mirror-matrix
/
conduit
mirror of https://gitlab.com/famedly/conduit.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

defaults for everything except media

rate-limiting
Matthias Ahouansou 7 days ago
parent
7b03e09e2b
commit
d0e44034fe
No known key found for this signature in database
3 changed files with 225 additions and 20 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 241
      conduit-config/src/rate_limiting.rs
  2. 2
      docs/configuration/rate-limiting.md
  3. 2
      xtask/src/generate_docs.rs

241
conduit-config/src/rate_limiting.rs
Unescape View File

@ -535,7 +535,7 @@ fn nz(int: u64) -> NonZeroU64 {
}
macro_rules! default_restriction_map {
($restriction_type:ident; $($restriction:ident, $timeframe:ident, $timeframe_value:expr, $burst_capacity:expr);*) => {
($restriction_type:ident; $($restriction:ident, $timeframe:ident, $timeframe_value:expr, $burst_capacity:expr;)*) => {
HashMap::from_iter([
$((
$restriction_type::$restriction,
@ -603,29 +603,104 @@ impl Config {
}
pub fn get_preset(preset: ConfigPreset) -> Self {
// The client target map shouldn't really differ between presets, but maybe I'm wrong.
let target_client_map = default_restriction_map!(
ClientRestriction;
Registration, PerDay, 3, 10;
Login, PerDay, 5, 20;
RegistrationTokenValidity, PerDay, 10, 20;
SendEvent, PerMinute, 15, 60;
Join, PerHour, 5, 30;
Knock, PerHour, 5, 30;
Invite, PerHour, 2, 20;
SendReport, PerDay, 5, 20;
CreateAlias, PerDay, 2, 20;
MediaDownload, PerHour, 30, 100;
MediaCreate, PerMinute, 4, 20;
);
// Currently, these values are completely arbitrary, not informed by any sort of
// knowledge. In the future, it would be good to have some sort of analytics to
// determine what some good defaults could be. Maybe getting some percentiles for
// burst_capacity & timeframes used. How we'd tell the difference between power users
// and malicilous attacks, I'm not sure.
match preset {
//TODO: finish these
ConfigPreset::PrivateSmall => Self {
target: ConfigFragment {
client: ConfigFragmentFragment {
map: target_client_map,
media: ClientMediaConfig::todo(),
additional_fields: AuthenticationFailures::new(
Timeframe::PerHour(nz(1)),
nz(20),
),
},
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
Join, PerHour, 10, 10;
Knock, PerHour, 10, 10;
Invite, PerHour, 10, 10;
MediaDownload, PerMinute, 10, 50;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
},
},
global: ConfigFragment {
client: ConfigFragmentFragment {
map: default_restriction_map!(
ClientRestriction;
// Registration, PerDay, 10, 20;
// Login, PerHour, 10, 10;
// RegistrationTokenValidity, PerDay, 10, 20
Registration, PerDay, 10, 20;
Login, PerHour, 10, 10;
RegistrationTokenValidity, PerDay, 10, 20;
SendEvent, PerSecond, 2, 100;
Join, PerMinute, 1, 30;
Knock, PerMinute, 1, 30;
Invite, PerHour, 10, 20;
SendReport, PerHour, 1, 25;
CreateAlias, PerHour, 5, 20;
MediaDownload, PerMinute, 5, 150;
MediaCreate, PerMinute, 20, 50;
),
media: ClientMediaConfig::todo(),
additional_fields: Nothing,
},
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
Join, PerMinute, 10, 10;
Knock, PerMinute, 10, 10;
Invite, PerMinute, 10, 10;
MediaDownload, PerSecond, 10, 250;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
},
},
},
ConfigPreset::PrivateMedium => Self {
target: ConfigFragment {
client: ConfigFragmentFragment {
map: target_client_map,
media: ClientMediaConfig::todo(),
additional_fields: AuthenticationFailures::new(
Timeframe::PerDay(nz(10)),
nz(40),
Timeframe::PerHour(nz(10)),
nz(20),
),
},
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
Join, PerDay, 10, 20;
Knock, PerDay, 10, 20;
Invite, PerDay, 10, 20
Join, PerHour, 30, 10;
Knock, PerHour, 30, 10;
Invite, PerHour, 30, 10;
MediaDownload, PerMinute, 100, 50;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
@ -635,9 +710,78 @@ impl Config {
client: ConfigFragmentFragment {
map: default_restriction_map!(
ClientRestriction;
Registration, PerDay, 10, 20;
Login, PerHour, 10, 10;
RegistrationTokenValidity, PerDay, 10, 20
Registration, PerDay, 20, 20;
Login, PerHour, 25, 15;
RegistrationTokenValidity, PerDay, 20, 20;
SendEvent, PerSecond, 10, 100;
Join, PerMinute, 5, 30;
Knock, PerMinute, 5, 30;
Invite, PerMinute, 1, 20;
SendReport, PerHour, 10, 25;
CreateAlias, PerMinute, 1, 50;
