mc/mc-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add per-IP rate limiting and Unix socket support for gRPC admin API

Browse Source 
Rate limiting: per-source-IP connection rate limiter in the firewall layer
with configurable limit and sliding window. Blocklisted IPs are rejected
before rate limit evaluation to avoid wasting quota. Unix socket: the gRPC
admin API can now listen on a Unix domain socket (no TLS required), secured
by file permissions (0600), as a simpler alternative for local-only access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-17 14:37:21 -07:00
parent e84093b7fb
commit b25e1b0e79
16 changed files with 694 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
deploy/mc-proxy.toml.example
View File

@@ -1,23 +1,49 @@
# mc-proxy configuration
#
# This file seeds the database on first run. After that, the database is
# the source of truth — listener, route, and firewall fields here are ignored.
# Listeners. Each entry binds a TCP listener on the specified address.
# Database. Required.
[database]
path = "/srv/mc-proxy/mc-proxy.db"
# Listeners. Each listener binds a TCP port and has its own route table.
[[listeners]]
addr = ":443"
[[listeners.routes]]
hostname = "metacrypt.metacircular.net"
backend = "127.0.0.1:18443"
[[listeners.routes]]
hostname = "mcias.metacircular.net"
backend = "127.0.0.1:28443"
[[listeners]]
addr = ":8443"
[[listeners.routes]]
hostname = "metacrypt.metacircular.net"
backend = "127.0.0.1:18443"
[[listeners]]
addr = ":9443"
# Routes. SNI hostname → backend address.
[[routes]]
hostname = "metacrypt.metacircular.net"
backend = "127.0.0.1:18443"
[[listeners.routes]]
hostname = "mcias.metacircular.net"
backend = "127.0.0.1:28443"
[[routes]]
hostname = "mcias.metacircular.net"
backend = "127.0.0.1:28443"
# gRPC admin API. Optional — omit or leave addr empty to disable.
# If enabled over TCP, tls_cert and tls_key are required. mTLS (client_ca)
# is strongly recommended for any non-loopback listen address.
[grpc]
addr = "127.0.0.1:9090"
tls_cert = "/srv/mc-proxy/certs/cert.pem"
tls_key = "/srv/mc-proxy/certs/key.pem"
client_ca = "/srv/mc-proxy/certs/ca.pem" # mTLS; omit to disable client auth
# Unix socket alternative (no TLS needed, secured by file permissions):
# addr = "/srv/mc-proxy/admin.sock"
# Firewall. Global blocklist, evaluated before routing. Default allow.
[firewall]
@@ -25,6 +51,8 @@ geoip_db = "/srv/mc-proxy/GeoLite2-Country.mmdb"
blocked_ips = []
blocked_cidrs = []
blocked_countries = ["KP", "CN", "IN", "IL"]
rate_limit = 100 # max connections per source IP per window (0 = disabled)
rate_window = "1m" # sliding window duration (required if rate_limit > 0)
# Proxy behavior.
[proxy]