From ccfdff303646b86daed2bd9ae7e2f2a5eb4a2c5c Mon Sep 17 00:00:00 2001 From: Jaime Martinez Date: Wed, 22 Sep 2021 16:38:25 +1000 Subject: feat: add source IP ratelimiter middleware It gets the source IP from `r.RemoteAddr` or from the `X-Forwarded-For` header for proxied requests (when `--listen-proxy` is enabled). The first iteration will only report logs and metrics when an IP is being rate limited. The rate limiter uses a Token Bucket approach using golang.org/x/time/rate, which can be configured with the newly added flags `rate-limit-source-ip` and `rate-limit-source-ip-burst`. To enable the rate limiter, set `rate-limit-source-ip` to value > 1, which is the number of requests per second to allow. It is enabled by default in "dry-run" mode so requests won't be dropped until the environment variable `FF_ENABLE_RATE_LIMITER` is set to `"true"`. See metrics.go for the newly added metrics. Changelog: added --- metrics/metrics.go | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) (limited to 'metrics') diff --git a/metrics/metrics.go b/metrics/metrics.go index b4ac9415..23962dc4 100644 --- a/metrics/metrics.go +++ b/metrics/metrics.go @@ -184,6 +184,34 @@ var ( Help: "The number of backlogged connections waiting on concurrency limit.", }, ) + + // RateLimitSourceIPCacheRequests is the number of cache hits/misses + RateLimitSourceIPCacheRequests = prometheus.NewCounterVec( + prometheus.CounterOpts{ + Name: "gitlab_pages_rate_limit_source_ip_cache_requests", + Help: "The number of source_ip cache hits/misses in the rate limiter", + }, + []string{"op", "cache"}, + ) + + // RateLimitSourceIPCachedEntries is the number of entries in the cache + RateLimitSourceIPCachedEntries = prometheus.NewGaugeVec( + prometheus.GaugeOpts{ + Name: "gitlab_pages_rate_limit_source_ip_cached_entries", + Help: "The number of entries in the cache", + }, + []string{"op"}, + ) + + // RateLimitSourceIPBlockedCount is the number of source IPs that have been blocked by the + // source IP rate limiter + RateLimitSourceIPBlockedCount = prometheus.NewGaugeVec( + prometheus.GaugeOpts{ + Name: "gitlab_pages_rate_limit_source_ip_blocked_count", + Help: "The number of source IP addresses that have been blocked by the rate limiter", + }, + []string{"enforced"}, + ) ) // MustRegister collectors with the Prometheus client @@ -211,5 +239,8 @@ func MustRegister() { LimitListenerMaxConns, LimitListenerConcurrentConns, LimitListenerWaitingConns, + RateLimitSourceIPCacheRequests, + RateLimitSourceIPCachedEntries, + RateLimitSourceIPBlockedCount, ) } -- cgit v1.2.3