feat: add Redis based rate limiting for multiple instances
This commit is contained in:
Jonas Kaninda
@@ -30,7 +30,7 @@ func (blockList AccessListMiddleware) AccessMiddleware(next http.Handler) http.H
|
|||||||
for _, block := range blockList.List {
|
for _, block := range blockList.List {
|
||||||
if isPathBlocked(r.URL.Path, util.ParseURLPath(blockList.Path+block)) {
|
if isPathBlocked(r.URL.Path, util.ParseURLPath(blockList.Path+block)) {
|
||||||
logger.Error("%s: %s access forbidden", getRealIP(r), r.URL.Path)
|
logger.Error("%s: %s access forbidden", getRealIP(r), r.URL.Path)
|
||||||
RespondWithError(w, http.StatusForbidden, fmt.Sprintf("%d you do not have permission to access this resource", http.StatusForbidden), blockList.ErrorInterceptor)
|
RespondWithError(w, http.StatusForbidden, fmt.Sprintf("%d you do not have permission to access this resource"))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -54,7 +54,7 @@ func isPathBlocked(requestPath, blockedPath string) bool {
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewRateLimiter creates a new rate limiter with the specified refill rate and token capacity
|
// NewRateLimiter creates a new requests limiter with the specified refill requests and token capacity
|
||||||
func NewRateLimiter(maxTokens int, refillRate time.Duration) *TokenRateLimiter {
|
func NewRateLimiter(maxTokens int, refillRate time.Duration) *TokenRateLimiter {
|
||||||
return &TokenRateLimiter{
|
return &TokenRateLimiter{
|
||||||
tokens: maxTokens,
|
tokens: maxTokens,
|
||||||
|
|||||||
@@ -46,7 +46,7 @@ func (blockCommon BlockCommon) BlockExploitsMiddleware(next http.Handler) http.H
|
|||||||
pathTraversalPattern.MatchString(r.URL.Path) ||
|
pathTraversalPattern.MatchString(r.URL.Path) ||
|
||||||
xssPattern.MatchString(r.URL.RawQuery) {
|
xssPattern.MatchString(r.URL.RawQuery) {
|
||||||
logger.Error("%s: %s Forbidden - Potential exploit detected", getRealIP(r), r.URL.Path)
|
logger.Error("%s: %s Forbidden - Potential exploit detected", getRealIP(r), r.URL.Path)
|
||||||
RespondWithError(w, http.StatusForbidden, fmt.Sprintf("%d Forbidden - Potential exploit detected", http.StatusForbidden), blockCommon.ErrorInterceptor)
|
RespondWithError(w, http.StatusForbidden, fmt.Sprintf("%d Forbidden - Potential exploit detected", http.StatusForbidden))
|
||||||
return
|
return
|
||||||
|
|
||||||
}
|
}
|
||||||
@@ -57,7 +57,7 @@ func (blockCommon BlockCommon) BlockExploitsMiddleware(next http.Handler) http.H
|
|||||||
for _, value := range values {
|
for _, value := range values {
|
||||||
if sqlInjectionPattern.MatchString(value) || xssPattern.MatchString(value) {
|
if sqlInjectionPattern.MatchString(value) || xssPattern.MatchString(value) {
|
||||||
logger.Error("%s: %s %s Forbidden - Potential exploit detected", getRealIP(r), r.Method, r.URL.Path)
|
logger.Error("%s: %s %s Forbidden - Potential exploit detected", getRealIP(r), r.Method, r.URL.Path)
|
||||||
RespondWithError(w, http.StatusForbidden, fmt.Sprintf("%d Forbidden - Potential exploit detected", http.StatusForbidden), blockCommon.ErrorInterceptor)
|
RespondWithError(w, http.StatusForbidden, fmt.Sprintf("%d Forbidden - Potential exploit detected", http.StatusForbidden))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -18,7 +18,6 @@ package middleware
|
|||||||
*/
|
*/
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"encoding/json"
|
|
||||||
"github.com/jkaninda/goma-gateway/pkg/logger"
|
"github.com/jkaninda/goma-gateway/pkg/logger"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
@@ -49,20 +48,11 @@ func (intercept InterceptErrors) ErrorInterceptor(next http.Handler) http.Handle
|
|||||||
