit := middleware.RateLimit(limit) // server-to-server (AP)
fsLimit := middleware.RateLimit(limit) // fileserver / web templates
rlLimit := config.GetAdvancedRateLimitRequests()
rlExceptions := config.GetAdvancedRateLimitExceptions()
clLimit := middleware.RateLimit(rlLimit, rlExceptions) // client api
s2sLimit := middleware.RateLimit(rlLimit, rlExceptions) // server-to-server (AP)
fsLimit := middleware.RateLimit(rlLimit, rlExceptions) // fileserver / web templates
// throttling
cpuMultiplier := config.GetAdvancedThrottlingMultiplier()

View file

@ -16,7 +16,7 @@ Every response will include the current status of the rate limit with the follow
- `X-Ratelimit-Limit`: maximum number of requests allowed per time period.
- `X-Ratelimit-Remaining`: number of remaining requests that can still be performed within.
- `X-Ratelimit-Reset`: unix timestamp indicating when the rate limit will reset.
- `X-Ratelimit-Reset`: ISO8601 timestamp indicating when the rate limit will reset.
In case the rate limit is exceeded, an [HTTP 429 Too Many Requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429) error is returned to the caller.
@ -35,3 +35,7 @@ If you don't have an HTTP proxy, then it's likely caused by NAT. In this case yo
### Can I configure the rate limit? Can I just turn it off?
Yes! Set `advanced-rate-limit-requests: 0` in the config.
### Can I exclude one or more IP addresses from rate limiting, but leave the rest in place?
Yes! Set `advanced-rate-limit-exceptions` in the config.

View file

@ -52,6 +52,34 @@ advanced-cookies-samesite: "lax"
# Default: 300
advanced-rate-limit-requests: 300
# Array of string. CIDRs to except from rate limit restrictions.
# Any IPs inside the CIDR range(s) will not have rate limiting
# applied on their requests, and rate limit headers will not be
# set for those requests.
#
# This can be useful in the following example cases (and probably
# a bunch of others as well):
#
# 1. You've set up an automated service that uses the API, and
# it keeps getting rate limited, even though you trust it's
# not abusing the instance.
#
# 2. You live with multiple people who use the same instance,
# and you're all using the same router/NAT, so you all have
# the same IP address, and you keep rate limiting each other.
#
# 3. You mostly use your own home internet to access your instance,
# and you want to exempt your home internet from rate limiting.
#
# You should be careful when adjusting this setting, since you
# might inadvertently make rate limiting useless if you set too
# wide a range. If in doubt, be too restrictive rather than too
# lenient, and adjust as you go.
#
# Example: ["192.168.0.0/16"]
# Default: []
advanced-rate-limit-exceptions: []
# Int. Amount of open requests to permit per CPU, per router grouping, before applying http
# request throttling. Any requests beyond the calculated limit are held in a backlog queue for
# up to 30 seconds before either being processed or timing out. Requests that don't fit in the backlog

View file

@ -848,6 +848,34 @@ advanced-cookies-samesite: "lax"
# Default: 300
advanced-rate-limit-requests: 300
# Array of string. CIDRs to except from rate limit restrictions.
# Any IPs inside the CIDR range(s) will not have rate limiting
# applied on their requests, and rate limit headers will not be
# set for those requests.
#
# This can be useful in the following example cases (and probably
# a bunch of others as well):
#
# 1. You've set up an automated service that uses the API, and
# it keeps getting rate limited, even though you trust it's
# not abusing the instance.
#
# 2. You live with multiple people who use the same instance,
# and you're all using the same router/NAT, so you all have
# the same IP address, and you keep rate limiting each other.
#
# 3. You mostly use your own home internet to access your instance,
# and you want to exempt your home internet from rate limiting.
#
# You should be careful when adjusting this setting, since you
# might inadvertently make rate limiting useless if you set too
# wide a range. If in doubt, be too restrictive rather than too
# lenient, and adjust as you go.
#
# Example: ["192.168.0.0/16"]
# Default: []
advanced-rate-limit-exceptions: []
# Int. Amount of open requests to permit per CPU, per router grouping, before applying http
# request throttling. Any requests beyond the calculated limit are held in a backlog queue for
# up to 30 seconds before either being processed or timing out. Requests that don't fit in the backlog

