feat: rate limit ipv6 addresses based on the first /56

neri 2023-11-16 13:59:12 +01:00
parent 42a8cb3e0a
commit 701c86f64c
4 changed files with 406 additions and 406 deletions

792
Cargo.lock generated


@ -1,6 +1,6 @@
[package]
name = "datatrash"
version = "2.4.0"
version = "2.4.1"
authors = ["neri"]
edition = "2021"


@ -24,7 +24,7 @@ pub(crate) async fn delete_old_files(
.fetch(&db);
while let Some(row) = rows.try_next().await? {
let file_id: String = row.try_get("file_id").expect("we selected this column");
delete_content(&file_id, &files_dir).await?
delete_content(&file_id, &files_dir).await?;
}
sqlx::query("DELETE FROM files WHERE valid_till < $1")


@ -19,11 +19,21 @@ impl KeyExtractor for ForwardedPeerIpKeyExtractor {
fn extract(&self, req: &ServiceRequest) -> Result<Self::Key, Self::KeyExtractionError> {
let forwarded_for = req.headers().get("x-forwarded-for");
if self.proxied && forwarded_for.is_some() {
read_forwareded_for(forwarded_for).map_err(SimpleKeyExtractionError::new)
let mut ip = if self.proxied && forwarded_for.is_some() {
read_forwareded_for(forwarded_for).map_err(SimpleKeyExtractionError::new)?
} else {
PeerIpKeyExtractor.extract(req)
PeerIpKeyExtractor.extract(req)?
};
// only keep the first /56 for ipv6 addresses
// mask 0xffff_ffff_ffff_ff00_0000_0000_0000_0000
if let IpAddr::V6(ipv6) = ip {
let mut octets = ipv6.octets();
octets[7..16].fill(0);
ip = IpAddr::V6(octets.into());
}
Ok(ip)
}
fn exceed_rate_limit_response(
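Review bot: The /56 mask in `extract` is applied to every `IpAddr::V6`, including IPv4-mapped addresses (`::ffff:a.b.c.d`), whose first seven octets are all zero, so `octets[7..16].fill(0)` reduces each of them to `::` and all such clients would share a single rate-limit bucket. Whether mapped addresses reach this code depends on how the listener is bound and on what the proxy writes into `x-forwarded-for`, neither of which is visible in this hunk, but if they do, one busy client can use up the limit for every IPv4 user. Normalising first keeps IPv4 clients keyed per address: add `if let IpAddr::V6(v6) = ip { if let Some(v4) = v6.to_ipv4_mapped() { ip = IpAddr::V4(v4); } }` ahead of the masking block. A comment stating why /56 was chosen as the bucket size, and a unit test pinning the masked output for a native IPv6 address and a mapped one, would make the intent checkable.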