if canIntercept(rec.statusCode, intercept.Errors) {
|
if canIntercept(rec.statusCode, intercept.Errors) {
|
||||||
logger.Debug("Backend error")
|
logger.Debug("Backend error")
|
||||||
logger.Error("An error occurred from the backend with the status code: %d", rec.statusCode)
|
logger.Error("An error occurred from the backend with the status code: %d", rec.statusCode)
|
||||||
w.Header().Set("Content-Type", "application/json")
|
|
||||||
//Update Origin Cors Headers
|
//Update Origin Cors Headers
|
||||||
if allowedOrigin(intercept.Origins, r.Header.Get("Origin")) {
|
if allowedOrigin(intercept.Origins, r.Header.Get("Origin")) {
|
||||||
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
||||||
}
|
}
|
||||||
w.WriteHeader(rec.statusCode)
|
RespondWithError(w, rec.statusCode, http.StatusText(rec.statusCode))
|
||||||
err := json.NewEncoder(w).Encode(ProxyResponseError{
|
|
||||||
Success: false,
|
|
||||||
Code: rec.statusCode,
|
|
||||||
Message: http.StatusText(rec.statusCode),
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
return
|
return
|
||||||
} else {
|
} else {
|
||||||
// No error: write buffered response to client
|
// No error: write buffered response to client
|
||||||
|
|||||||
@@ -60,14 +60,14 @@ func errMessage(code int, errors []errorinterceptor.Error) (string, error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// RespondWithError is a helper function to handle error responses with flexible content type
|
// RespondWithError is a helper function to handle error responses with flexible content type
|
||||||
func RespondWithError(w http.ResponseWriter, statusCode int, logMessage string, errorIntercept errorinterceptor.ErrorInterceptor) {
|
func RespondWithError(w http.ResponseWriter, statusCode int, logMessage string) {
|
||||||
message, err := errMessage(statusCode, errorIntercept.Errors)
|
message := http.StatusText(statusCode)
|
||||||
if err != nil {
|
if len(logMessage) != 0 {
|
||||||
message = logMessage
|
message = logMessage
|
||||||
}
|
}
|
||||||
w.Header().Set("Content-Type", "application/json")
|
w.Header().Set("Content-Type", "application/json")
|
||||||
w.WriteHeader(statusCode)
|
w.WriteHeader(statusCode)
|
||||||
err = json.NewEncoder(w).Encode(ProxyResponseError{
|
err := json.NewEncoder(w).Encode(ProxyResponseError{
|
||||||
Success: false,
|
Success: false,
|
||||||
Code: statusCode,
|
Code: statusCode,
|
||||||
Message: message,
|
Message: message,
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ func (jwtAuth JwtAuth) AuthMiddleware(next http.Handler) http.Handler {
|
|||||||
if allowedOrigin(jwtAuth.Origins, r.Header.Get("Origin")) {
|
if allowedOrigin(jwtAuth.Origins, r.Header.Get("Origin")) {
|
||||||
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
||||||
}
|
}
|
||||||
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), jwtAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
|
||||||
return
|
return
|
||||||
|
|
||||||
}
|
}
|
||||||
@@ -46,14 +46,14 @@ func (jwtAuth JwtAuth) AuthMiddleware(next http.Handler) http.Handler {
|
|||||||
authURL, err := url.Parse(jwtAuth.AuthURL)
|
authURL, err := url.Parse(jwtAuth.AuthURL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error("Error parsing auth URL: %v", err)
|
logger.Error("Error parsing auth URL: %v", err)
|
||||||
RespondWithError(w, http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError), jwtAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
// Create a new request for /authentication
|
// Create a new request for /authentication
|
||||||
authReq, err := http.NewRequest("GET", authURL.String(), nil)
|
authReq, err := http.NewRequest("GET", authURL.String(), nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error("Proxy error creating authentication request: %v", err)
