
caddy-ext's People

Contributors

derhuerst, mohammed90, russellluo


caddy-ext's Issues

Better rate controllability

With the rate limiter, you are currently very constrained in what you can configure as a rate, because you are limited to per-second and per-minute rates. It would be helpful to have rates like 100r/24h or so.

Getting CORS error when I use route /v1/graphql

I am trying to limit /v1/graphql by IP, but I am getting a CORS error.
If route /v1 is used, there is no error, but the API limit does not work.
/v1/* and /v1* are also not working.

Checking on localhost with docker-compose.

Please check below Caddyfile:

:8080 {
    reverse_proxy graphql-engine:8080
    route /v1/graphql {
        rate_limit {remote.ip} 50r/m

        respond 200
    }
}

Can't Build Caddy with Module Flagr

Hola!

Currently, I want to build Caddy with module flagr on my local, but I face an error when building. The error is

2023/09/07 10:28:51 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/RussellLuo/caddy-ext/flagr github.com/caddyserver/caddy/v2 
panic: internal error: can't find reason for requirement on golang.org/x/[email protected]

goroutine 1 [running]:
cmd/go/internal/modget.(*resolver).updateBuildList.func1({{0xc00097f7d0?, 0xc001108720?}, {0xc00033a360?, 0xc001414a20?}})
        /usr/local/go/src/cmd/go/internal/modget/get.go:1760 +0x114
cmd/go/internal/modget.(*resolver).updateBuildList(0xc000222000, {0xb313d0, 0xc00019a000}, {0x0, 0x0, 0x0})
        /usr/local/go/src/cmd/go/internal/modget/get.go:1765 +0x597
cmd/go/internal/modget.(*resolver).applyUpgrades(0xc000222000, {0xb313d0, 0xc00019a000}, {0x0?, 0x2?, 0x472485?})
        /usr/local/go/src/cmd/go/internal/modget/get.go:1312 +0x105
cmd/go/internal/modget.runGet({0xb313d0, 0xc00019a000}, 0xc0001c4510?, {0xc0001ae160, 0x2, 0x2})
        /usr/local/go/src/cmd/go/internal/modget/get.go:351 +0x45e
main.invoke(0xe2d000, {0xc0001ae130, 0x5, 0x5})
        /usr/local/go/src/cmd/go/main.go:225 +0x34e
main.main()
        /usr/local/go/src/cmd/go/main.go:179 +0x7d1
2023/09/07 10:28:53 [FATAL] exit status 2

Then, I tried to download caddy with module flagr on the web https://caddyserver.com/download?package=github.com%2FRussellLuo%2Fcaddy-ext%2Fflagr, and got the same issue. The error is like the picture below

image

When I try to access https://golang.org/x/[email protected], I get a 404 page not found response.

ratelimit plugin doesn't work on go 1.19

OS: Linux 5.18.16-zen1-1-zen
Go version: go1.19 linux/amd64


Steps to reproduce:

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
xcaddy build \
        --with github.com/RussellLuo/caddy-ext/ratelimit

./caddy

error log:

$ ./caddy  
panic: Something in this program imports go4.org/unsafe/assume-no-moving-gc to declare that it assumes a non-moving garbage collector, but your version of go4.org/unsafe/assume-no-moving-gc hasn't been updated to assert that it's safe against the go1.19 runtime. If you want to risk it, run with environment variable ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.19 set. Notably, if go1.19 adds a moving garbage collector, this program is unsafe to use.

goroutine 1 [running]:
go4.org/unsafe/assume-no-moving-gc.init.0()
        go4.org/unsafe/[email protected]/untested.go:25 +0x1f4

Custom error response

Hi, thanks for developing this, it is very useful.

I'm just wondering how I can return a custom response when the limit is reached?

rate_limit does not trigger

Hey there,
I'm trying to protect a basicauth prompt against brute-forcing using rate_limit, but for some reason it just does not trigger. I can curl the path all day long and it will not even once return a 429. Here's my config:

handle_path /test {
  rate_limit {query.id} 1r/m
  basicauth {
    something something
  }
  reverse_proxy ...
}

Any idea why?

Rate limit plugin doesn't work with go 1.20 without an env variable set

The issue is very similar to #8, which was fixed for go1.19 but not go 1.20:

caddy 
panic: Something in this program imports go4.org/unsafe/assume-no-moving-gc to declare that it assumes a non-moving garbage collector, but your version of go4.org/unsafe/assume-no-moving-gc hasn't been updated to assert that it's safe against the go1.20 runtime. If you want to risk it, run with environment variable ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.20 set. Notably, if go1.20 adds a moving garbage collector, this program is unsafe to use.

goroutine 1 [running]:
go4.org/unsafe/assume-no-moving-gc.init.0()
	go4.org/unsafe/[email protected]/untested.go:25 +0x1ba

Question about setting up

Hi there, I'd love to use the layer4 app without giving up on the Caddyfile, since its YAMLness makes it easy for me to configure.
Could your layer4 extension be used for the following scenario:

Caddy server running as a Docker container, listening on 0.0.0.0:443/tcp and 0.0.0.0:80/udp and 0.0.0.0:443/udp and 0.0.0.0:80/udp

  1. Proxy turn.domain.tld UDP & TCP traffic received and sent on port 443 in raw form to a docker container running on port 3389 (requires also tls)
  2. Proxy vpn.domain.tld wireguard UDP traffic received and sent on port 443 to a docker container listening on the typical wireguard port (no tls required)
  3. Proxy other UDP traffic received with further sub-domains to other containers

(all docker containers share the same docker network, so they can be reached via local IP or DNS)

And leave the http reverse proxies as they are already defined?

Could something like this work:

        https_port 443
        http_port 80
        servers tcp/:443 {
        }
        layer4 {
            udp/:443 {
                turn.domain.tld {
                    tls
                    proxy {
                        to udp/signaling_coturn:3389
                    }
                }
                vpn.domain.tld {
                    tls
                    proxy {
                        to udp/wireguard:51820
                    }
                }
                sub.domain1.tld, sub.domain2.tld, sub.domain3.tld, sub.domain4.tld {
                    tls
                    proxy {
                        to udp/dnsproxy:853
                    }
                }
            }
        }
        # normal http servers
sub.domain.tld {
...

When trying with

        servers tcp/0.0.0.0:443 {
                protocols h1 h2
        }
        layer4 {
               udp/0.0.0.0:443 {

I get the following warning:
"layer4 app module: start: listen udp 0.0.0.0:443: bind: address already in use"

Specify host for layer4

Hi,

Is it possible to specify a host/domain for a service?

I'm using the caddy-docker-proxy module in combination with yours with this label:

labels:
        caddy.layer4.:27017.proxy: "{{upstreams 27017}}"

which generates this caddy part:

"layer4": {
      "servers": {
        "srv0": {
          "listen": [":27017"],
          "routes": [
            {
              "handle": [
                {
                  "handler": "proxy",
                  "upstreams": [{ "dial": ["10.0.22.76:27017"] }]
                }
              ]
            }
          ]
        }
      }
    }

But I would like to specify the host/domain, so I could have multiple services running on the same port. Is it possible?

Rate limiting by IPv6 block

Hello,

First of all, thank you for a great library that helps rate-limiting the number of requests.

Secondly, I'm having an issue with IPv6 addresses. As you might know, a simple /64 block assigned to a customer contains millions of IP addresses, and a simple rate_limit * {remote.ip} 1r/m just doesn't work, as that customer could just use another IPv6 address from his own block.

Do you have any suggestions or maybe some kind of a feature might be implemented to solve rate-limiting for the IPv6 by blocks as well?

Thanks!
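
An added example (not part of the issue above and not code from caddy-ext): one way to derive a per-/64 limiter key in Go, so that requests from different addresses inside one IPv6 allocation are counted in the same bucket. `RateKey`, `Limiter` and `NewLimiter` are hypothetical names, the sample addresses are constructed from the documentation range, and the choice of /64 as the grouping width is an assumption taken from the issue text.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// RateKey (hypothetical helper) buckets IPv4 per address and IPv6 per /64.
func RateKey(remote string) (string, error) {
	addr, err := netip.ParseAddr(remote)
	if err != nil {
		return "", err
	}
	addr = addr.Unmap().WithZone("") // ::ffff:a.b.c.d counts as IPv4; drop %zone
	if addr.Is4() {
		return addr.String(), nil
	}
	p, err := addr.Prefix(64) // keep the top 64 bits, zero the interface ID
	return p.String(), err
}

type Limiter struct {
	limit  int
	window time.Duration
	hits   map[string]int
	start  map[string]time.Time
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit, window, map[string]int{}, map[string]time.Time{}}
}

// Allow applies a minimal fixed-window limit per RateKey bucket.
func (l *Limiter) Allow(remote string, now time.Time) bool {
	key, err := RateKey(remote)
	if err != nil {
		return false // unparsable peer address: fail closed
	}
	if now.Sub(l.start[key]) >= l.window {
		l.start[key], l.hits[key] = now, 0
	}
	l.hits[key]++
	return l.hits[key] <= l.limit
}

func main() {
	l, t := NewLimiter(1, time.Minute), time.Now() // addresses below are constructed
	fmt.Println(l.Allow("2001:db8:1:2::1", t), l.Allow("2001:db8:1:2:aaaa::99", t))
}
```
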

{path.<var>} does not work

Hi, please explain this for me. I want to use the rate limit for my URL https://site.dom/login.

And I use

"host": ["*.site.dom"]
}
],
"handle": [
{
"handler": "rate_limit",
"key": "{path.zak}",
"rate": "1r/m",
"zone_size": 10000,
"reject_status": 429
},

and I always get response code 200.
I expected to get a 429 code on repeated requests.

Release new version of Ratelimit module

Hello,

With the release of Go 1.19, there is a new update for go4.org/unsafe/assume-no-moving-gc, which the Ratelimit module uses.

This has been updated in 5680eab; however, there is no new tagged version. As a result, Caddy's build server uses an earlier version which panics, making it impossible to upgrade unless the Ratelimit module is removed, then re-added using the Master branch after downloading an upgraded version via caddy upgrade.

It would be great if you could release a new version of the Ratelimit plugin so that this could be avoided.

Much thanks in advance ☺️

Error during parsing rate_limit

Hello there,

Any idea why I'm getting the error below?

Error during parsing: parsing caddyfile tokens for 'rate_limit': /etc/caddy/Caddyfile:25 -
Error during parsing: Wrong argument count or unexpected line ending after '{http.request.uri.query.id}'

localhost:8080 {
    route /foo {
        rate_limit {query.id} 2r/m

        respond 200
    }
}

This is my Dockerfile

FROM caddy:2.6.2-builder-alpine as builder

RUN xcaddy build \
    --with github.com/RussellLuo/caddy-ext/ratelimit

FROM caddy:2.6.2-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

and this is my docker-compose.yml

version: "3.7"

services:
  caddy:
    logging:
      options:
        max-size: "500m"
        max-file: "5"

    build: .
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
volumes:
  caddy_data:
  caddy_config:
