From fdfbdcd8c6173e007054fecb0b796f4e5e1b2934 Mon Sep 17 00:00:00 2001
From: Jeremy D Monin
Date: Sun, 12 Feb 2017 14:43:47 -0500
Subject: [PATCH 1/3] feat(rate-limiting) config add hide_client_headers

---
 kong/plugins/rate-limiting/handler.lua | 8 +++++---
 kong/plugins/rate-limiting/schema.lua | 3 ++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/kong/plugins/rate-limiting/handler.lua b/kong/plugins/rate-limiting/handler.lua
index 2a9094c4212..e1ab79f69bf 100644
--- a/kong/plugins/rate-limiting/handler.lua
+++ b/kong/plugins/rate-limiting/handler.lua
@@ -95,9 +95,11 @@ function RateLimitingHandler:access(conf)
 
   if usage then
     -- Adding headers
-    for k, v in pairs(usage) do
-      ngx.header[RATELIMIT_LIMIT.."-"..k] = v.limit
-      ngx.header[RATELIMIT_REMAINING.."-"..k] = math.max(0, (stop == nil or stop == k) and v.remaining - 1 or v.remaining) -- -increment_value for this current request
+    if not conf.hide_client_headers then
+      for k, v in pairs(usage) do
+        ngx.header[RATELIMIT_LIMIT.."-"..k] = v.limit
+        ngx.header[RATELIMIT_REMAINING.."-"..k] = math.max(0, (stop == nil or stop == k) and v.remaining - 1 or v.remaining) -- -increment_value for this current request
+      end
     end
 
     -- If limit is exceeded, terminate the request
diff --git a/kong/plugins/rate-limiting/schema.lua b/kong/plugins/rate-limiting/schema.lua
index b307c08431e..cb61b4361f9 100644
--- a/kong/plugins/rate-limiting/schema.lua
+++ b/kong/plugins/rate-limiting/schema.lua
@@ -17,7 +17,8 @@ return {
     redis_port = { type = "number", default = 6379 },
     redis_password = { type = "string" },
     redis_timeout = { type = "number", default = 2000 },
-    redis_database = { type = "number", default = 0 }
+    redis_database = { type = "number", default = 0 },
+    hide_client_headers = { type = "boolean", default = false },
   },
   self_check = function(schema, plugin_t, dao, is_update)
     local ordered_periods = { "second", "minute", "hour", "day", "month", "year"}
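Review bot: The `-- Adding headers` comment now sits above the new `if not conf.hide_client_headers then` guard and no longer explains the branch, and nothing in the hunk records that suppressing the headers is an information-disclosure control (it stops callers from learning the quota size and their remaining budget); I would replace it with `-- Expose X-RateLimit-Limit-* / X-RateLimit-Remaining-* to the client unless the operator set hide_client_headers`. Because the guard is a plain truthiness check, plugin rows persisted before this field existed (where conf.hide_client_headers is nil) keep emitting the headers, which agrees with the schema default of false; that is worth a short note on the line so nobody "fixes" it to `== false`. The comment should also say the option hides only these headers: when the limit is exceeded the request is still terminated below, so a client can still infer that a limit exists. RateLimitingHandler:access continues outside the hunk.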
From c260dc2bbfb605b3935b1c81c229939a08ec5934 Mon Sep 17 00:00:00 2001
From: Jeremy D Monin
Date: Sun, 12 Feb 2017 14:59:36 -0500
Subject: [PATCH 2/3] feat(response-ratelimiting) config add hide_client_headers

---
 kong/plugins/response-ratelimiting/header_filter.lua | 6 ++++--
 kong/plugins/response-ratelimiting/schema.lua | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/kong/plugins/response-ratelimiting/header_filter.lua b/kong/plugins/response-ratelimiting/header_filter.lua
index 4b357e98375..79f41cb3ae2 100644
--- a/kong/plugins/response-ratelimiting/header_filter.lua
+++ b/kong/plugins/response-ratelimiting/header_filter.lua
@@ -50,8 +50,10 @@ function _M.execute(conf)
     local stop
     for limit_name, v in pairs(usage) do
       for period_name, lv in pairs(usage[limit_name]) do
-        ngx.header[RATELIMIT_LIMIT.."-"..limit_name.."-"..period_name] = lv.limit
-        ngx.header[RATELIMIT_REMAINING.."-"..limit_name.."-"..period_name] = math_max(0, lv.remaining - (increments[limit_name] and increments[limit_name] or 0)) -- increment_value for this current request
+        if not conf.hide_client_headers then
+          ngx.header[RATELIMIT_LIMIT.."-"..limit_name.."-"..period_name] = lv.limit
+          ngx.header[RATELIMIT_REMAINING.."-"..limit_name.."-"..period_name] = math_max(0, lv.remaining - (increments[limit_name] and increments[limit_name] or 0)) -- increment_value for this current request
+        end
         if increments[limit_name] and increments[limit_name] > 0 and lv.remaining <= 0 then
           stop = true -- No more
diff --git a/kong/plugins/response-ratelimiting/schema.lua b/kong/plugins/response-ratelimiting/schema.lua
index 9c66f8113a1..5d465b1e6b4 100644
--- a/kong/plugins/response-ratelimiting/schema.lua
+++ b/kong/plugins/response-ratelimiting/schema.lua
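Review bot: The new `if not conf.hide_client_headers then` is evaluated inside the inner `for period_name, lv in pairs(usage[limit_name]) do` loop, so the config field is re-read for every limit/period pair although its value cannot change during the request. Hoisting it to a local above the outer loop, `local show_headers = not conf.hide_client_headers` before `for limit_name, v in pairs(usage) do` and `if show_headers then` in the loop, leaves the `stop` computation exactly as it is and makes it visible that the flag only controls header emission, not enforcement. A one-line comment on that local, `-- hide_client_headers suppresses the X-RateLimit-* headers only; stop is still computed below`, would save the next reader from checking. _M.execute continues outside the hunk.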
@@ -58,7 +58,8 @@ return {
           year = { type = "number" }
         }
       }
-    }
+    },
+    hide_client_headers = { type = "boolean", default = false },
   },
   self_check = function(schema, plugin_t, dao, is_update)
     if not plugin_t.limits or (not next(plugin_t.limits)) then

From 7ea8229403e1dbf38cf045504ca4e6f29c35bbcb Mon Sep 17 00:00:00 2001
From: Jeremy D Monin
Date: Mon, 13 Feb 2017 08:08:11 -0500
Subject: [PATCH 3/3] feat(rate-limiting,response-ratelimiting) test spec with config.hide_client_headers==true

---
 .../24-rate-limiting/04-access_spec.lua | 36 +++++++++++++++++++
 .../04-access_spec.lua | 36 +++++++++++++++++++
 2 files changed, 72 insertions(+)

diff --git a/spec/03-plugins/24-rate-limiting/04-access_spec.lua b/spec/03-plugins/24-rate-limiting/04-access_spec.lua
index 429d2ebf13d..be875ed8462 100644
--- a/spec/03-plugins/24-rate-limiting/04-access_spec.lua
+++ b/spec/03-plugins/24-rate-limiting/04-access_spec.lua
@@ -174,6 +174,26 @@ for i, policy in ipairs({"local", "cluster", "redis"}) do
       }
     })
 
+    local api5 = assert(helpers.dao.apis:insert {
+      name = "api-5",
+      hosts = { "test5.com" },
+      upstream_url = "http://mockbin.com"
+    })
+    assert(helpers.dao.plugins:insert {
+      name = "rate-limiting",
+      api_id = api5.id,
+      config = {
+        policy = policy,
+        minute = 6,
+        hide_client_headers = true,
+        fault_tolerant = false,
+        redis_host = REDIS_HOST,
+        redis_port = REDIS_PORT,
+        redis_password = REDIS_PASSWORD,
+        redis_database = REDIS_DATABASE
+      }
+    })
+
     assert(helpers.start_kong())
   end)
@@ -359,6 +379,22 @@ for i, policy in ipairs({"local", "cluster", "redis"}) do
       end)
     end)
 
+    describe("Config with hide_client_headers", function()
+      it("does not send rate-limit headers when hide_client_headers==true", function()
+        local res = assert(helpers.proxy_client():send {
+          method = "GET",
+          path = "/status/200/",
+          headers = {
+            ["Host"] = "test5.com"
+          }
+        })
+
+        assert.res_status(200, res)
+        assert.falsy(res.headers["x-ratelimit-limit-minute"])
+        assert.falsy(res.headers["x-ratelimit-remaining-minute"])
+      end)
+    end)
+
     if policy == "cluster" then
       describe("Fault tolerancy", function()
 
diff --git a/spec/03-plugins/25-response-rate-limiting/04-access_spec.lua b/spec/03-plugins/25-response-rate-limiting/04-access_spec.lua
index b17696873f0..f15d44c4cdc 100644
--- a/spec/03-plugins/25-response-rate-limiting/04-access_spec.lua
+++ b/spec/03-plugins/25-response-rate-limiting/04-access_spec.lua
@@ -204,6 +204,26 @@ for i, policy in ipairs({"local", "cluster", "redis"}) do
       }
     })
 
+    api = assert(helpers.dao.apis:insert {
+      name = "test9_com",
+      hosts = { "test9.com" },
+      upstream_url = "http://httpbin.org"
+    })
+    assert(helpers.dao.plugins:insert {
+      name = "response-ratelimiting",
+      api_id = api.id,
+      config = {
+        fault_tolerant = false,
+        policy = policy,
+        hide_client_headers = true,
+        redis_host = REDIS_HOST,
+        redis_port = REDIS_PORT,
+        redis_password = REDIS_PASSWORD,
+        redis_database = REDIS_DATABASE,
+        limits = {video = {minute = 6}}
+      }
+    })
+
     assert(helpers.start_kong())
   end)
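Review bot: The new `it("does not send rate-limit headers when hide_client_headers==true", ...)` only proves the headers are absent on one successful request; it never shows that the limit is still enforced while the headers are hidden, so a regression that skipped the counter or the whole access logic whenever hide_client_headers is set would pass this test. api-5 is configured with `minute = 6`, so the test can spend the budget and also check that the rejected request carries no X-RateLimit-* headers; the status to expect on the seventh request is whatever the plugin's existing exceeded-limit test in this file asserts (429 as far as I recall, not visible in this hunk). Below is the test body rewritten that way, assuming no other test in this describe has already consumed api-5's budget. The enclosing for-loop and describe start outside the hunk.
```lua
      it("does not send rate-limit headers when hide_client_headers==true", function()
        -- 6 requests fit api-5's per-minute budget; the 7th must be rejected,
        -- and none of them may expose the X-RateLimit-* headers
        for n = 1, 7 do
          local res = assert(helpers.proxy_client():send {
            method = "GET",
            path = "/status/200/",
            headers = {
              ["Host"] = "test5.com"
            }
          })

          assert.res_status(n <= 6 and 200 or 429, res)
          assert.falsy(res.headers["x-ratelimit-limit-minute"])
          assert.falsy(res.headers["x-ratelimit-remaining-minute"])
        end
      end)
```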
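Review bot: `api = assert(helpers.dao.apis:insert {` assigns without `local`, unlike the `local api5` used for the same purpose in the rate-limiting spec; if `api` is not declared as a local earlier in this setup function (not visible here) this creates a global that survives across the per-policy iterations of the enclosing for-loop. Either reuse an existing local on purpose with a comment saying so, or write `local api9 = assert(helpers.dao.apis:insert {` and `api_id = api9.id,` so the fixture is self-contained. The setup function starts outside the hunk.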
@@ -477,6 +497,22 @@ for i, policy in ipairs({"local", "cluster", "redis"}) do
         assert.equal([[{"message":"API rate limit exceeded for 'image'"}]], body)
       end)
 
+      describe("Config with hide_client_headers", function()
+        it("does not send rate-limit headers when hide_client_headers==true", function()
+          local res = assert(helpers.proxy_client():send {
+            method = "GET",
+            path = "/status/200",
+            headers = {
+              ["Host"] = "test9.com"
+            }
+          })
+
+          assert.res_status(200, res)
+          assert.falsy(res.headers["x-ratelimit-remaining-video-minute"])
+          assert.falsy(res.headers["x-ratelimit-limit-video-minute"])
+        end)
+      end)
+
     if policy == "cluster" then
       describe("Fault tolerancy", function()
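Review bot: Like its rate-limiting counterpart, this `it` only checks a 200 response without headers and never exercises the exceeded path with the headers hidden, but here repeating requests would not help: in header_filter.lua `stop` is set only when `increments[limit_name]` is positive, and a plain `/status/200` from httpbin.org presumably yields no `video` increment (how increments are derived is not visible in this patch). A real enforcement check needs an upstream or mock that reports a `video` increment, after which the rejected response should be asserted to carry neither `x-ratelimit-limit-video-minute` nor `x-ratelimit-remaining-video-minute`. Until that exists, a comment on the `it` such as `-- covers header suppression only; enforcement with hidden headers is not exercised` would document the gap honestly. The hunk's trailing context line is likely outside SOURCE.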