|
logger.Error("Proxy error creating authentication request: %v", err)
|
||||||
RespondWithError(w, http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError), jwtAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
logger.Trace("JWT Auth response headers: %v", authReq.Header)
|
logger.Trace("JWT Auth response headers: %v", authReq.Header)
|
||||||
@@ -73,7 +73,7 @@ func (jwtAuth JwtAuth) AuthMiddleware(next http.Handler) http.Handler {
|
|||||||
if err != nil || authResp.StatusCode != http.StatusOK {
|
if err != nil || authResp.StatusCode != http.StatusOK {
|
||||||
logger.Debug("%s %s %s %s", r.Method, getRealIP(r), r.URL, r.UserAgent())
|
logger.Debug("%s %s %s %s", r.Method, getRealIP(r), r.URL, r.UserAgent())
|
||||||
logger.Debug("Proxy authentication error")
|
logger.Debug("Proxy authentication error")
|
||||||
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), jwtAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
defer func(Body io.ReadCloser) {
|
defer func(Body io.ReadCloser) {
|
||||||
@@ -111,13 +111,13 @@ func (basicAuth AuthBasic) AuthMiddleware(next http.Handler) http.Handler {
|
|||||||
if authHeader == "" {
|
if authHeader == "" {
|
||||||
logger.Debug("Proxy error, missing Authorization header")
|
logger.Debug("Proxy error, missing Authorization header")
|
||||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||||
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), basicAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
// Check if the Authorization header contains "Basic" scheme
|
// Check if the Authorization header contains "Basic" scheme
|
||||||
if !strings.HasPrefix(authHeader, "Basic ") {
|
if !strings.HasPrefix(authHeader, "Basic ") {
|
||||||
logger.Error("Proxy error, missing Basic Authorization header")
|
logger.Error("Proxy error, missing Basic Authorization header")
|
||||||
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), basicAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@@ -126,7 +126,7 @@ func (basicAuth AuthBasic) AuthMiddleware(next http.Handler) http.Handler {
|
|||||||
payload, err := base64.StdEncoding.DecodeString(authHeader[len("Basic "):])
|
payload, err := base64.StdEncoding.DecodeString(authHeader[len("Basic "):])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Debug("Proxy error, missing Basic Authorization header")
|
logger.Debug("Proxy error, missing Basic Authorization header")
|
||||||
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), basicAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -134,7 +134,7 @@ func (basicAuth AuthBasic) AuthMiddleware(next http.Handler) http.Handler {
|
|||||||
pair := strings.SplitN(string(payload), ":", 2)
|
pair := strings.SplitN(string(payload), ":", 2)
|
||||||
if len(pair) != 2 || pair[0] != basicAuth.Username || pair[1] != basicAuth.Password {
|
if len(pair) != 2 || pair[0] != basicAuth.Username || pair[1] != basicAuth.Password {
|
||||||
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||||
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), basicAuth.ErrorInterceptor)
|
RespondWithError(w, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -37,13 +37,13 @@ func (rl *TokenRateLimiter) RateLimitMiddleware() mux.MiddlewareFunc {
|
|||||||
|
|
||||||
// Rate limit exceeded, return a 429 Too Many Requests response
|
// Rate limit exceeded, return a 429 Too Many Requests response
|
||||||
w.WriteHeader(http.StatusTooManyRequests)
|
w.WriteHeader(http.StatusTooManyRequests)
|
||||||
_, err := w.Write([]byte(fmt.Sprintf("%d Too many requests, API rate limit exceeded. Please try again later", http.StatusTooManyRequests)))
