blob: fbf956a5123a2dd500687d76c64e22fd2a65db47 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
package ratelimiter
import (
"crypto/tls"
"errors"
"github.com/sirupsen/logrus"
"gitlab.com/gitlab-org/labkit/log"
)
var ErrTLSRateLimited = errors.New("too many connections, please retry later")
type GetCertificateFunc func(*tls.ClientHelloInfo) (*tls.Certificate, error)
func (rl *RateLimiter) GetCertificateMiddleware(getCertificate GetCertificateFunc) GetCertificateFunc {
if rl.limitPerSecond <= 0.0 {
return getCertificate
}
return func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
if rl.allowed(rl.tlsKeyFunc(info)) {
return getCertificate(info)
}
rl.logRateLimitedTLS(info)
if rl.blockedCount != nil {
rl.blockedCount.WithLabelValues(rl.name).Inc()
}
return nil, ErrTLSRateLimited
}
}
func (rl *RateLimiter) logRateLimitedTLS(info *tls.ClientHelloInfo) {
log.WithFields(logrus.Fields{
"rate_limiter_name": rl.name,
"source_ip": TLSClientIPKey(info),
"req_host": info.ServerName,
"rate_limiter_limit_per_second": rl.limitPerSecond,
"rate_limiter_burst_size": rl.burstSize,
}).Info("TLS connection rate-limited")
}
|