Add per-IP rate limiting and Unix socket support for gRPC admin API
Rate limiting: per-source-IP connection rate limiter in the firewall layer with configurable limit and sliding window. Blocklisted IPs are rejected before rate limit evaluation to avoid wasting quota. Unix socket: the gRPC admin API can now listen on a Unix domain socket (no TLS required), secured by file permissions (0600), as a simpler alternative for local-only access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -3,6 +3,7 @@ package config
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/pelletier/go-toml/v2"
|
||||
@@ -44,6 +45,8 @@ type Firewall struct {
|
||||
BlockedIPs []string `toml:"blocked_ips"`
|
||||
BlockedCIDRs []string `toml:"blocked_cidrs"`
|
||||
BlockedCountries []string `toml:"blocked_countries"`
|
||||
RateLimit int64 `toml:"rate_limit"`
|
||||
RateWindow Duration `toml:"rate_window"`
|
||||
}
|
||||
|
||||
type Proxy struct {
|
||||
@@ -61,6 +64,18 @@ type Duration struct {
|
||||
time.Duration
|
||||
}
|
||||
|
||||
// IsUnixSocket returns true if the gRPC address refers to a Unix domain socket.
|
||||
func (g GRPC) IsUnixSocket() bool {
|
||||
path := strings.TrimPrefix(g.Addr, "unix:")
|
||||
return strings.Contains(path, "/")
|
||||
}
|
||||
|
||||
// SocketPath returns the filesystem path for a Unix socket address,
|
||||
// stripping any "unix:" prefix.
|
||||
func (g GRPC) SocketPath() string {
|
||||
return strings.TrimPrefix(g.Addr, "unix:")
|
||||
}
|
||||
|
||||
func (d *Duration) UnmarshalText(text []byte) error {
|
||||
var err error
|
||||
d.Duration, err = time.ParseDuration(string(text))
|
||||
@@ -114,5 +129,34 @@ func (c *Config) validate() error {
|
||||
return fmt.Errorf("firewall: geoip_db is required when blocked_countries is set")
|
||||
}
|
||||
|
||||
if c.Firewall.RateLimit < 0 {
|
||||
return fmt.Errorf("firewall.rate_limit must not be negative")
|
||||
}
|
||||
if c.Firewall.RateWindow.Duration < 0 {
|
||||
return fmt.Errorf("firewall.rate_window must not be negative")
|
||||
}
|
||||
if c.Firewall.RateLimit > 0 && c.Firewall.RateWindow.Duration == 0 {
|
||||
return fmt.Errorf("firewall.rate_window is required when rate_limit is set")
|
||||
}
|
||||
|
||||
// Validate gRPC config: if enabled, TLS cert and key are required
|
||||
// (unless using a Unix socket, which doesn't need TLS).
|
||||
if c.GRPC.Addr != "" && !c.GRPC.IsUnixSocket() {
|
||||
if c.GRPC.TLSCert == "" || c.GRPC.TLSKey == "" {
|
||||
return fmt.Errorf("grpc: tls_cert and tls_key are required when grpc.addr is a TCP address")
|
||||
}
|
||||
}
|
||||
|
||||
// Validate timeouts are non-negative.
|
||||
if c.Proxy.ConnectTimeout.Duration < 0 {
|
||||
return fmt.Errorf("proxy.connect_timeout must not be negative")
|
||||
}
|
||||
if c.Proxy.IdleTimeout.Duration < 0 {
|
||||
return fmt.Errorf("proxy.idle_timeout must not be negative")
|
||||
}
|
||||
if c.Proxy.ShutdownTimeout.Duration < 0 {
|
||||
return fmt.Errorf("proxy.shutdown_timeout must not be negative")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user