[feature] Add rate limit exceptions option, use ISO8601 for rate limit reset (#2151)

* start updating rate limiting, add exceptions * tests, comments, tidying up * add rate limiting exceptions to example config * envparsing * nolint * apply kimbediff * add examples
2024-11-22 20:33:10 +00:00 · 2023-08-23 14:32:27 +02:00 · 2023-08-23 14:32:27 +02:00 · 8f38dc2e7f
commit 8f38dc2e7f
parent 94d16631bc
12 changed files with 402 additions and 27 deletions
--- a/cmd/gotosocial/action/server/server.go
+++ b/cmd/gotosocial/action/server/server.go
@ -266,10 +266,11 @@ var Start action.GTSAction = func(ctx context.Context) error {

 	// create required middleware
 	// rate limiting
-	limit := config.GetAdvancedRateLimitRequests()
-	clLimit := middleware.RateLimit(limit)  // client api
-	s2sLimit := middleware.RateLimit(limit) // server-to-server (AP)
-	fsLimit := middleware.RateLimit(limit)  // fileserver / web templates
+	rlLimit := config.GetAdvancedRateLimitRequests()
+	rlExceptions := config.GetAdvancedRateLimitExceptions()
+	clLimit := middleware.RateLimit(rlLimit, rlExceptions)  // client api
+	s2sLimit := middleware.RateLimit(rlLimit, rlExceptions) // server-to-server (AP)
+	fsLimit := middleware.RateLimit(rlLimit, rlExceptions)  // fileserver / web templates

 	// throttling
 	cpuMultiplier := config.GetAdvancedThrottlingMultiplier()
--- a/docs/api/ratelimiting.md
+++ b/docs/api/ratelimiting.md
@ -16,7 +16,7 @@ Every response will include the current status of the rate limit with the follow

 - `X-Ratelimit-Limit`: maximum number of requests allowed per time period.
 - `X-Ratelimit-Remaining`: number of remaining requests that can still be performed within.
- `X-Ratelimit-Reset`: unix timestamp indicating when the rate limit will reset.
+- `X-Ratelimit-Reset`: ISO8601 timestamp indicating when the rate limit will reset.

 In case the rate limit is exceeded, an [HTTP 429 Too Many Requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429) error is returned to the caller.

@ -35,3 +35,7 @@ If you don't have an HTTP proxy, then it's likely caused by NAT. In this case yo
 ### Can I configure the rate limit? Can I just turn it off?

 Yes! Set `advanced-rate-limit-requests: 0` in the config.
+
+### Can I exclude one or more IP addresses from rate limiting, but leave the rest in place?
+
+Yes! Set `advanced-rate-limit-exceptions` in the config.
--- a/docs/configuration/advanced.md
+++ b/docs/configuration/advanced.md
@ -52,6 +52,34 @@ advanced-cookies-samesite: "lax"
 # Default: 300
 advanced-rate-limit-requests: 300

+# Array of string. CIDRs to except from rate limit restrictions.
+# Any IPs inside the CIDR range(s) will not have rate limiting
+# applied on their requests, and rate limit headers will not be
+# set for those requests.
+#
+# This can be useful in the following example cases (and probably
+# a bunch of others as well):
+#
+# 1. You've set up an automated service that uses the API, and
+#    it keeps getting rate limited, even though you trust it's
+#    not abusing the instance.
+#
+# 2. You live with multiple people who use the same instance,
+#    and you're all using the same router/NAT, so you all have
+#    the same IP address, and you keep rate limiting each other.
+#
+# 3. You mostly use your own home internet to access your instance,
+#    and you want to exempt your home internet from rate limiting.
+#
+# You should be careful when adjusting this setting, since you
+# might inadvertently make rate limiting useless if you set too
+# wide a range. If in doubt, be too restrictive rather than too
+# lenient, and adjust as you go.
+#
+# Example: ["192.168.0.0/16"]
+# Default: []
+advanced-rate-limit-exceptions: []
+
 # Int. Amount of open requests to permit per CPU, per router grouping, before applying http
 # request throttling. Any requests beyond the calculated limit are held in a backlog queue for
 # up to 30 seconds before either being processed or timing out. Requests that don't fit in the backlog
--- a/example/config.yaml
+++ b/example/config.yaml
@ -848,6 +848,34 @@ advanced-cookies-samesite: "lax"
 # Default: 300
 advanced-rate-limit-requests: 300