View file

@ -148,6 +148,7 @@ type Configuration struct {
AdvancedCookiesSamesite string `name:"advanced-cookies-samesite" usage:"'strict' or 'lax', see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite"`
AdvancedRateLimitRequests int `name:"advanced-rate-limit-requests" usage:"Amount of HTTP requests to permit within a 5 minute window. 0 or less turns rate limiting off."`
AdvancedRateLimitExceptions []string `name:"advanced-rate-limit-exceptions" usage:"Slice of CIDRs to exclude from rate limit restrictions."`
AdvancedThrottlingMultiplier int `name:"advanced-throttling-multiplier" usage:"Multiplier to use per cpu for http request throttling. 0 or less turns throttling off."`
AdvancedThrottlingRetryAfter time.Duration `name:"advanced-throttling-retry-after" usage:"Retry-After duration response to send for throttled requests."`
AdvancedSenderMultiplier int `name:"advanced-sender-multiplier" usage:"Multiplier to use per cpu for batching outgoing fedi messages. 0 or less turns batching off (not recommended)."`

View file

@ -122,7 +122,8 @@
AdvancedCookiesSamesite: "lax",
AdvancedRateLimitRequests: 300, // 1 per second per 5 minutes
AdvancedThrottlingMultiplier: 8, // 8 open requests per CPU
AdvancedRateLimitExceptions: []string{},
AdvancedThrottlingMultiplier: 8, // 8 open requests per CPU
AdvancedThrottlingRetryAfter: time.Second * 30,
AdvancedSenderMultiplier: 2, // 2 senders per CPU
AdvancedCSPExtraURIs: []string{},

View file

@ -149,6 +149,7 @@ func (s *ConfigState) AddServerFlags(cmd *cobra.Command) {
// Advanced flags
cmd.Flags().String(AdvancedCookiesSamesiteFlag(), cfg.AdvancedCookiesSamesite, fieldtag("AdvancedCookiesSamesite", "usage"))
cmd.Flags().Int(AdvancedRateLimitRequestsFlag(), cfg.AdvancedRateLimitRequests, fieldtag("AdvancedRateLimitRequests", "usage"))
cmd.Flags().StringSlice(AdvancedRateLimitExceptionsFlag(), cfg.AdvancedRateLimitExceptions, fieldtag("AdvancedRateLimitExceptions", "usage"))
cmd.Flags().Int(AdvancedThrottlingMultiplierFlag(), cfg.AdvancedThrottlingMultiplier, fieldtag("AdvancedThrottlingMultiplier", "usage"))
cmd.Flags().Duration(AdvancedThrottlingRetryAfterFlag(), cfg.AdvancedThrottlingRetryAfter, fieldtag("AdvancedThrottlingRetryAfter", "usage"))
cmd.Flags().Int(AdvancedSenderMultiplierFlag(), cfg.AdvancedSenderMultiplier, fieldtag("AdvancedSenderMultiplier", "usage"))

