diff options
| author | Jaime Martinez <jmartinez@gitlab.com> | 2021-09-22 09:38:25 +0300 |
|---|---|---|
| committer | Jaime Martinez <jmartinez@gitlab.com> | 2021-10-14 08:59:51 +0300 |
| commit | ccfdff303646b86daed2bd9ae7e2f2a5eb4a2c5c (patch) | |
| tree | 81bc3444ad0417cd4454077fd187323a292bfc93 /metrics | |
| parent | 247bd7ba2fd9139711218c6a42ed03c551f958d9 (diff) | |
feat: add source IP ratelimiter middleware
It gets the source IP from `r.RemoteAddr` or from the `X-Forwarded-For`
header for proxied requests (when `--listen-proxy` is enabled).
The first iteration will only report logs and metrics when an IP is
being rate limited.
The rate limiter uses a Token Bucket approach using
golang.org/x/time/rate, which can be configured with the newly added
flags `rate-limit-source-ip` and `rate-limit-source-ip-burst`.
To enable the rate limiter, set `rate-limit-source-ip` to value > 1,
which is the number of requests per second to allow. It is enabled by
default in "dry-run" mode so requests won't be dropped until the
environment variable
`FF_ENABLE_RATE_LIMITER` is set to `"true"`.
See metrics.go for the newly added metrics.
Changelog: added
Diffstat (limited to 'metrics')
| -rw-r--r-- | metrics/metrics.go | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/metrics/metrics.go b/metrics/metrics.go index b4ac9415..23962dc4 100644 --- a/metrics/metrics.go +++ b/metrics/metrics.go @@ -184,6 +184,34 @@ var ( Help: "The number of backlogged connections waiting on concurrency limit.", }, ) + + // RateLimitSourceIPCacheRequests is the number of cache hits/misses + RateLimitSourceIPCacheRequests = prometheus.NewCounterVec( + prometheus.CounterOpts{ + Name: "gitlab_pages_rate_limit_source_ip_cache_requests", + Help: "The number of source_ip cache hits/misses in the rate limiter", + }, + []string{"op", "cache"}, + ) + + // RateLimitSourceIPCachedEntries is the number of entries in the cache + RateLimitSourceIPCachedEntries = prometheus.NewGaugeVec( + prometheus.GaugeOpts{ + Name: "gitlab_pages_rate_limit_source_ip_cached_entries", + Help: "The number of entries in the cache", + }, + []string{"op"}, + ) + + // RateLimitSourceIPBlockedCount is the number of source IPs that have been blocked by the + // source IP rate limiter + RateLimitSourceIPBlockedCount = prometheus.NewGaugeVec( + prometheus.GaugeOpts{ + Name: "gitlab_pages_rate_limit_source_ip_blocked_count", + Help: "The number of source IP addresses that have been blocked by the rate limiter", + }, + []string{"enforced"}, + ) ) // MustRegister collectors with the Prometheus client @@ -211,5 +239,8 @@ func MustRegister() { LimitListenerMaxConns, LimitListenerConcurrentConns, LimitListenerWaitingConns, + RateLimitSourceIPCacheRequests, + RateLimitSourceIPCachedEntries, + RateLimitSourceIPBlockedCount, ) } |