feat: rate limit ipv6 addresses based on the first /56

neri 2023-11-16 13:59:12 +01:00
parent 42a8cb3e0a
commit 4d9880701d
4 changed files with 16 additions and 6 deletions

2
Cargo.lock generated

@ -551,7 +551,7 @@ dependencies = [
[[package]]
name = "datatrash"
version = "2.4.0"
version = "2.4.1"
dependencies = [
"actix-files",
"actix-governor",


@ -1,6 +1,6 @@
[package]
name = "datatrash"
version = "2.4.0"
version = "2.4.1"
authors = ["neri"]
edition = "2021"


@ -24,7 +24,7 @@ pub(crate) async fn delete_old_files(
.fetch(&db);
while let Some(row) = rows.try_next().await? {
let file_id: String = row.try_get("file_id").expect("we selected this column");
delete_content(&file_id, &files_dir).await?
delete_content(&file_id, &files_dir).await?;
}
sqlx::query("DELETE FROM files WHERE valid_till < $1")


@ -19,11 +19,21 @@ impl KeyExtractor for ForwardedPeerIpKeyExtractor {
fn extract(&self, req: &ServiceRequest) -> Result<Self::Key, Self::KeyExtractionError> {
let forwarded_for = req.headers().get("x-forwarded-for");
if self.proxied && forwarded_for.is_some() {
read_forwareded_for(forwarded_for).map_err(SimpleKeyExtractionError::new)
let mut ip = if self.proxied && forwarded_for.is_some() {
read_forwareded_for(forwarded_for).map_err(SimpleKeyExtractionError::new)?
} else {
PeerIpKeyExtractor.extract(req)
PeerIpKeyExtractor.extract(req)?
};
// only keep the first /56 for ipv6 addresses
// mask 0xffff_ffff_ffff_ff00_0000_0000_0000_0000
if let IpAddr::V6(ipv6) = ip {
let mut octets = ipv6.octets();
octets[7..16].fill(0);
ip = IpAddr::V6(octets.into());
}
Ok(ip)
}
fn exceed_rate_limit_response(
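Review bot: The `/56` mask in `extract` is applied to every `IpAddr::V6`, including IPv4-mapped addresses (`::ffff:a.b.c.d`), whose first seven octets are all zero, so after `octets[7..16].fill(0)` each of them becomes `::`. If the listener is dual-stack or the proxy forwards mapped addresses in `x-forwarded-for` (neither is visible in this hunk), all IPv4 clients would then share a single rate-limit bucket, and one busy client could exhaust the quota for everyone. Unwrapping the mapped form before masking avoids this, for example as the first line inside the `if let` body: `if let Some(v4) = ipv6.to_ipv4_mapped() { return Ok(IpAddr::V4(v4)); }`. The comment above the mask could also state why `/56` was chosen and that all hosts inside that prefix now share one quota. The `impl` block starts before this hunk and `exceed_rate_limit_response` continues past it.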