+# Array of string. CIDRs to except from rate limit restrictions.
+# Any IPs inside the CIDR range(s) will not have rate limiting
+# applied on their requests, and rate limit headers will not be
+# set for those requests.
+#
+# This can be useful in the following example cases (and probably
+# a bunch of others as well):
+#
+# 1. You've set up an automated service that uses the API, and
+#    it keeps getting rate limited, even though you trust it's
+#    not abusing the instance.
+#
+# 2. You live with multiple people who use the same instance,
+#    and you're all using the same router/NAT, so you all have
+#    the same IP address, and you keep rate limiting each other.
+#
+# 3. You mostly use your own home internet to access your instance,
+#    and you want to exempt your home internet from rate limiting.
+#
+# You should be careful when adjusting this setting, since you
+# might inadvertently make rate limiting useless if you set too
+# wide a range. If in doubt, be too restrictive rather than too
+# lenient, and adjust as you go.
+#
+# Example: ["192.168.0.0/16"]
+# Default: []
+advanced-rate-limit-exceptions: []
+
 # Int. Amount of open requests to permit per CPU, per router grouping, before applying http
 # request throttling. Any requests beyond the calculated limit are held in a backlog queue for
 # up to 30 seconds before either being processed or timing out. Requests that don't fit in the backlog
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -148,6 +148,7 @@ type Configuration struct {

 	AdvancedCookiesSamesite      string        `name:"advanced-cookies-samesite" usage:"'strict' or 'lax', see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite"`
 	AdvancedRateLimitRequests    int           `name:"advanced-rate-limit-requests" usage:"Amount of HTTP requests to permit within a 5 minute window. 0 or less turns rate limiting off."`
+	AdvancedRateLimitExceptions  []string      `name:"advanced-rate-limit-exceptions" usage:"Slice of CIDRs to exclude from rate limit restrictions."`
 	AdvancedThrottlingMultiplier int           `name:"advanced-throttling-multiplier" usage:"Multiplier to use per cpu for http request throttling. 0 or less turns throttling off."`
 	AdvancedThrottlingRetryAfter time.Duration `name:"advanced-throttling-retry-after" usage:"Retry-After duration response to send for throttled requests."`
 	AdvancedSenderMultiplier     int           `name:"advanced-sender-multiplier" usage:"Multiplier to use per cpu for batching outgoing fedi messages. 0 or less turns batching off (not recommended)."`
--- a/internal/config/defaults.go
+++ b/internal/config/defaults.go
@ -122,7 +122,8 @@ var Defaults = Configuration{