MediaDownload, PerSecond, 1, 200;
MediaCreate, PerSecond, 2, 20;
),
media: ClientMediaConfig::todo(),
additional_fields: Nothing,
},
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
Join, PerMinute, 25, 25;
Knock, PerMinute, 25, 25;
Invite, PerMinute, 25, 25;
MediaDownload, PerSecond, 10, 100;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
},
},
},
ConfigPreset::PublicMedium => Self {
target: ConfigFragment {
client: ConfigFragmentFragment {
map: target_client_map,
media: ClientMediaConfig::todo(),
additional_fields: AuthenticationFailures::new(
Timeframe::PerHour(nz(10)),
nz(20),
),
},
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
Join, PerHour, 30, 10;
Knock, PerHour, 30, 10;
Invite, PerHour, 30, 10;
MediaDownload, PerMinute, 100, 50;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
},
},
global: ConfigFragment {
client: ConfigFragmentFragment {
map: default_restriction_map!(
ClientRestriction;
Registration, PerHour, 5, 20;
Login, PerHour, 25, 15;
// Public servers don't have registration tokens, so let's rate limit
// heavily so that if they revert to a private server again, it's a
// reminder to change their preset.
RegistrationTokenValidity, PerDay, 1, 1;
SendEvent, PerSecond, 10, 100;
Join, PerMinute, 5, 30;
Knock, PerMinute, 5, 30;
Invite, PerMinute, 1, 20;
SendReport, PerHour, 10, 25;
CreateAlias, PerMinute, 1, 50;
MediaDownload, PerSecond, 1, 200;
MediaCreate, PerSecond, 2, 20;
),
media: ClientMediaConfig::todo(),
additional_fields: Nothing,
@ -645,18 +789,77 @@ impl Config {
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
// Join, PerDay, 10, 20;
// Knock, PerDay, 10, 20;
// Invite, PerDay, 10, 20
Join, PerMinute, 25, 25;
Knock, PerMinute, 25, 25;
Invite, PerMinute, 25, 25;
MediaDownload, PerSecond, 10, 100;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
},
},
},
ConfigPreset::PublicLarge => Self {
target: ConfigFragment {
client: ConfigFragmentFragment {
map: target_client_map,
media: ClientMediaConfig::todo(),
additional_fields: AuthenticationFailures::new(
Timeframe::PerMinute(nz(1)),
nz(20),
),
},
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
Join, PerHour, 90, 30;
Knock, PerHour, 90, 30;
Invite, PerHour, 90, 30;
MediaDownload, PerMinute, 100, 50;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
},
},
global: ConfigFragment {
client: ConfigFragmentFragment {
map: default_restriction_map!(
ClientRestriction;
Registration, PerMinute, 4, 25;
Login, PerMinute, 10, 25;
// Public servers don't have registration tokens, so let's rate limit
// heavily so that if they revert to a private server again, it's a
// reminder to change their preset.
RegistrationTokenValidity, PerDay, 1, 1;
SendEvent, PerSecond, 100, 50;
Join, PerSecond, 1, 20;
Knock, PerSecond, 1, 20;
Invite, PerMinute, 10, 40;
SendReport, PerMinute, 5, 25;
CreateAlias, PerMinute, 30, 20;
MediaDownload, PerSecond, 25, 200;
MediaCreate, PerSecond, 10, 30;
),
media: ClientMediaConfig::todo(),
additional_fields: Nothing,
},
federation: ConfigFragmentFragment {
map: default_restriction_map!(
FederationRestriction;
Join, PerSecond, 1, 50;
Knock, PerSecond, 1, 50;
Invite, PerSecond, 1, 50;
MediaDownload, PerSecond, 50, 100;
),
media: FederationMediaConfig::todo(),
additional_fields: Nothing,
},
},
},
ConfigPreset::PrivateMedium => todo!(),
ConfigPreset::PublicMedium => todo!(),
ConfigPreset::PublicLarge => todo!(),
}
}
}

2
docs/configuration/rate-limiting.md
Unescape View File

@ -55,6 +55,8 @@ use up the entire global cap, but also prevent potential spam from being spread
Restrictions are one-to-many mappings to endpoints that have potential for abuse. Like the overrides mentioned above,
they are split into `client` and `federation` restrictions.
<!-- The following is generated by running `cargo xtask generate-docs` -->
#### Client
{{#include ../../target/docs/rate-limiting.md:client-restrictions}}

2
xtask/src/generate_docs.rs
Unescape View File

@ -32,7 +32,7 @@ pub fn run() {
let global = preset_config.global.get(&restriction.into());
let target = preset_config.target.get(&restriction.into());
markdown_text.push_str(&format!(
"| {} | {} | {} | {} | {} |\n",
"| `{}` | {} | {} requests | {} | {} requests |\n",
variant_to_string(&preset),
global.timeframe,
global.burst_capacity,

Write Preview
Loading…
Cancel
Save