Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fine grained rate-limits #80

Open
jcgruenhage opened this issue Apr 7, 2023 · 2 comments · May be fixed by #85
Open

Fine grained rate-limits #80

jcgruenhage opened this issue Apr 7, 2023 · 2 comments · May be fixed by #85

Comments

@jcgruenhage
Copy link
Contributor

jcgruenhage commented Apr 7, 2023
edited
Loading

acmed currently allows setting rate limits on endpoints, that specify how many
requests can be made per interval. It does not take the kind of request that is
made to the endpoint into consideration, which means that the rate limits
actually set by CAs (see https://letsencrypt.org/docs/rate-limits/) can not
really be represented by this.

My suggestion is to extend the current mechanism by giving rate-limits an
optional scope. This scope can be the path in the HTTP request, a path prefix,
an ACME resource (as listed in the directory response), etc. A request is then
only blocked, if there is a currently blocking rate-limit on that endpoint, that
matches this request. The specifics on how to model that and how to expose the
configuration for this aren't trivial, but I think if at least path (prefixes)
and ACME resources can be used as a scope, a few important rate limits can now
be set properly, that couldn't be set before, like the one for the newOrder
resource (300/3h), a shared one for the ACME resources newNonce, newAccount,
newOrder and revokeCert (20/1s), and the one for /directory
and anything under /acme (40/1s).

Even after that, there is a bunch of limits that this doesn't catch, but it'd be
a big improvement over the status quo.
@jcgruenhage jcgruenhage mentioned this issue Apr 7, 2023
Open
@jcgruenhage
Copy link
Contributor Author

I've started looking at this from an implementation side for a bit here. Combining multiple rate-limits is a bit tricky apparently, looking at different implementations (like https://lib.rs/crates/htb and https://lib.rs/crates/governor) they either don't implement them (see boinkor-net/governor#156), or not in a way that's flexible enough for us (htb says that buckets need fixed parents, which makes configuring this a lot less versatile than what I've described above).

I'll take a deeper look at some point, but I won't continue here tonight.

@jcgruenhage
Copy link
Contributor Author

Sleeping over it: Maybe it makes more sense to go for an implementation that somewhat works first before going for an implementation that works perfectly. For now, that will just mean that I'll be waiting for a positive outcome on each of the limits that match a request in sequence, ordered by the refill rate (from slow to fast), which is a good enough approximation IMO.

@jcgruenhage jcgruenhage linked a pull request Apr 9, 2023 that will close this issue
Draft
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

WIP: Allow scoping rate-limits to specific resources and paths jcgruenhage/acmed
1 participant
@jcgruenhage