 	AdvancedCookiesSamesite:      "lax",
 	AdvancedRateLimitRequests:    300, // 1 per second per 5 minutes
-	AdvancedThrottlingMultiplier: 8,   // 8 open requests per CPU
+	AdvancedRateLimitExceptions:  []string{},
+	AdvancedThrottlingMultiplier: 8, // 8 open requests per CPU
 	AdvancedThrottlingRetryAfter: time.Second * 30,
 	AdvancedSenderMultiplier:     2, // 2 senders per CPU
 	AdvancedCSPExtraURIs:         []string{},
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@ -149,6 +149,7 @@ func (s *ConfigState) AddServerFlags(cmd *cobra.Command) {
 		// Advanced flags
 		cmd.Flags().String(AdvancedCookiesSamesiteFlag(), cfg.AdvancedCookiesSamesite, fieldtag("AdvancedCookiesSamesite", "usage"))
 		cmd.Flags().Int(AdvancedRateLimitRequestsFlag(), cfg.AdvancedRateLimitRequests, fieldtag("AdvancedRateLimitRequests", "usage"))
+		cmd.Flags().StringSlice(AdvancedRateLimitExceptionsFlag(), cfg.AdvancedRateLimitExceptions, fieldtag("AdvancedRateLimitExceptions", "usage"))
 		cmd.Flags().Int(AdvancedThrottlingMultiplierFlag(), cfg.AdvancedThrottlingMultiplier, fieldtag("AdvancedThrottlingMultiplier", "usage"))
 		cmd.Flags().Duration(AdvancedThrottlingRetryAfterFlag(), cfg.AdvancedThrottlingRetryAfter, fieldtag("AdvancedThrottlingRetryAfter", "usage"))
 		cmd.Flags().Int(AdvancedSenderMultiplierFlag(), cfg.AdvancedSenderMultiplier, fieldtag("AdvancedSenderMultiplier", "usage"))
--- a/internal/config/helpers.gen.go
+++ b/internal/config/helpers.gen.go
@ -2274,6 +2274,31 @@ func GetAdvancedRateLimitRequests() int { return global.GetAdvancedRateLimitRequ
 // SetAdvancedRateLimitRequests safely sets the value for global configuration 'AdvancedRateLimitRequests' field
 func SetAdvancedRateLimitRequests(v int) { global.SetAdvancedRateLimitRequests(v) }

+// GetAdvancedRateLimitExceptions safely fetches the Configuration value for state's 'AdvancedRateLimitExceptions' field
+func (st *ConfigState) GetAdvancedRateLimitExceptions() (v []string) {
+	st.mutex.RLock()
+	v = st.config.AdvancedRateLimitExceptions
+	st.mutex.RUnlock()
+	return
+}
+
+// SetAdvancedRateLimitExceptions safely sets the Configuration value for state's 'AdvancedRateLimitExceptions' field
+func (st *ConfigState) SetAdvancedRateLimitExceptions(v []string) {
+	st.mutex.Lock()
+	defer st.mutex.Unlock()
+	st.config.AdvancedRateLimitExceptions = v
+	st.reloadToViper()
+}
+
+// AdvancedRateLimitExceptionsFlag returns the flag name for the 'AdvancedRateLimitExceptions' field
+func AdvancedRateLimitExceptionsFlag() string { return "advanced-rate-limit-exceptions" }
+
+// GetAdvancedRateLimitExceptions safely fetches the value for global configuration 'AdvancedRateLimitExceptions' field
+func GetAdvancedRateLimitExceptions() []string { return global.GetAdvancedRateLimitExceptions() }
+
+// SetAdvancedRateLimitExceptions safely sets the value for global configuration 'AdvancedRateLimitExceptions' field
+func SetAdvancedRateLimitExceptions(v []string) { global.SetAdvancedRateLimitExceptions(v) }
+
 // GetAdvancedThrottlingMultiplier safely fetches the Configuration value for state's 'AdvancedThrottlingMultiplier' field
 func (st *ConfigState) GetAdvancedThrottlingMultiplier() (v int) {
 	st.mutex.RLock()
--- a/internal/middleware/contentsecuritypolicy_test.go
+++ b/internal/middleware/contentsecuritypolicy_test.go
--- a/internal/middleware/ratelimit.go
+++ b/internal/middleware/ratelimit.go
@ -20,47 +20,136 @@ package middleware
 import (
 	"net"
 	"net/http"
+	"net/netip"
+	"strconv"
 	"time"