View file

@ -2274,6 +2274,31 @@ func GetAdvancedRateLimitRequests() int { return global.GetAdvancedRateLimitRequ
// SetAdvancedRateLimitRequests safely sets the value for global configuration 'AdvancedRateLimitRequests' field
func SetAdvancedRateLimitRequests(v int) { global.SetAdvancedRateLimitRequests(v) }
// GetAdvancedRateLimitExceptions safely fetches the Configuration value for state's 'AdvancedRateLimitExceptions' field
func (st *ConfigState) GetAdvancedRateLimitExceptions() (v []string) {
st.mutex.RLock()
v = st.config.AdvancedRateLimitExceptions
st.mutex.RUnlock()
return
}
// SetAdvancedRateLimitExceptions safely sets the Configuration value for state's 'AdvancedRateLimitExceptions' field
func (st *ConfigState) SetAdvancedRateLimitExceptions(v []string) {
st.mutex.Lock()
defer st.mutex.Unlock()
st.config.AdvancedRateLimitExceptions = v
st.reloadToViper()
}
// AdvancedRateLimitExceptionsFlag returns the flag name for the 'AdvancedRateLimitExceptions' field
func AdvancedRateLimitExceptionsFlag() string { return "advanced-rate-limit-exceptions" }
// GetAdvancedRateLimitExceptions safely fetches the value for global configuration 'AdvancedRateLimitExceptions' field
func GetAdvancedRateLimitExceptions() []string { return global.GetAdvancedRateLimitExceptions() }
// SetAdvancedRateLimitExceptions safely sets the value for global configuration 'AdvancedRateLimitExceptions' field
func SetAdvancedRateLimitExceptions(v []string) { global.SetAdvancedRateLimitExceptions(v) }
// GetAdvancedThrottlingMultiplier safely fetches the Configuration value for state's 'AdvancedThrottlingMultiplier' field
func (st *ConfigState) GetAdvancedThrottlingMultiplier() (v int) {
st.mutex.RLock()

View file

@ -20,47 +20,136 @@
import (
"net"
"net/http"
"net/netip"
"strconv"
"time"
"github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
"github.com/superseriousbusiness/gotosocial/internal/util"
"github.com/ulule/limiter/v3"
limitergin "github.com/ulule/limiter/v3/drivers/middleware/gin"
"github.com/ulule/limiter/v3/drivers/store/memory"
)
const rateLimitPeriod = 5 * time.Minute
// RateLimit returns a gin middleware that will automatically rate limit caller (by IP address),
// and enrich the response header with the following headers:
// RateLimit returns a gin middleware that will automatically rate
// limit caller (by IP address), and enrich the response header with
// the following headers:
//
// - `x-ratelimit-limit` - maximum number of requests allowed per time period (fixed).
// - `x-ratelimit-remaining` - number of remaining requests that can still be performed.
// - `x-ratelimit-reset` - unix timestamp when the rate limit will reset.
// - `X-Ratelimit-Limit` - max requests allowed per time period (fixed).
// - `X-Ratelimit-Remaining` - requests remaining for this IP before reset.
// - `X-Ratelimit-Reset` - ISO8601 timestamp when the rate limit will reset.
//
// If `x-ratelimit-limit` is exceeded, the request is aborted and an HTTP 429 TooManyRequests
// status is returned.
// If `X-Ratelimit-Limit` is exceeded, the request is aborted and an
// HTTP 429 TooManyRequests status is returned.
//
// If the config AdvancedRateLimitRequests value is <= 0, then a noop handler will be returned,
// which performs no rate limiting.
func RateLimit(limit int) gin.HandlerFunc {