|
_, err := w.Write([]byte(fmt.Sprintf("%d Too many requests, API requests limit exceeded. Please try again later", http.StatusTooManyRequests)))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
// Proceed to the next handler if rate limit is not exceeded
|
// Proceed to the next handler if requests limit is not exceeded
|
||||||
next.ServeHTTP(w, r)
|
next.ServeHTTP(w, r)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
@@ -54,40 +54,39 @@ func (rl *RateLimiter) RateLimitMiddleware() mux.MiddlewareFunc {
|
|||||||
return func(next http.Handler) http.Handler {
|
return func(next http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
clientIP := getRealIP(r)
|
clientIP := getRealIP(r)
|
||||||
logger.Debug("rate limiter: clientID: %s, redisBased: %s", clientIP, rl.RedisBased)
|
clientID := fmt.Sprintf("%d-%s", rl.id, clientIP) // Generate client Id, ID+ route ID
|
||||||
if rl.RedisBased {
|
logger.Debug("requests limiter: clientIP: %s, redisBased: %s", clientIP, rl.redisBased)
|
||||||
err := redisRateLimiter(clientIP, rl.Requests)
|
if rl.redisBased {
|
||||||
|
err := redisRateLimiter(clientID, rl.requests)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error("Redis Rate limiter error: %s", err.Error())
|
logger.Error("Redis Rate limiter error: %s", err.Error())
|
||||||
RespondWithError(w, http.StatusTooManyRequests, fmt.Sprintf("%d Too many requests, API rate limit exceeded. Please try again later", http.StatusTooManyRequests), rl.ErrorInterceptor)
|
logger.Error("Too many requests from IP: %s %s %s", clientIP, r.URL, r.UserAgent())
|
||||||
|
RespondWithError(w, http.StatusTooManyRequests, fmt.Sprintf("%d Too many requests, API requests limit exceeded. Please try again later", http.StatusTooManyRequests))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
// Proceed to the next handler if rate limit is not exceeded
|
|
||||||
next.ServeHTTP(w, r)
|
|
||||||
} else {
|
} else {
|
||||||
rl.mu.Lock()
|
rl.mu.Lock()
|
||||||
client, exists := rl.ClientMap[clientIP]
|
client, exists := rl.clientMap[clientID]
|
||||||
if !exists || time.Now().After(client.ExpiresAt) {
|
if !exists || time.Now().After(client.ExpiresAt) {
|
||||||
client = &Client{
|
client = &Client{
|
||||||
RequestCount: 0,
|
RequestCount: 0,
|
||||||
ExpiresAt: time.Now().Add(rl.Window),
|
ExpiresAt: time.Now().Add(rl.window),
|
||||||
}
|
}
|
||||||
rl.ClientMap[clientIP] = client
|
rl.clientMap[clientID] = client
|
||||||
}
|
}
|
||||||
client.RequestCount++
|
client.RequestCount++
|
||||||
rl.mu.Unlock()
|
rl.mu.Unlock()
|
||||||
|
|
||||||
if client.RequestCount > rl.Requests {
|
if client.RequestCount > rl.requests {
|
||||||
logger.Error("Too many requests from IP: %s %s %s", clientIP, r.URL, r.UserAgent())
|
logger.Error("Too many requests from IP: %s %s %s", clientIP, r.URL, r.UserAgent())
|
||||||
//Update Origin Cors Headers
|
//Update Origin Cors Headers
|
||||||
if allowedOrigin(rl.Origins, r.Header.Get("Origin")) {
|
if allowedOrigin(rl.origins, r.Header.Get("Origin")) {
|
||||||
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
||||||
}
|
}
|
||||||
RespondWithError(w, http.StatusTooManyRequests, fmt.Sprintf("%d Too many requests, API rate limit exceeded. Please try again later", http.StatusTooManyRequests), rl.ErrorInterceptor)
|
RespondWithError(w, http.StatusTooManyRequests, fmt.Sprintf("%d Too many requests, API requests limit exceeded. Please try again later", http.StatusTooManyRequests))
|
||||||
return
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// Proceed to the next handler if rate limit is not exceeded
|
// Proceed to the next handler if requests limit is not exceeded
|
||||||
