-
Notifications
You must be signed in to change notification settings - Fork 15
/
ratelimit.go
155 lines (129 loc) · 3.65 KB
/
ratelimit.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
package ratelimit
import (
"net/http"
"strconv"
"strings"
"time"
"github.com/caddyserver/caddy/caddyhttp/httpserver"
)
// RateLimit is an http.Handler that can limit request rate to specific paths or files
type RateLimit struct {
Next httpserver.Handler
Rules []Rule
}
// Rule is a configuration for ratelimit
type Rule struct {
Methods string
Rate int64
Burst int
Unit string
Whitelist []string
LimitByHeader string
Status string
Resources []string
}
const (
ignoreSymbol = "^"
)
var (
caddyLimiter *CaddyLimiter
)
func init() {
caddyLimiter = NewCaddyLimiter()
}
// ServeHTTP is the method handling every request
func (rl RateLimit) ServeHTTP(w http.ResponseWriter, r *http.Request) (nextResponseStatus int, err error) {
retryAfter := time.Duration(0)
limitedKey := ""
// get request ip address
ipAddress, err := GetRemoteIP(r)
if err != nil {
return http.StatusInternalServerError, err
}
if len(limitedHeader) == 0 {
limitedKey = ipAddress
} else {
limitedKey = r.Header.Get(limitedHeader)
}
for _, rule := range rl.Rules {
for _, res := range rule.Resources {
// handle `ignore`
if strings.HasPrefix(res, ignoreSymbol) {
res = strings.TrimPrefix(res, ignoreSymbol)
if httpserver.Path(r.URL.Path).Matches(res) {
return rl.Next.ServeHTTP(w, r)
}
}
// handle path mismatch
if !httpserver.Path(r.URL.Path).Matches(res) {
continue
}
// handle whitelist ip & method mismatch
if IsWhitelistIPAddress(ipAddress, whitelistIPNets) || !MatchMethod(rule.Methods, r.Method) {
continue
}
/*
check if this ip has already exceeded quota
if so, reject all the subsequent requests
note: this won't block resources outside of the plugin's config
*/
sliceKeysOnlyWithKey := buildKeysOnlyWithLimitedKey(limitedKey)
for _, keys := range sliceKeysOnlyWithKey {
keysJoined := strings.Join(keys, "|")
if found := caddyLimiter.CheckKeyExists(keysJoined); found {
ret := caddyLimiter.Allow(keys, rule)
if !ret {
retryAfter = caddyLimiter.RetryAfter(keys)
w.Header().Add("X-RateLimit-RetryAfter", retryAfter.String())
return http.StatusTooManyRequests, err
}
}
}
// check limit
if len(rule.Status) == 0 || rule.Status == "*" {
sliceKeys := buildKeys(limitedKey, rule.Methods, rule.Status, res)
for _, keys := range sliceKeys {
ret := caddyLimiter.Allow(keys, rule)
if !ret {
retryAfter = caddyLimiter.RetryAfter(keys)
w.Header().Add("X-RateLimit-RetryAfter", retryAfter.String())
return http.StatusTooManyRequests, err
}
}
}
}
}
/*
special case for limiting by response status code
*/
nextResponseStatus, err = rl.Next.ServeHTTP(w, r)
for _, rule := range rl.Rules {
// handle response status code mismatch
if len(rule.Status) == 0 || rule.Status == "*" || !MatchStatus(rule.Status, strconv.Itoa(nextResponseStatus)) {
continue
}
for _, res := range rule.Resources {
// handle `ignore`
if strings.HasPrefix(res, ignoreSymbol) {
res = strings.TrimPrefix(res, ignoreSymbol)
if httpserver.Path(r.URL.Path).Matches(res) {
return nextResponseStatus, err
}
}
// handle path mismatch
if !httpserver.Path(r.URL.Path).Matches(res) {
continue
}
// handle whitelist ip & method mismatch
if IsWhitelistIPAddress(ipAddress, whitelistIPNets) || !MatchMethod(rule.Methods, r.Method) {
continue
}
sliceKeys := buildKeysOnlyWithLimitedKey(limitedKey)
for _, keys := range sliceKeys {
// consume one token if status code matches
caddyLimiter.Allow(keys, rule)
}
}
}
return nextResponseStatus, err
}