Rate limit the crate publish endpoint

.buildpacks

@@ -1,5 +1,5 @@
 https://github.com/Starkast/heroku-buildpack-cmake#a243c67
 https://github.com/emk/heroku-buildpack-rust#578d630
 https://codon-buildpacks.s3.amazonaws.com/buildpacks/heroku/emberjs.tgz
-https://github.com/travis-ci/nginx-buildpack.git#2fbde35
+https://github.com/heroku/heroku-buildpack-nginx.git#fbc49cd
 https://github.com/sgrif/heroku-buildpack-diesel#f605edd

config/nginx.conf.erb

@@ -9,6 +9,11 @@ events {
 }
 
 http {
+	set_real_ip_from 10.0.0.0/8;
+	set_real_ip_from 127.0.0.0/24;
+	real_ip_header X-Forwarded-For;
+	real_ip_recursive on;
+
 	gzip on;
 	gzip_comp_level 2;
 	gzip_proxied any;
@@ -28,6 +33,8 @@ http {
 	client_body_timeout 30;
 	client_max_body_size 50m;
 
+	limit_req_zone $remote_addr zone=publish:10m rate=1r/m;
+
 	upstream app_server {
 		server localhost:8888 fail_timeout=0;
  	}
@@ -38,22 +45,30 @@ http {
 		keepalive_timeout 5;
 
 		location ~ ^/assets/ {
-			add_header Strict-Transport-Security "max-age=31536000" always;
 			add_header X-Content-Type-Options nosniff;
 			add_header Cache-Control public;
 			root dist;
 			expires max;
 		}
 
+		add_header Strict-Transport-Security "max-age=31536000" always;
+		add_header Vary 'Accept, Accept-Encoding, Cookie';
+		proxy_set_header Host $http_host;
+		proxy_set_header X-Real-Ip $remote_addr;
+		proxy_redirect off;
+		if ($http_x_forwarded_proto != 'https') {
+			rewrite ^ https://$host$request_uri? permanent;
+		}
+
 		location / {
-			add_header Strict-Transport-Security "max-age=31536000" always;
-            add_header Vary 'Accept, Accept-Encoding, Cookie';
-			proxy_set_header Host $http_host;
-			proxy_redirect off;
-			if ($http_x_forwarded_proto != 'https') {
-				rewrite ^ https://$host$request_uri? permanent;
-			}
 			proxy_pass http://app_server;
 		}
+
+		location ~ ^/api/v./crates/new$ {
+			proxy_pass http://app_server;
+
+			limit_req zone=publish burst=10 nodelay;
+			limit_req_status 429;
+		}
 	}
 }

src/middleware/block_ips.rs

@@ -29,10 +29,10 @@ impl Handler for BlockIps {
     fn call(&self, req: &mut dyn Request) -> Result<Response, Box<dyn Error + Send>> {
         let has_blocked_ip = req
             .headers()
-            .find("X-Forwarded-For")
+            .find("X-Real-Ip")
             .unwrap()
             .iter()
-            .any(|v| v.split(", ").any(|ip| self.ips.iter().any(|x| x == ip)));
+            .any(|ip| self.ips.iter().any(|v| v == ip));
         if has_blocked_ip {
             let body = format!(
                 "We are unable to process your request at this time. \

src/middleware/log_request.rs

@@ -38,7 +38,7 @@ impl Handler for LogRequests {
             level = level,
             method = req.method(),
             path = FullPath(req),
-            ip = request_header(req, "X-Forwarded-For"),
+            ip = request_header(req, "X-Real-Ip"),
             time_ms = response_time,
             user_agent = request_header(req, "User-Agent"),
             referer = request_header(req, "Referer"), // sic