 	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
 	"github.com/ulule/limiter/v3"
-	limitergin "github.com/ulule/limiter/v3/drivers/middleware/gin"
 	"github.com/ulule/limiter/v3/drivers/store/memory"
 )

 const rateLimitPeriod = 5 * time.Minute

-// RateLimit returns a gin middleware that will automatically rate limit caller (by IP address),
-// and enrich the response header with the following headers:
+// RateLimit returns a gin middleware that will automatically rate
+// limit caller (by IP address), and enrich the response header with
+// the following headers:
 //
-//   - `x-ratelimit-limit`     - maximum number of requests allowed per time period (fixed).
-//   - `x-ratelimit-remaining` - number of remaining requests that can still be performed.
-//   - `x-ratelimit-reset`     - unix timestamp when the rate limit will reset.
+//   - `X-Ratelimit-Limit`     - max requests allowed per time period (fixed).
+//   - `X-Ratelimit-Remaining` - requests remaining for this IP before reset.
+//   - `X-Ratelimit-Reset`     - ISO8601 timestamp when the rate limit will reset.
 //
-// If `x-ratelimit-limit` is exceeded, the request is aborted and an HTTP 429 TooManyRequests
-// status is returned.
+// If `X-Ratelimit-Limit` is exceeded, the request is aborted and an
+// HTTP 429 TooManyRequests status is returned.
 //
-// If the config AdvancedRateLimitRequests value is <= 0, then a noop handler will be returned,
-// which performs no rate limiting.
-func RateLimit(limit int) gin.HandlerFunc {
+// If the config AdvancedRateLimitRequests value is <= 0, then a noop
+// handler will be returned, which performs no rate limiting.
+func RateLimit(limit int, exceptions []string) gin.HandlerFunc {
 	if limit <= 0 {
-		// use noop middleware if ratelimiting is disabled
+		// Rate limiting is disabled.
+		// Return noop middleware.
 		return func(ctx *gin.Context) {}
 	}

 	limiter := limiter.New(
 		memory.NewStore(),
-		limiter.Rate{Period: rateLimitPeriod, Limit: int64(limit)},
-		limiter.WithIPv6Mask(net.CIDRMask(64, 128)), // apply /64 mask to IPv6 addresses
+		limiter.Rate{
+			Period: rateLimitPeriod,
+			Limit:  int64(limit),
+		},
 	)

-	// use custom rate limit reached error
-	handler := func(c *gin.Context) {
-		c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{"error": "rate limit reached"})
+	// Convert exceptions IP ranges into prefixes.
+	exceptPrefs := make([]netip.Prefix, len(exceptions))
+	for i, str := range exceptions {
+		exceptPrefs[i] = netip.MustParsePrefix(str)
 	}