next.ServeHTTP(w, r)
|
next.ServeHTTP(w, r)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
@@ -100,7 +99,7 @@ func redisRateLimiter(clientIP string, rate int) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if res.Remaining == 0 {
|
if res.Remaining == 0 {
|
||||||
return errors.New("rate limit exceeded")
|
return errors.New("requests limit exceeded")
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
|||||||
@@ -1,58 +0,0 @@
|
|||||||
package middleware
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Copyright 2024 Jonas Kaninda
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
import (
|
|
||||||
"github.com/jkaninda/goma-gateway/pkg/errorinterceptor"
|
|
||||||
"github.com/jkaninda/goma-gateway/pkg/logger"
|
|
||||||
"io"
|
|
||||||
"net/http"
|
|
||||||
)
|
|
||||||
|
|
||||||
// RouteErrorInterceptor contains backend status code errors to intercept
|
|
||||||
type RouteErrorInterceptor struct {
|
|
||||||
Origins []string
|
|
||||||
ErrorInterceptor errorinterceptor.ErrorInterceptor
|
|
||||||
}
|
|
||||||
|
|
||||||
// RouteErrorInterceptor Middleware intercepts backend route errors
|
|
||||||
func (intercept RouteErrorInterceptor) RouteErrorInterceptor(next http.Handler) http.Handler {
|
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
||||||
rec := newResponseRecorder(w)
|
|
||||||
next.ServeHTTP(rec, r)
|
|
||||||
if canInterceptError(rec.statusCode, intercept.ErrorInterceptor.Errors) {
|
|
||||||
logger.Debug("Backend error")
|
|
||||||
logger.Error("An error occurred from the backend with the status code: %d", rec.statusCode)
|
|
||||||
//Update Origin Cors Headers
|
|
||||||
if allowedOrigin(intercept.Origins, r.Header.Get("Origin")) {
|
|
||||||
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
|
||||||
}
|
|
||||||
RespondWithError(w, rec.statusCode, http.StatusText(rec.statusCode), intercept.ErrorInterceptor)
|
|
||||||
return
|
|
||||||
} else {
|
|
||||||
// No error: write buffered response to client
|
|
||||||
w.WriteHeader(rec.statusCode)
|
|
||||||
_, err := io.Copy(w, rec.body)
|
|
||||||
if err != nil {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
return
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
})
|
|
||||||
}
|
|
||||||
@@ -19,21 +19,21 @@ package middleware
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
errorinterceptor "github.com/jkaninda/goma-gateway/pkg/errorinterceptor"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
|
|
||||||
// RateLimiter defines rate limit properties.
|
// RateLimiter defines requests limit properties.
|
||||||
type RateLimiter struct {
|
type RateLimiter struct {
|
||||||
Requests int
|
requests int
|
||||||
Window time.Duration
|
id int
|
||||||
ClientMap map[string]*Client
|
window time.Duration
|
||||||
|
clientMap map[string]*Client
|
||||||
mu sync.Mutex
|
mu sync.Mutex
|
||||||
Origins []string
|
origins []string
|
||||||
ErrorInterceptor errorinterceptor.ErrorInterceptor
|
hosts []string
|
||||||
RedisBased bool
|
redisBased bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// Client stores request count and window expiration for each client.
|
// Client stores request count and window expiration for each client.
|
||||||
@@ -41,15 +41,24 @@ type Client struct {
|
|||||||
RequestCount int
|
RequestCount int
|
||||||
ExpiresAt time.Time
|
ExpiresAt time.Time
|
||||||
}
|
}
|
||||||
|
type RateLimit struct {
|
||||||
|
Id int
|
||||||
|
Requests int
|
||||||
|
Window time.Duration
|
||||||
|
Origins []string
|
||||||
|
Hosts []string
|
||||||
|
RedisBased bool
|
||||||
|
}
|
||||||
|
|
||||||
// NewRateLimiterWindow creates a new RateLimiter.
|
// NewRateLimiterWindow creates a new RateLimiter.