// If the config AdvancedRateLimitRequests value is <= 0, then a noop
// handler will be returned, which performs no rate limiting.
func RateLimit(limit int, exceptions []string) gin.HandlerFunc {
if limit <= 0 {
// use noop middleware if ratelimiting is disabled
// Rate limiting is disabled.
// Return noop middleware.
return func(ctx *gin.Context) {}
}
limiter := limiter.New(
memory.NewStore(),
limiter.Rate{Period: rateLimitPeriod, Limit: int64(limit)},
limiter.WithIPv6Mask(net.CIDRMask(64, 128)), // apply /64 mask to IPv6 addresses
limiter.Rate{
Period: rateLimitPeriod,
Limit: int64(limit),
},
)
// use custom rate limit reached error
handler := func(c *gin.Context) {
c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{"error": "rate limit reached"})
// Convert exceptions IP ranges into prefixes.
exceptPrefs := make([]netip.Prefix, len(exceptions))
for i, str := range exceptions {
exceptPrefs[i] = netip.MustParsePrefix(str)
}
return limitergin.NewMiddleware(
limiter,
limitergin.WithLimitReachedHandler(handler),
)
// It's prettymuch impossible to effectively
// rate limit the immense IPv6 address space
// unless we mask some of the bytes.
//
// This mask is pretty coarse, and puts IPv6
// blocking on more or less the same footing
// as IPv4 blocking in terms of how likely it
// is to prevent abuse while still allowing
// legit users access to the service.
ipv6Mask := net.CIDRMask(64, 128)
return func(c *gin.Context) {
// Use Gin's heuristic for determining
// clientIP, which accounts for reverse
// proxies and trusted proxies setting.
clientIP := netip.MustParseAddr(c.ClientIP())
// Check if this IP is exempt from rate
// limits and skip further checks if so.
for _, prefix := range exceptPrefs {
if prefix.Contains(clientIP) {
c.Next()
return
}
}
if clientIP.Is6() {
// Convert to "net" package IP for mask.
asIP := net.IP(clientIP.AsSlice())
// Apply coarse IPv6 mask.
asIP = asIP.Mask(ipv6Mask)
// Convert back to netip.Addr from net.IP.
clientIP, _ = netip.AddrFromSlice(asIP)
}
// Fetch rate limit info for this (masked) clientIP.
context, err := limiter.Get(c, clientIP.String())
if err != nil {
// Since we use an in-memory cache now,
// it's actually impossible for this to
// error, but handle it nicely anyway in
// case we switch implementation in future.
errWithCode := gtserror.NewErrorInternalError(err)
// Set error on gin context so it'll
// be picked up by logging middleware.
c.Error(errWithCode) //nolint:errcheck
// Bail with 500.
c.AbortWithStatusJSON(
errWithCode.Code(),
gin.H{"error": errWithCode.Safe()},
)
return
}
// Provide reset in same format used by
// Mastodon. There's no real standard as
// to what format X-RateLimit-Reset SHOULD
// use, but since most clients interacting
// with us will expect the Mastodon version,
// it makes sense to take this.
resetT := time.Unix(context.Reset, 0)
reset := util.FormatISO8601(resetT)
c.Header("X-RateLimit-Limit", strconv.FormatInt(context.Limit, 10))
c.Header("X-RateLimit-Remaining", strconv.FormatInt(context.Remaining, 10))
c.Header("X-RateLimit-Reset", reset)
if context.Reached {
// Return JSON error message for
// consistency with other endpoints.
c.AbortWithStatusJSON(
http.StatusTooManyRequests,
gin.H{"error": "rate limit reached"},
)
return
}
// Allow the request
// to continue.
c.Next()
}
}

View file

@ -0,0 +1,192 @@
// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package middleware_test
import (
"net/http"
"net/http/httptest"
"strconv"
"testing"
"time"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/suite"
"github.com/superseriousbusiness/gotosocial/internal/middleware"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
type RateLimitTestSuite struct {
suite.Suite
}
func (suite *RateLimitTestSuite) TestRateLimit() {
// Suppress warnings about debug mode.
gin.SetMode(gin.ReleaseMode)
const (
trustedPlatform = "X-Test-IP"
rlLimit = "X-RateLimit-Limit"
rlRemaining = "X-RateLimit-Remaining"
rlReset = "X-RateLimit-Reset"
)
type rlTest struct {
limit int
exceptions []string
clientIP string
shouldPanic bool
shouldExcept bool
}
for _, test := range []rlTest{
{
limit: 10,
exceptions: []string{},
clientIP: "192.0.2.0",
shouldPanic: false,
shouldExcept: false,
},
{
limit: 10,
exceptions: []string{},
clientIP: "192.0.2.0",
shouldPanic: false,
shouldExcept: false,
},
{
limit: 10,
exceptions: []string{"192.0.2.0/24"},
clientIP: "192.0.2.0",
shouldPanic: false,
shouldExcept: true,
},
{
limit: 10,
exceptions: []string{"192.0.2.0/32"},
clientIP: "192.0.2.1",
shouldPanic: false,
shouldExcept: false,
},
{
limit: 10,
exceptions: []string{"Ceci n'est pas une CIDR"},
clientIP: "192.0.2.0",
shouldPanic: true,
shouldExcept: false,
},
} {
if test.shouldPanic {
// Try to trigger panic.
suite.Panics(func() {
_ = middleware.RateLimit(
test.limit,
test.exceptions,
)
})
continue
}
rlMiddleware := middleware.RateLimit(
test.limit,
test.exceptions,
)
// Approximate time when this limiter will reset.
resetAt := time.Now().Add(5 * time.Minute)
// Make requests up to +
// just over the limit.
limitedAt := test.limit + 1
for requestsCount := 1; requestsCount < limitedAt; requestsCount++ {
var (
recorder = httptest.NewRecorder()
ctx, e = gin.CreateTestContext(recorder)
)
// Instruct engine to derive
// clientIP from test header.
e.TrustedPlatform = trustedPlatform
ctx.Request = httptest.NewRequest(http.MethodGet, "/example", nil)
ctx.Request.Header.Add(trustedPlatform, test.clientIP)
// Call the rate limiter.
rlMiddleware(ctx)
// Fetch RL headers if present.
var (
limitStr = recorder.Header().Get(rlLimit)
remainingStr = recorder.Header().Get(rlRemaining)
resetStr = recorder.Header().Get(rlReset)
)
if test.shouldExcept {
// Request should be allowed through,
// no rate-limit headers should be written.
suite.Equal(http.StatusOK, recorder.Code)
suite.Empty(limitStr)
suite.Empty(remainingStr)
suite.Empty(resetStr)
continue
}
suite.Equal(strconv.Itoa(test.limit), limitStr)
suite.Equal(strconv.Itoa(test.limit-requestsCount), remainingStr)
// Ensure reset is ISO8601, and resets at
// approximate reset time (+/- 10 seconds).
reset, err := util.ParseISO8601(resetStr)
if err != nil {
suite.FailNow("", "couldn't parse %s as ISO8601: %q", resetStr, err.Error())
}
suite.WithinDuration(resetAt, reset, 10*time.Second)
if requestsCount < limitedAt {
// Request should be allowed through.
suite.Equal(http.StatusOK, recorder.Code)
continue
}
// Request should be denied.
suite.Equal(http.StatusTooManyRequests, recorder.Code)
// Make a final request with an unrelated IP to
// ensure it's only the one IP being limited.
var (
unrelatedRecorder = httptest.NewRecorder()
unrelatedCtx, unrelatedE = gin.CreateTestContext(unrelatedRecorder)
)
// Instruct engine to derive
// clientIP from test header.
unrelatedE.TrustedPlatform = trustedPlatform
unrelatedCtx.Request = httptest.NewRequest(http.MethodGet, "/example", nil)
unrelatedCtx.Request.Header.Add(trustedPlatform, "192.0.2.255")
// Call the rate limiter.
rlMiddleware(unrelatedCtx)
// Request should be allowed through.
suite.Equal(http.StatusOK, unrelatedRecorder.Code)
}
}
}
func TestRateLimitTestSuite(t *testing.T) {
suite.Run(t, new(RateLimitTestSuite))
}

View file

@ -12,6 +12,10 @@ EXPECT=$(cat << "EOF"
"accounts-registration-open": true,
"advanced-cookies-samesite": "strict",
"advanced-csp-extra-uris": [],
"advanced-rate-limit-exceptions": [
"192.0.2.0/24",
"127.0.0.1/32"
],
"advanced-rate-limit-requests": 6969,
"advanced-sender-multiplier": -1,
"advanced-throttling-multiplier": -1,
@ -237,6 +241,7 @@ GTS_SYSLOG_PROTOCOL='udp' \
GTS_SYSLOG_ADDRESS='127.0.0.1:6969' \
GTS_TRACING_ENDPOINT='localhost:4317' \
GTS_ADVANCED_COOKIES_SAMESITE='strict' \
GTS_ADVANCED_RATE_LIMIT_EXCEPTIONS="192.0.2.0/24,127.0.0.1/32" \
GTS_ADVANCED_RATE_LIMIT_REQUESTS=6969 \
GTS_ADVANCED_SENDER_MULTIPLIER=-1 \
GTS_ADVANCED_THROTTLING_MULTIPLIER=-1 \