Rate limit the crate publish endpoint #1596

Merged (3 commits), Feb 14, 2019
2 changes: 1 addition & 1 deletion .buildpacks
@@ -1,5 +1,5 @@
https://github.com/Starkast/heroku-buildpack-cmake#a243c67
https://github.com/emk/heroku-buildpack-rust#578d630
https://codon-buildpacks.s3.amazonaws.com/buildpacks/heroku/emberjs.tgz
https://github.com/travis-ci/nginx-buildpack.git#2fbde35
https://github.com/heroku/heroku-buildpack-nginx.git#fbc49cd
https://github.com/sgrif/heroku-buildpack-diesel#f605edd
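Review bot: the realip directives (`set_real_ip_from`, `real_ip_header`, `real_ip_recursive`) and the `limit_req` directives added in `config/nginx.conf.erb` only work if the nginx built by the buildpack pinned here (`heroku/heroku-buildpack-nginx.git#fbc49cd`) was compiled with `ngx_http_realip_module`, which is not built by default and needs `--with-http_realip_module`; please state in the commit message which nginx version that commit ships and that the module is present, and consider pinning the full commit hash rather than the 7-character prefix.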
6 changes: 6 additions & 0 deletions app/templates/policies.hbs
@@ -25,6 +25,12 @@ them. If necessary, the team may reach out to inactive maintainers and help
mediate the process of ownership transfer.
</p>

<p>
Using an automated tool to claim ownership of a large number of package names
is not permitted. We reserve the right to block traffic or revoke ownership
of any package we determine to have been claimed by an automated tool.
</p>

<h2 id='removal'><a href='#removal'>Removal</a></h2>

<p>
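Review bot: the new paragraph warns that traffic may be blocked but says nothing about the publish rate limit this PR actually enforces (`rate=1r/m` with `burst=10`, answered with HTTP 429 in `config/nginx.conf.erb`), so a user whose CI job hits a 429 on the eleventh crate has no policy text explaining why. A sentence here stating that publishes are rate limited per IP address and that a 429 response means to wait and retry would turn an apparent outage into documented behaviour.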
31 changes: 23 additions & 8 deletions config/nginx.conf.erb
@@ -9,6 +9,11 @@ events {
}

http {
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 127.0.0.0/24;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

gzip on;
gzip_comp_level 2;
gzip_proxied any;
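Review bot: the `set_real_ip_from` list is what makes `$remote_addr`, and with it the `limit_req` key and the `X-Real-Ip` value the app now trusts, resistant to a client-supplied `X-Forwarded-For`; with `real_ip_recursive on` nginx walks the chain from the right and stops at the first address outside 10.0.0.0/8 and 127.0.0.0/24, so if any other hop inside 10.0.0.0/8 ever appends to the header, requests get attributed to the wrong address. Please add a comment above these four lines saying what these ranges are (the platform router in front of the dyno, given the Heroku buildpacks, plus loopback) and that they must be kept in sync with the platform; note also that 127.0.0.0/24 covers only part of loopback (127.0.0.0/8), which matters if local requests are expected.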
@@ -28,6 +33,8 @@ http {
client_body_timeout 30;
client_max_body_size 50m;

limit_req_zone $remote_addr zone=publish:10m rate=1r/m;

upstream app_server {
server localhost:8888 fail_timeout=0;
}
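Review bot: keying the zone on `$remote_addr` means every client behind one NAT or shared CI egress shares a single bucket; combined with the `burst=10 nodelay` applied later in the file, `rate=1r/m` allows ten publishes up front and then one per minute for the whole address, so a CI runner publishing a workspace of more than ten crates will receive 429 on the eleventh. If that is the intended trade-off, say so in the commit message; if not, consider a larger burst or keying on the authorization header (`$http_authorization`) so unrelated users behind one address are not coupled. A short comment next to the zone explaining the chosen rate and burst would help the next person who has to tune it.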
@@ -38,22 +45,30 @@ http {
keepalive_timeout 5;

location ~ ^/assets/ {
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Content-Type-Options nosniff;
add_header Cache-Control public;
root dist;
expires max;
}

add_header Strict-Transport-Security "max-age=31536000" always;
add_header Vary 'Accept, Accept-Encoding, Cookie';
proxy_set_header Host $http_host;
proxy_set_header X-Real-Ip $remote_addr;
proxy_redirect off;
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}

location / {
add_header Strict-Transport-Security "max-age=31536000" always;
add_header Vary 'Accept, Accept-Encoding, Cookie';
proxy_set_header Host $http_host;
proxy_redirect off;
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}
proxy_pass http://app_server;
}

location ~ ^/api/v./crates/new$ {
proxy_pass http://app_server;

limit_req zone=publish burst=10 nodelay;
limit_req_status 429;
}
}
}
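Review bot: `proxy_set_header` directives are inherited from the enclosing level only when the current level declares none of its own, and the new `location /` declares `proxy_set_header Host $http_host;`, so `X-Real-Ip` will not reach the app for that location unless `proxy_set_header X-Real-Ip $remote_addr;` is placed inside the block explicitly; since `block_ips.rs` in this same PR now unwraps that header, please verify it is set there. The same inheritance rule applies to `add_header`: the publish location declares none, so it only carries `Strict-Transport-Security` on its responses (including the 429s) if an `add_header ... always` remains at the server level. Separately, `^/api/v./crates/new$` matches any single character after `v`; `^/api/v\d/crates/new$` (or an explicit `v1`) is tighter and avoids rate limiting paths that were never meant to be public API.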
4 changes: 2 additions & 2 deletions src/middleware/block_ips.rs
@@ -29,10 +29,10 @@ impl Handler for BlockIps {
fn call(&self, req: &mut dyn Request) -> Result<Response, Box<dyn Error + Send>> {
let has_blocked_ip = req
.headers()
.find("X-Forwarded-For")
.find("X-Real-Ip")
.unwrap()
.iter()
.any(|v| v.split(", ").any(|ip| self.ips.iter().any(|x| x == ip)));
.any(|ip| self.ips.iter().any(|v| v == ip));
if has_blocked_ip {
let body = format!(
"We are unable to process your request at this time. \
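Review bot: `.find("X-Real-Ip").unwrap()` turns a missing header into a panic inside the request handler; with the header now supplied only by the nginx layer, any request that reaches the app without it (local runs, a location that stops forwarding it) will blow up in this middleware instead of simply not matching the block list. Prefer `req.headers().find("X-Real-Ip").unwrap_or_default()` (or an explicit `match` that treats `None` as "no address") and fall through to the normal response. The simplification from `split(", ")` to a direct comparison is fine because `X-Real-Ip` carries a single address, but it makes this check depend entirely on the `set_real_ip_from` trust list in `nginx.conf.erb` being correct, which is worth a one-line comment here.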
2 changes: 1 addition & 1 deletion src/middleware/log_request.rs
@@ -38,7 +38,7 @@ impl Handler for LogRequests {
level = level,
method = req.method(),
path = FullPath(req),
ip = request_header(req, "X-Forwarded-For"),
ip = request_header(req, "X-Real-Ip"),
time_ms = response_time,
user_agent = request_header(req, "User-Agent"),
referer = request_header(req, "Referer"), // sic
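Review bot: logging only `X-Real-Ip` records the address nginx resolved and drops the full `X-Forwarded-For` chain, which is exactly what you will want when investigating abuse or checking that the `set_real_ip_from` trust list is attributing requests to the right hop. Consider keeping both fields, for example `ip = request_header(req, "X-Real-Ip")` alongside `forwarded_for = request_header(req, "X-Forwarded-For")`, so the raw header stays available next to the resolved one. The `// sic` on `referer` should stay as is.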