|
||||||
func NewRateLimiterWindow(requests int, window time.Duration, redisBased bool, origin []string) *RateLimiter {
|
func (rateLimit RateLimit) NewRateLimiterWindow() *RateLimiter {
|
||||||
return &RateLimiter{
|
return &RateLimiter{
|
||||||
Requests: requests,
|
id: rateLimit.Id,
|
||||||
Window: window,
|
requests: rateLimit.Requests,
|
||||||
ClientMap: make(map[string]*Client),
|
window: rateLimit.Window,
|
||||||
Origins: origin,
|
clientMap: make(map[string]*Client),
|
||||||
RedisBased: redisBased,
|
origins: rateLimit.Origins,
|
||||||
|
redisBased: rateLimit.RedisBased,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -76,7 +85,6 @@ type JwtAuth struct {
|
|||||||
Headers map[string]string
|
Headers map[string]string
|
||||||
Params map[string]string
|
Params map[string]string
|
||||||
Origins []string
|
Origins []string
|
||||||
ErrorInterceptor errorinterceptor.ErrorInterceptor
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthenticationMiddleware Define struct
|
// AuthenticationMiddleware Define struct
|
||||||
@@ -90,7 +98,6 @@ type AccessListMiddleware struct {
|
|||||||
Path string
|
Path string
|
||||||
Destination string
|
Destination string
|
||||||
List []string
|
List []string
|
||||||
ErrorInterceptor errorinterceptor.ErrorInterceptor
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthBasic contains Basic auth configuration
|
// AuthBasic contains Basic auth configuration
|
||||||
@@ -99,7 +106,6 @@ type AuthBasic struct {
|
|||||||
Password string
|
Password string
|
||||||
Headers map[string]string
|
Headers map[string]string
|
||||||
Params map[string]string
|
Params map[string]string
|
||||||
ErrorInterceptor errorinterceptor.ErrorInterceptor
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// InterceptErrors contains backend status code errors to intercept
|
// InterceptErrors contains backend status code errors to intercept
|
||||||
@@ -131,7 +137,6 @@ type Oauth struct {
|
|||||||
Origins []string
|
Origins []string
|
||||||
JWTSecret string
|
JWTSecret string
|
||||||
Provider string
|
Provider string
|
||||||
ErrorInterceptor errorinterceptor.ErrorInterceptor
|
|
||||||
}
|
}
|
||||||
type OauthEndpoint struct {
|
type OauthEndpoint struct {
|
||||||
AuthURL string
|
AuthURL string
|
||||||
|
|||||||
@@ -37,7 +37,7 @@ func (proxyRoute ProxyRoute) ProxyHandler() http.HandlerFunc {
|
|||||||
if len(proxyRoute.methods) > 0 {
|
if len(proxyRoute.methods) > 0 {
|
||||||
if !slices.Contains(proxyRoute.methods, r.Method) {
|
if !slices.Contains(proxyRoute.methods, r.Method) {
|
||||||
logger.Error("%s Method is not allowed", r.Method)
|
logger.Error("%s Method is not allowed", r.Method)
|
||||||
middleware.RespondWithError(w, http.StatusMethodNotAllowed, fmt.Sprintf("%d %s method is not allowed", http.StatusMethodNotAllowed, r.Method), proxyRoute.ErrorInterceptor)
|
middleware.RespondWithError(w, http.StatusMethodNotAllowed, fmt.Sprintf("%d %s method is not allowed", http.StatusMethodNotAllowed, r.Method))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -60,7 +60,7 @@ func (proxyRoute ProxyRoute) ProxyHandler() http.HandlerFunc {
|
|||||||
targetURL, err := url.Parse(proxyRoute.destination)
|
targetURL, err := url.Parse(proxyRoute.destination)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error("Error parsing backend URL: %s", err)
|
logger.Error("Error parsing backend URL: %s", err)
|
||||||
middleware.RespondWithError(w, http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError), proxyRoute.ErrorInterceptor)
|
middleware.RespondWithError(w, http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
r.Header.Set("X-Forwarded-Host", r.Header.Get("Host"))
|
r.Header.Set("X-Forwarded-Host", r.Header.Get("Host"))
|
||||||
|
|||||||
@@ -66,12 +66,20 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
