feat: PRT - Websocket limited per ip #1738

Open
wants to merge 10 commits into
base: main

ranlavanet
Collaborator

Description

Closes: #XXXX


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • read the contribution guide
  • included the correct type prefix in the PR title, you can find examples of the prefixes below:
  • confirmed ! in the type prefix if API or client breaking change
  • targeted the main branch
  • provided a link to the relevant issue or specification
  • reviewed "Files changed" and left comments if necessary
  • included the necessary unit and integration tests
  • updated the relevant documentation or specification, including comments for documenting Go code
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic, API design and naming, documentation is accurate, tests and test coverage

@ranlavanet ranlavanet self-assigned this Oct 11, 2024
@ranlavanet ranlavanet changed the title PRT - Websocket limited per ip feat: PRT - Websocket limited per ip Oct 11, 2024

github-actions bot commented Oct 11, 2024

Test Results

2 230 tests  ±0   2 230 ✅ ±0   26m 15s ⏱️ + 1m 0s
  145 suites ±0       0 💤 ±0 
    7 files   ±0       0 ❌ ±0 

Results for commit 3ffb49a. ± Comparison against base commit 1962ab0.

♻️ This comment has been updated with latest results.

@nimrod-teich
Collaborator

I wouldn't use the IP alone as the unique identifier to map the open sockets (what happens when users behind NAT are sending requests?).
A combination of the real IP (extracted from X-Forwarded-For) and user-agent is advised.

@nimrod-teich nimrod-teich self-requested a review October 13, 2024 11:41
@omerlavanet
Collaborator

> I wouldn't use the IP alone as the unique identifier to map the open sockets (what happens when users behind NAT are sending requests?). A combination of the real IP (extracted from X-Forwarded-For) and user-agent is advised.

Agreed, and I would take it a step further: allow a special header to change the rate, and we force set this header on our nginx, because otherwise you have to manage special rate limits within the consumer.

@pull-request-size pull-request-size bot added size/L and removed size/M labels Oct 13, 2024
@ranlavanet
Collaborator Author

@nimrod-teich , @omerlavanet

I've added a header to rate limit. Functionality is quite the same as the flag, just here we can control it from nginx instead of directly in process.

Header name:
WebSocketRateLimitHeader = "x-lava-rate-limit"

Example use:
-H "x-lava-rate-limit: 10" (will result in rate limit of 10 requests per second)

@@ -156,7 +164,8 @@ func (cwm *ConsumerWebsocketManager) ListenToMessages() {
return
case <-ticker.C:
// check if rate limit reached, and ban is required
if WebSocketBanDuration > 0 && requestsPerSecond.Load() > uint64(WebSocketRateLimit) {
currentRequestsPerSecondLoad := requestsPerSecond.Load()
if WebSocketBanDuration > 0 && (cwm.headerRateLimit > currentRequestsPerSecondLoad || currentRequestsPerSecondLoad > uint64(WebSocketRateLimit)) {
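Review bot: The header comparison in the new condition is reversed. cwm.headerRateLimit > currentRequestsPerSecondLoad is true whenever a header limit is set and the connection is under it, so a quiet client is banned on the next tick. Suggest cwm.headerRateLimit > 0 && currentRequestsPerSecondLoad > cwm.headerRateLimit. Also decide whether the header replaces WebSocketRateLimit or only lowers it: with the || as written, a header value above the global limit never takes effect. A comment stating what a zero headerRateLimit means would help.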
Collaborator


If currentRequestsPerSecondLoad is very low and the header is given, the user is banned. I don't get it.

}
ip := websocketConn.RemoteAddr().String()
key := wcl.getKey(ip, ipForwarded)
numberOfActiveConnections := wcl.addIpConnectionAndGetCurrentAmount(key)
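Review bot: The ip value on the second line includes the source port. For a TCP peer, RemoteAddr().String() returns host:port, so unless getKey strips the port each new connection from the same client produces a different key and the count returned by addIpConnectionAndGetCurrentAmount never rises above one. Suggest passing only the host part (net.SplitHostPort) and adding a doc comment on getKey saying which of ip and ipForwarded wins when both are set.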
Collaborator


you add then immediately decrease, and not when the connection is down, no other writes to the active connections, this will always be true

ipForwarded = ""
}
ip := websocketConn.RemoteAddr().String()
key := wcl.getKey(ip, ipForwarded)
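Review bot: The fallback on the first line leaves getKey with only the socket peer address. When ipForwarded is reset to "", the key depends on RemoteAddr alone, which behind a reverse proxy is the proxy's address, so all clients would share one counter. If ipForwarded is read from a request header, it is client-supplied unless the proxy overwrites it. Suggest accepting it only when the peer is a trusted proxy and saying so in a comment above getKey.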
Collaborator


we said we will do this based on dappId, ip and user agent
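As an added example (not code from this pull request or the project), here is one way to do the per-client connection accounting the review comments above ask for: the key combines dappId, the client IP with its port stripped, and the user agent, and a slot is released only when the connection closes. `ConnLimiter`, `ClientKey` and `Acquire` are hypothetical names, and the addresses are constructed samples.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"sync"
)

// ConnLimiter caps concurrent websocket connections per client key (hypothetical type).
type ConnLimiter struct {
	mu     sync.Mutex
	max    int
	active map[string]int
}

// ClientKey combines dappId, client IP and user agent. forwardedIP is trustworthy only
// when the reverse proxy overwrites it; otherwise use the socket peer without its port.
func ClientKey(dappID, remoteAddr, forwardedIP, userAgent string) string {
	ip := strings.TrimSpace(forwardedIP)
	if net.ParseIP(ip) == nil { // empty or malformed: fall back to "host:port" peer
		ip, _, _ = net.SplitHostPort(remoteAddr)
	}
	return strings.Join([]string{dappID, ip, userAgent}, "|")
}

// Acquire reserves a slot, or returns ok=false without counting when the key is at
// its cap. Call release exactly once, when the connection closes, not right after.
func (l *ConnLimiter) Acquire(key string) (release func(), ok bool) {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.active[key] >= l.max {
		return nil, false
	}
	l.active[key]++
	return func() {
		l.mu.Lock()
		defer l.mu.Unlock()
		if l.active[key]--; l.active[key] <= 0 {
			delete(l.active, key) // drop idle keys so the map stays bounded
		}
	}, true
}

func main() {
	l := &ConnLimiter{max: 1, active: map[string]int{}}
	release, ok := l.Acquire(ClientKey("dapp1", "203.0.113.7:50122", "", "curl/8.0"))
	defer release()
	fmt.Println("first connection admitted:", ok) // inputs are constructed samples
}
```

Because the user agent is client-chosen, it separates honest clients behind one NAT but does not stop a client that rotates it; a per-IP ceiling on top of the per-key cap covers that case.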

3 participants