author | Kamil Trzciński <ayufan@ayufan.eu> | 2020-10-20 13:26:29 +0300 |
committer | Kamil Trzciński <ayufan@ayufan.eu> | 2020-10-20 13:26:29 +0300 |
commit | 7f8e9bd39def730616a4c7d1d5f00ee6ca9ea76a (patch) | |
tree | 455beeb7ac317059afcad0167bcba4a23ea1aec7 /main.go | |
parent | 9cf62c0fc1f31a6e175bb3e8b2321ca19584dee3 (diff) |
Add Host and SNI-based rate limiting
This adds a per-process rate limiting
of the incoming requests and connections.
This assumes two things:
- Requests generate a pressure on Object Storage
- New TLS connections generate a pressure on CPU
due to TLS handshake (generating and exchanging
asymmetric keys)
Diffstat (limited to 'main.go')
-rw-r--r-- | main.go | 9 |
1 files changed, 9 insertions, 0 deletions
@@ -75,6 +75,11 @@ var (
 tlsMinVersion = flag.String("tls-min-version", "tls1.2", tlsconfig.FlagUsage("min"))
 tlsMaxVersion = flag.String("tls-max-version", "", tlsconfig.FlagUsage("max"))
 
+ hostRateLimit = flag.Uint("host-rate-limit", 0, "Set to non-zero value to enable host-based rate limiting. Requests over rate-limit will respond with 429.")
+ hostRateLimitWindow = flag.Duration("host-rate-limit-window", 10*time.Minute, "Define a host-bassed rate limiting window")
+ tlsSniRateLimit = flag.Uint("tls-sni-rate-limit", 0, "Set to non-zero value to enable tls-sni-based rate limiting. New connections over that limit will be rejected.")
+ tlsSniRateLimitWindow = flag.Duration("tls-sni-limit-window", 10*time.Minute, "Define a tls-sni-bassed rate limiting window")
+
 disableCrossOriginRequests = flag.Bool("disable-cross-origin-requests", false, "Disable cross-origin requests")
 
 // See init()
@@ -175,6 +180,10 @@ func configFromFlags() appConfig {
 config.TLSMinVersion = tlsconfig.AllTLSVersions[*tlsMinVersion]
 config.TLSMaxVersion = tlsconfig.AllTLSVersions[*tlsMaxVersion]
 config.CustomHeaders = header
+ config.HostRateLimit = *hostRateLimit
+ config.HostRateLimitWindow = *hostRateLimitWindow
+ config.TLSSNIRateLimit = *tlsSniRateLimit
+ config.TLSSNIRateLimitWindow = *tlsSniRateLimitWindow
 
 for _, file := range []struct {
 contents *[]byte
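Review bot: The SNI window flag is registered as `tls-sni-limit-window`, while its variable `tlsSniRateLimitWindow`, its own help text and the sibling `host-rate-limit-window` all say "rate-limit"; flag names are a public interface that is painful to rename once deployed, so this line should read `tlsSniRateLimitWindow = flag.Duration("tls-sni-rate-limit-window", 10*time.Minute, "Define a tls-sni-based rate limiting window")`. Both window flags also misspell "based" as "bassed" in their help strings. Because the limit is a bare count and the window a duration, the help text should state the unit explicitly, e.g. "maximum requests per host within -host-rate-limit-window", and note that the count is per process, as the commit message says, so operators running several replicas know the effective limit is multiplied. Both keys (Host header, SNI name) are chosen by the client, so these limits bound load per hostname rather than per client; saying so in the help text avoids them being mistaken for per-client abuse protection. The enclosing var block starts and ends outside the hunk.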
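Review bot: The four new assignments in configFromFlags copy the flag values into config without checking them, so a zero or negative `-host-rate-limit-window` or `-tls-sni-limit-window` paired with a non-zero limit reaches the limiter with a window that cannot be enforced meaningfully. Unless validation happens where appConfig is consumed, which is not visible in this hunk, the cheapest place to reject it is here, with a check such as `if *hostRateLimit > 0 && *hostRateLimitWindow <= 0 { /* abort with a clear message, as the file does for other invalid flags */ }` and the same pair for the SNI flags. configFromFlags starts and ends outside the hunk, so I cannot see whether it already aborts on other invalid combinations.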