mirror of
https://github.com/lightninglabs/aperture.git
synced 2026-01-31 15:14:26 +01:00
Implement a token-bucket rate limiter for aperture that limits requests per service endpoint. The rate limiter uses golang.org/x/time/rate and provides per-key limiting with L402 token ID extraction (falling back to IP address for unauthenticated requests). Key components: - RateLimitConfig: Configuration struct with path regex, requests/per/burst - RateLimiter: Manages per-key rate.Limiter instances with LRU eviction to prevent memory exhaustion (default 10,000 entries) - Prometheus metrics: allowed/denied counters, cache size, evictions This addresses GitHub issue #200 for DoS protection on authenticated endpoints that are free of charge after L402 payment.
package proxy
import (
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promauto"
)
// Prometheus instruments for the per-service rate limiter. promauto registers
// every vector below with the default Prometheus registerer at package
// initialisation and panics if a metric of the same name is already
// registered.
//
// Only "service" and "path_pattern" are used as labels. The per-client limiter
// key (L402 token ID or client IP) must stay out of the label set: a label
// value derived from request data creates one time series per client, which
// moves the memory-exhaustion problem from the limiter cache into the metrics
// registry and publishes client identifiers on the metrics endpoint.
var (
	// rateLimitAllowed is the number of requests the rate limiter let
	// through, partitioned by service and path pattern.
	// NOTE(review): path_pattern is presumably the configured path regex,
	// not the raw request path; confirm at the call sites, since a raw
	// path would be an unbounded label value.
	rateLimitAllowed = promauto.NewCounterVec(
		prometheus.CounterOpts{
			Namespace: "aperture",
			Subsystem: "ratelimit",
			Name:      "allowed_total",
			Help:      "Total number of requests allowed by rate limiter",
		},
		[]string{"service", "path_pattern"},
	)

	// rateLimitDenied is the number of requests the rate limiter rejected,
	// partitioned by service and path pattern. A rising denied/allowed
	// ratio for one service or pattern is the signal to alert on when
	// watching for request floods.
	rateLimitDenied = promauto.NewCounterVec(
		prometheus.CounterOpts{
			Namespace: "aperture",
			Subsystem: "ratelimit",
			Name:      "denied_total",
			Help:      "Total number of requests denied by rate limiter",
		},
		[]string{"service", "path_pattern"},
	)

	// rateLimitCacheSize reports how many entries the rate limiter cache
	// currently holds for a service.
	rateLimitCacheSize = promauto.NewGaugeVec(
		prometheus.GaugeOpts{
			Namespace: "aperture",
			Subsystem: "ratelimit",
			Name:      "cache_size",
			Help:      "Current number of entries in the rate limiter cache",
		},
		[]string{"service"},
	)

	// rateLimitEvictions is the number of entries the LRU cache has
	// dropped for a service.
	// NOTE(review): an evicted key presumably starts from a fresh bucket
	// on its next request, so sustained evictions while cache_size sits
	// at its limit would mean per-key limits are no longer being held;
	// confirm against the RateLimiter implementation and alert on it.
	rateLimitEvictions = promauto.NewCounterVec(
		prometheus.CounterOpts{
			Namespace: "aperture",
			Subsystem: "ratelimit",
			Name:      "evictions_total",
			Help:      "Total number of rate limiter cache evictions",
		},
		[]string{"service"},
	)
)