-	return limitergin.NewMiddleware(
-		limiter,
-		limitergin.WithLimitReachedHandler(handler),
-	)
+	// It's prettymuch impossible to effectively
+	// rate limit the immense IPv6 address space
+	// unless we mask some of the bytes.
+	//
+	// This mask is pretty coarse, and puts IPv6
+	// blocking on more or less the same footing
+	// as IPv4 blocking in terms of how likely it
+	// is to prevent abuse while still allowing
+	// legit users access to the service.
+	ipv6Mask := net.CIDRMask(64, 128)
+
+	return func(c *gin.Context) {
+		// Use Gin's heuristic for determining
+		// clientIP, which accounts for reverse
+		// proxies and trusted proxies setting.
+		clientIP := netip.MustParseAddr(c.ClientIP())
+
+		// Check if this IP is exempt from rate
+		// limits and skip further checks if so.
+		for _, prefix := range exceptPrefs {
+			if prefix.Contains(clientIP) {
+				c.Next()
+				return
+			}
+		}
+
+		if clientIP.Is6() {
+			// Convert to "net" package IP for mask.
+			asIP := net.IP(clientIP.AsSlice())
+
+			// Apply coarse IPv6 mask.
+			asIP = asIP.Mask(ipv6Mask)
+
+			// Convert back to netip.Addr from net.IP.
+			clientIP, _ = netip.AddrFromSlice(asIP)
+		}
+
+		// Fetch rate limit info for this (masked) clientIP.
+		context, err := limiter.Get(c, clientIP.String())
+		if err != nil {
+			// Since we use an in-memory cache now,
+			// it's actually impossible for this to
+			// error, but handle it nicely anyway in
+			// case we switch implementation in future.
+			errWithCode := gtserror.NewErrorInternalError(err)
+
+			// Set error on gin context so it'll
+			// be picked up by logging middleware.
+			c.Error(errWithCode) //nolint:errcheck
+
+			// Bail with 500.
+			c.AbortWithStatusJSON(
+				errWithCode.Code(),
+				gin.H{"error": errWithCode.Safe()},
+			)
+			return
+		}
+
+		// Provide reset in same format used by
+		// Mastodon. There's no real standard as
+		// to what format X-RateLimit-Reset SHOULD
+		// use, but since most clients interacting
+		// with us will expect the Mastodon version,
+		// it makes sense to take this.
+		resetT := time.Unix(context.Reset, 0)
+		reset := util.FormatISO8601(resetT)
+
+		c.Header("X-RateLimit-Limit", strconv.FormatInt(context.Limit, 10))
+		c.Header("X-RateLimit-Remaining", strconv.FormatInt(context.Remaining, 10))
+		c.Header("X-RateLimit-Reset", reset)
+
+		if context.Reached {
+			// Return JSON error message for
+			// consistency with other endpoints.
+			c.AbortWithStatusJSON(
+				http.StatusTooManyRequests,
+				gin.H{"error": "rate limit reached"},
+			)
+			return
+		}
+
+		// Allow the request
+		// to continue.
+		c.Next()
+	}
 }
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@ -0,0 +1,192 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package middleware_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/suite"
+	"github.com/superseriousbusiness/gotosocial/internal/middleware"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+type RateLimitTestSuite struct {
+	suite.Suite
+}
+
+func (suite *RateLimitTestSuite) TestRateLimit() {
+	// Suppress warnings about debug mode.
+	gin.SetMode(gin.ReleaseMode)
+
+	const (
+		trustedPlatform = "X-Test-IP"
+		rlLimit         = "X-RateLimit-Limit"
+		rlRemaining     = "X-RateLimit-Remaining"
+		rlReset         = "X-RateLimit-Reset"
+	)
+
+	type rlTest struct {
+		limit        int
+		exceptions   []string
+		clientIP     string
+		shouldPanic  bool
+		shouldExcept bool
+	}
+
+	for _, test := range []rlTest{
+		{
+			limit:        10,
+			exceptions:   []string{},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  false,
+			shouldExcept: false,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  false,
+			shouldExcept: false,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{"192.0.2.0/24"},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  false,
+			shouldExcept: true,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{"192.0.2.0/32"},