|
|||||||
r.Use(blockCommon.BlockExploitsMiddleware)
|
r.Use(blockCommon.BlockExploitsMiddleware)
|
||||||
}
|
}
|
||||||
if gateway.RateLimit > 0 {
|
if gateway.RateLimit > 0 {
|
||||||
//rateLimiter := middleware.NewRateLimiter(gateway.RateLimit, time.Minute)
|
|
||||||
limiter := middleware.NewRateLimiterWindow(gateway.RateLimit, time.Minute, redisBased, gateway.Cors.Origins) // requests per minute
|
|
||||||
// Add rate limit middleware to all routes, if defined
|
// Add rate limit middleware to all routes, if defined
|
||||||
|
rateLimit := middleware.RateLimit{
|
||||||
|
Id: 1,
|
||||||
|
Requests: gateway.RateLimit,
|
||||||
|
Window: time.Minute, // requests per minute
|
||||||
|
Origins: gateway.Cors.Origins,
|
||||||
|
Hosts: []string{},
|
||||||
|
RedisBased: redisBased,
|
||||||
|
}
|
||||||
|
limiter := rateLimit.NewRateLimiterWindow()
|
||||||
|
// Add rate limit middleware
|
||||||
r.Use(limiter.RateLimitMiddleware())
|
r.Use(limiter.RateLimitMiddleware())
|
||||||
}
|
}
|
||||||
for _, route := range gateway.Routes {
|
for rIndex, route := range gateway.Routes {
|
||||||
if route.Path != "" {
|
if route.Path != "" {
|
||||||
if route.Destination == "" && len(route.Backends) == 0 {
|
if route.Destination == "" && len(route.Backends) == 0 {
|
||||||
logger.Fatal("Route %s : destination or backends should not be empty", route.Name)
|
logger.Fatal("Route %s : destination or backends should not be empty", route.Name)
|
||||||
@@ -232,9 +240,16 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
|
|||||||
}
|
}
|
||||||
// Apply route rate limit
|
// Apply route rate limit
|
||||||
if route.RateLimit > 0 {
|
if route.RateLimit > 0 {
|
||||||
//rateLimiter := middleware.NewRateLimiter(gateway.RateLimit, time.Minute)
|
rateLimit := middleware.RateLimit{
|
||||||
limiter := middleware.NewRateLimiterWindow(route.RateLimit, time.Minute, redisBased, route.Cors.Origins) // requests per minute
|
Id: rIndex,
|
||||||
// Add rate limit middleware to all routes, if defined
|
Requests: route.RateLimit,
|
||||||
|
Window: time.Minute, // requests per minute
|
||||||
|
Origins: route.Cors.Origins,
|
||||||
|
Hosts: route.Hosts,
|
||||||
|
RedisBased: redisBased,
|
||||||
|
}
|
||||||
|
limiter := rateLimit.NewRateLimiterWindow()
|
||||||
|
// Add rate limit middleware
|
||||||
router.Use(limiter.RateLimitMiddleware())
|
router.Use(limiter.RateLimitMiddleware())
|
||||||
}
|
}
|
||||||
// Apply route Cors
|
// Apply route Cors
|
||||||
@@ -255,11 +270,10 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
|
|||||||
router.Use(pr.prometheusMiddleware)
|
router.Use(pr.prometheusMiddleware)
|
||||||
}
|
}
|
||||||
// Apply route Error interceptor middleware
|
// Apply route Error interceptor middleware
|
||||||
interceptErrors := middleware.RouteErrorInterceptor{
|
interceptErrors := middleware.InterceptErrors{
|
||||||
Origins: gateway.Cors.Origins,
|
Origins: gateway.Cors.Origins,
|
||||||
ErrorInterceptor: route.ErrorInterceptor,
|
|
||||||
}
|
}
|
||||||
r.Use(interceptErrors.RouteErrorInterceptor)
|
router.Use(interceptErrors.ErrorInterceptor)
|
||||||
} else {
|
} else {
|
||||||
logger.Error("Error, path is empty in route %s", route.Name)
|
logger.Error("Error, path is empty in route %s", route.Name)
|
||||||
logger.Error("Route path ignored: %s", route.Path)
|
logger.Error("Route path ignored: %s", route.Path)
|
||||||
|
|||||||
@@ -246,7 +246,6 @@ type ProxyRoute struct {
|
|||||||
methods []string
|
methods []string
|
||||||
cors Cors
|
cors Cors
|
||||||
disableHostFording bool
|
disableHostFording bool
|
||||||
ErrorInterceptor errorinterceptor.ErrorInterceptor
|
|
||||||
}
|
}
|
||||||
type RoutePath struct {
|
type RoutePath struct {
|
||||||
route Route
|
route Route
|
||||||
|
|||||||
Reference in New Issue
Block a user