+			clientIP:     "192.0.2.1",
+			shouldPanic:  false,
+			shouldExcept: false,
+		},
+		{
+			limit:        10,
+			exceptions:   []string{"Ceci n'est pas une CIDR"},
+			clientIP:     "192.0.2.0",
+			shouldPanic:  true,
+			shouldExcept: false,
+		},
+	} {
+		if test.shouldPanic {
+			// Try to trigger panic.
+			suite.Panics(func() {
+				_ = middleware.RateLimit(
+					test.limit,
+					test.exceptions,
+				)
+			})
+			continue
+		}
+
+		rlMiddleware := middleware.RateLimit(
+			test.limit,
+			test.exceptions,
+		)
+
+		// Approximate time when this limiter will reset.
+		resetAt := time.Now().Add(5 * time.Minute)
+
+		// Make requests up to +
+		// just over the limit.
+		limitedAt := test.limit + 1
+		for requestsCount := 1; requestsCount < limitedAt; requestsCount++ {
+			var (
+				recorder = httptest.NewRecorder()
+				ctx, e   = gin.CreateTestContext(recorder)
+			)
+
+			// Instruct engine to derive
+			// clientIP from test header.
+			e.TrustedPlatform = trustedPlatform
+			ctx.Request = httptest.NewRequest(http.MethodGet, "/example", nil)
+			ctx.Request.Header.Add(trustedPlatform, test.clientIP)
+
+			// Call the rate limiter.
+			rlMiddleware(ctx)
+
+			// Fetch RL headers if present.
+			var (
+				limitStr     = recorder.Header().Get(rlLimit)
+				remainingStr = recorder.Header().Get(rlRemaining)
+				resetStr     = recorder.Header().Get(rlReset)
+			)
+
+			if test.shouldExcept {
+				// Request should be allowed through,
+				// no rate-limit headers should be written.
+				suite.Equal(http.StatusOK, recorder.Code)
+				suite.Empty(limitStr)
+				suite.Empty(remainingStr)
+				suite.Empty(resetStr)
+				continue
+			}
+
+			suite.Equal(strconv.Itoa(test.limit), limitStr)
+			suite.Equal(strconv.Itoa(test.limit-requestsCount), remainingStr)
+
+			// Ensure reset is ISO8601, and resets at
+			// approximate reset time (+/- 10 seconds).
+			reset, err := util.ParseISO8601(resetStr)
+			if err != nil {
+				suite.FailNow("", "couldn't parse %s as ISO8601: %q", resetStr, err.Error())
+			}
+			suite.WithinDuration(resetAt, reset, 10*time.Second)
+
+			if requestsCount < limitedAt {
+				// Request should be allowed through.
+				suite.Equal(http.StatusOK, recorder.Code)
+				continue
+			}
+
+			// Request should be denied.
+			suite.Equal(http.StatusTooManyRequests, recorder.Code)
+
+			// Make a final request with an unrelated IP to
+			// ensure it's only the one IP being limited.
+			var (
+				unrelatedRecorder        = httptest.NewRecorder()
+				unrelatedCtx, unrelatedE = gin.CreateTestContext(unrelatedRecorder)
+			)
+
+			// Instruct engine to derive
+			// clientIP from test header.
+			unrelatedE.TrustedPlatform = trustedPlatform
+			unrelatedCtx.Request = httptest.NewRequest(http.MethodGet, "/example", nil)
+			unrelatedCtx.Request.Header.Add(trustedPlatform, "192.0.2.255")
+
+			// Call the rate limiter.
+			rlMiddleware(unrelatedCtx)
+
+			// Request should be allowed through.
+			suite.Equal(http.StatusOK, unrelatedRecorder.Code)
+
+		}
+	}
+}
+
+func TestRateLimitTestSuite(t *testing.T) {
+	suite.Run(t, new(RateLimitTestSuite))
+}
--- a/test/envparsing.sh
+++ b/test/envparsing.sh
@ -12,6 +12,10 @@ EXPECT=$(cat << "EOF"
    "accounts-registration-open": true,
    "advanced-cookies-samesite": "strict",
    "advanced-csp-extra-uris": [],
+    "advanced-rate-limit-exceptions": [
+        "192.0.2.0/24",
+        "127.0.0.1/32"
+    ],
    "advanced-rate-limit-requests": 6969,
    "advanced-sender-multiplier": -1,
    "advanced-throttling-multiplier": -1,
@ -237,6 +241,7 @@ GTS_SYSLOG_PROTOCOL='udp' \
 GTS_SYSLOG_ADDRESS='127.0.0.1:6969' \
 GTS_TRACING_ENDPOINT='localhost:4317' \
 GTS_ADVANCED_COOKIES_SAMESITE='strict' \
+GTS_ADVANCED_RATE_LIMIT_EXCEPTIONS="192.0.2.0/24,127.0.0.1/32" \
 GTS_ADVANCED_RATE_LIMIT_REQUESTS=6969 \
 GTS_ADVANCED_SENDER_MULTIPLIER=-1 \
 GTS_ADVANCED_THROTTLING_MULTIPLIER=-1 \