Added optional rate limiting for services
This commit is contained in:
parent
b0f63ffb25
commit
b3113da4f4
15 changed files with 110 additions and 13 deletions
|
@ -1,5 +1,6 @@
|
||||||
{
|
{
|
||||||
"require": {
|
"require": {
|
||||||
"monolog/monolog": "^3.5"
|
"monolog/monolog": "^3.5",
|
||||||
|
"namingo/rately": "^0.1.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -6,5 +6,8 @@ return [
|
||||||
'db_port' => 3306,
|
'db_port' => 3306,
|
||||||
'db_database' => 'registry',
|
'db_database' => 'registry',
|
||||||
'db_username' => 'your_username',
|
'db_username' => 'your_username',
|
||||||
'db_password' => 'your_password'
|
'db_password' => 'your_password',
|
||||||
|
'rately' => false,
|
||||||
|
'limit' => 1000,
|
||||||
|
'period' => 60,
|
||||||
];
|
];
|
|
@ -40,3 +40,10 @@ function setupLogger($logFilePath, $channelName = 'app') {
|
||||||
|
|
||||||
return $log;
|
return $log;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function isIpWhitelisted($ip, $pdo) {
|
||||||
|
$stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = ?");
|
||||||
|
$stmt->execute([$ip]);
|
||||||
|
$count = $stmt->fetchColumn();
|
||||||
|
return $count > 0;
|
||||||
|
}
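Review bot: `isIpWhitelisted` is added as an identical copy to three helpers files (this hunk, the RDAP helpers hunk after `mapContactToVCard`, and the WHOIS helpers hunk after `parseQuery`), and each copy is untyped and compares the raw `fetchColumn()` result, which PDO may hand back as a string depending on the driver and emulation settings, with `> 0`. Declaring it as `function isIpWhitelisted(string $ip, PDO $pdo): bool` and returning `(int) $stmt->fetchColumn() > 0` makes the contract explicit and the result a real bool. Keeping a single definition in one shared include rather than three copies would also stop the versions drifting apart when the whitelist query is changed later.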
|
|
@ -5,6 +5,7 @@ if (!extension_loaded('swoole')) {
|
||||||
}
|
}
|
||||||
|
|
||||||
use Swoole\Server;
|
use Swoole\Server;
|
||||||
|
use Namingo\Rately\Rately;
|
||||||
|
|
||||||
$c = require_once 'config.php';
|
$c = require_once 'config.php';
|
||||||
require_once 'helpers.php';
|
require_once 'helpers.php';
|
||||||
|
@ -43,6 +44,8 @@ $server->set([
|
||||||
'open_eof_check' => true,
|
'open_eof_check' => true,
|
||||||
'package_eof' => "\r\n"
|
'package_eof' => "\r\n"
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
$rateLimiter = new Rately();
|
||||||
$log->info('server started.');
|
$log->info('server started.');
|
||||||
|
|
||||||
// Register a callback to handle incoming connections
|
// Register a callback to handle incoming connections
|
||||||
|
@ -51,21 +54,35 @@ $server->on('connect', function ($server, $fd) use ($log) {
|
||||||
});
|
});
|
||||||
|
|
||||||
// Register a callback to handle incoming requests
|
// Register a callback to handle incoming requests
|
||||||
$server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool, $log) {
|
$server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool, $log, $rateLimiter) {
|
||||||
// Get a PDO connection from the pool
|
// Get a PDO connection from the pool
|
||||||
$pdo = $pool->get();
|
$pdo = $pool->get();
|
||||||
$domain = trim($data);
|
$domain = trim($data);
|
||||||
|
|
||||||
|
$clientInfo = $server->getClientInfo($fd);
|
||||||
|
$remoteAddr = $clientInfo['remote_ip'];
|
||||||
|
|
||||||
|
if (!isIpWhitelisted($remoteAddr, $pdo)) {
|
||||||
|
if (($c['rately'] == true) && ($rateLimiter->isRateLimited('das', $remoteAddr, $c['limit'], $c['period']))) {
|
||||||
|
$log->error('rate limit exceeded for ' . $remoteAddr);
|
||||||
|
$server->send($fd, "rate limit exceeded. Please try again later");
|
||||||
|
$server->close($fd);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Perform the DAS lookup
|
// Perform the DAS lookup
|
||||||
try {
|
try {
|
||||||
// Validate and sanitize the domain name
|
// Validate and sanitize the domain name
|
||||||
if (!$domain) {
|
if (!$domain) {
|
||||||
$server->send($fd, "2");
|
$server->send($fd, "2");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
if (strlen($domain) > 68) {
|
if (strlen($domain) > 68) {
|
||||||
$server->send($fd, "2");
|
$server->send($fd, "2");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
// Convert to Punycode if the domain is not in ASCII
|
// Convert to Punycode if the domain is not in ASCII
|
||||||
if (!mb_detect_encoding($domain, 'ASCII', true)) {
|
if (!mb_detect_encoding($domain, 'ASCII', true)) {
|
||||||
|
@ -73,6 +90,7 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
if ($convertedDomain === false) {
|
if ($convertedDomain === false) {
|
||||||
$server->send($fd, "2");
|
$server->send($fd, "2");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
} else {
|
} else {
|
||||||
$domain = $convertedDomain;
|
$domain = $convertedDomain;
|
||||||
}
|
}
|
||||||
|
@ -80,6 +98,7 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
if (!preg_match('/^(?:(xn--[a-zA-Z0-9-]{1,63}|[a-zA-Z0-9-]{1,63})\.){1,3}(xn--[a-zA-Z0-9-]{2,63}|[a-zA-Z]{2,63})$/', $domain)) {
|
if (!preg_match('/^(?:(xn--[a-zA-Z0-9-]{1,63}|[a-zA-Z0-9-]{1,63})\.){1,3}(xn--[a-zA-Z0-9-]{2,63}|[a-zA-Z]{2,63})$/', $domain)) {
|
||||||
$server->send($fd, "2");
|
$server->send($fd, "2");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
$domain = strtoupper($domain);
|
$domain = strtoupper($domain);
|
||||||
|
|
||||||
|
@ -171,7 +190,7 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
|
|
||||||
// Register a callback to handle client disconnections
|
// Register a callback to handle client disconnections
|
||||||
$server->on('close', function ($server, $fd) use ($log) {
|
$server->on('close', function ($server, $fd) use ($log) {
|
||||||
$log->info('client ' . $fd . ' connected.');
|
$log->info('client ' . $fd . ' disconnected.');
|
||||||
});
|
});
|
||||||
|
|
||||||
// Start the server
|
// Start the server
|
||||||
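Review bot: The early `return` in the new rate-limit branch of the `receive` handler leaves the connection taken by `$pdo = $pool->get()` a few lines earlier unreturned, if (as the pool usage suggests) the handler hands it back later in its body, which continues past this hunk; the same shape appears in the WHOIS `receive` handler. Either move `$pool->get()` below the rate-limit check or release the connection before returning. The guard also uses a loose `$c['rately'] == true`, which accepts any truthy config value, including the string `'false'`; `$c['rately'] === true` matches the boolean default written in config.php. `$server->getClientInfo($fd)` can return `false` for an fd that is already closed, in which case `$clientInfo['remote_ip']` is undefined; `$remoteAddr = $clientInfo['remote_ip'] ?? '';` followed by closing the connection when the address is empty would make the guard robust. Finally, `isIpWhitelisted` issues a database query for every connection before the limiter is consulted, so the limiter does not protect that query; caching the whitelist (the EPP server already keeps a `$permittedIPsTable`) would close that gap.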
|
|
|
@ -4,6 +4,7 @@
|
||||||
"jeremykendall/php-domain-parser": "^6.3",
|
"jeremykendall/php-domain-parser": "^6.3",
|
||||||
"matthiasmullie/scrapbook": "^1.5",
|
"matthiasmullie/scrapbook": "^1.5",
|
||||||
"guzzlehttp/guzzle": "^7.8",
|
"guzzlehttp/guzzle": "^7.8",
|
||||||
"league/flysystem": "^3.23"
|
"league/flysystem": "^3.23",
|
||||||
|
"namingo/rately": "^0.1.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,4 +15,7 @@ return [
|
||||||
'ssl_cert' => '',
|
'ssl_cert' => '',
|
||||||
'ssl_key' => '',
|
'ssl_key' => '',
|
||||||
'test_tlds' => '.test,.com.test',
|
'test_tlds' => '.test,.com.test',
|
||||||
|
'rately' => false,
|
||||||
|
'limit' => 1000,
|
||||||
|
'period' => 60,
|
||||||
];
|
];
|
|
@ -20,6 +20,7 @@ use Swoole\Table;
|
||||||
use Swoole\Timer;
|
use Swoole\Timer;
|
||||||
use Swoole\Coroutine\Server;
|
use Swoole\Coroutine\Server;
|
||||||
use Swoole\Coroutine\Server\Connection;
|
use Swoole\Coroutine\Server\Connection;
|
||||||
|
use Namingo\Rately\Rately;
|
||||||
|
|
||||||
$table = new Table(1024);
|
$table = new Table(1024);
|
||||||
$table->column('clid', Table::TYPE_STRING, 64);
|
$table->column('clid', Table::TYPE_STRING, 64);
|
||||||
|
@ -64,9 +65,11 @@ $server->set([
|
||||||
'ssl_protocols' => SWOOLE_SSL_TLSv1_2 | SWOOLE_SSL_TLSv1_3,
|
'ssl_protocols' => SWOOLE_SSL_TLSv1_2 | SWOOLE_SSL_TLSv1_3,
|
||||||
'ssl_ciphers' => 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384',
|
'ssl_ciphers' => 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384',
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
$rateLimiter = new Rately();
|
||||||
$log->info('Namingo EPP server started');
|
$log->info('Namingo EPP server started');
|
||||||
|
|
||||||
$server->handle(function (Connection $conn) use ($table, $pool, $c, $log, $permittedIPsTable) {
|
$server->handle(function (Connection $conn) use ($table, $pool, $c, $log, $permittedIPsTable, $rateLimiter) {
|
||||||
// Get the client information
|
// Get the client information
|
||||||
$clientInfo = $conn->exportSocket()->getpeername();
|
$clientInfo = $conn->exportSocket()->getpeername();
|
||||||
$clientIP = $clientInfo['address'] ?? '';
|
$clientIP = $clientInfo['address'] ?? '';
|
||||||
|
@ -78,6 +81,12 @@ $server->handle(function (Connection $conn) use ($table, $pool, $c, $log, $permi
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (($c['rately'] == true) && ($rateLimiter->isRateLimited('epp', $clientIP, $c['limit'], $c['period']))) {
|
||||||
|
$log->error('rate limit exceeded for ' . $clientIP);
|
||||||
|
$conn->close();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
$log->info('new client from ' . $clientIP . ' connected');
|
$log->info('new client from ' . $clientIP . ' connected');
|
||||||
sendGreeting($conn);
|
sendGreeting($conn);
|
||||||
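Review bot: The rate-limit check in the `handle` callback runs once per accepted connection, before `sendGreeting`, so it throttles connection attempts per source IP only; commands sent over an established EPP session are not counted, which is worth stating in a comment such as `// Per-IP limit on new connections only; commands within a session are not throttled here.`. It also sits after the preceding guard that ends with `return;` at the top of this hunk, so clients rejected by that guard are never counted against the limiter — confirm that ordering is intended. The guard uses `$c['rately'] == true`; `=== true` avoids accepting arbitrary truthy config values. `$clientIP` may be `''` when `getpeername()` yields no address, and an empty key would pool all such connections into a single bucket, so rejecting an empty address before the limiter call would be safer.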
|
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
{
|
{
|
||||||
"require": {
|
"require": {
|
||||||
"monolog/monolog": "^3.5"
|
"monolog/monolog": "^3.5",
|
||||||
|
"namingo/rately": "^0.1.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -10,4 +10,7 @@ return [
|
||||||
'roid' => 'XX',
|
'roid' => 'XX',
|
||||||
'registry_url' => 'https://example.com/rdap-terms',
|
'registry_url' => 'https://example.com/rdap-terms',
|
||||||
'rdap_url' => 'https://rdap.example.com',
|
'rdap_url' => 'https://rdap.example.com',
|
||||||
|
'rately' => false,
|
||||||
|
'limit' => 1000,
|
||||||
|
'period' => 60,
|
||||||
];
|
];
|
|
@ -92,3 +92,10 @@ function mapContactToVCard($contactDetails, $role, $c) {
|
||||||
],
|
],
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function isIpWhitelisted($ip, $pdo) {
|
||||||
|
$stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = ?");
|
||||||
|
$stmt->execute([$ip]);
|
||||||
|
$count = $stmt->fetchColumn();
|
||||||
|
return $count > 0;
|
||||||
|
}
|
|
@ -7,6 +7,7 @@ if (!extension_loaded('swoole')) {
|
||||||
use Swoole\Http\Server;
|
use Swoole\Http\Server;
|
||||||
use Swoole\Http\Request;
|
use Swoole\Http\Request;
|
||||||
use Swoole\Http\Response;
|
use Swoole\Http\Response;
|
||||||
|
use Namingo\Rately\Rately;
|
||||||
|
|
||||||
$c = require_once 'config.php';
|
$c = require_once 'config.php';
|
||||||
require_once 'helpers.php';
|
require_once 'helpers.php';
|
||||||
|
@ -44,13 +45,25 @@ $http->set([
|
||||||
'reload_async' => true,
|
'reload_async' => true,
|
||||||
'http_compression' => true
|
'http_compression' => true
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
$rateLimiter = new Rately();
|
||||||
$log->info('server started.');
|
$log->info('server started.');
|
||||||
|
|
||||||
// Handle incoming HTTP requests
|
// Handle incoming HTTP requests
|
||||||
$http->on('request', function ($request, $response) use ($c, $pool, $log) {
|
$http->on('request', function ($request, $response) use ($c, $pool, $log, $rateLimiter) {
|
||||||
// Get a PDO connection from the pool
|
// Get a PDO connection from the pool
|
||||||
$pdo = $pool->get();
|
$pdo = $pool->get();
|
||||||
|
|
||||||
|
$remoteAddr = $request->server['remote_addr'];
|
||||||
|
if (!isIpWhitelisted($remoteAddr, $pdo)) {
|
||||||
|
if (($c['rately'] == true) && ($rateLimiter->isRateLimited('rdap', $remoteAddr, $c['limit'], $c['period']))) {
|
||||||
|
$log->error('rate limit exceeded for ' . $remoteAddr);
|
||||||
|
$response->header('Content-Type', 'application/json');
|
||||||
|
$response->status(429);
|
||||||
|
$response->end(json_encode(['error' => 'Rate limit exceeded. Please try again later.']));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// Extract the request path
|
// Extract the request path
|
||||||
$requestPath = $request->server['request_uri'];
|
$requestPath = $request->server['request_uri'];
|
||||||
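Review bot: The rate-limit branch in the `request` handler sends a 429 via `$response->end(...)` but does not `return`, so execution falls through into the `try` block, the request is processed normally, and the handler will attempt to end the response a second time; add `return;` directly after `$response->end(json_encode(['error' => 'Rate limit exceeded. Please try again later.']));`. As written, the limiter adds a response but does not reduce the work a rate-limited client can cause. The `$pdo` connection taken from the pool before the check would also need to be released on that early return if the body hands it back later, outside this hunk. `$request->server['remote_addr']` is the TCP peer address, so if the RDAP server is deployed behind a reverse proxy all clients share the proxy's address and are limited as one — worth a comment at the point of use. The guard's `$c['rately'] == true` should be `=== true` for the same reason as elsewhere in this commit.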
|
|
|
@ -1,5 +1,6 @@
|
||||||
{
|
{
|
||||||
"require": {
|
"require": {
|
||||||
"monolog/monolog": "^3.5"
|
"monolog/monolog": "^3.5",
|
||||||
|
"namingo/rately": "^0.1.0"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,4 +9,7 @@ return [
|
||||||
'db_password' => 'your_password',
|
'db_password' => 'your_password',
|
||||||
'privacy' => false,
|
'privacy' => false,
|
||||||
'roid' => 'XX',
|
'roid' => 'XX',
|
||||||
|
'rately' => false,
|
||||||
|
'limit' => 25,
|
||||||
|
'period' => 60,
|
||||||
];
|
];
|
|
@ -52,3 +52,10 @@ function parseQuery($data) {
|
||||||
return ['type' => 'domain', 'data' => $data];
|
return ['type' => 'domain', 'data' => $data];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function isIpWhitelisted($ip, $pdo) {
|
||||||
|
$stmt = $pdo->prepare("SELECT COUNT(*) FROM registrar_whitelist WHERE addr = ?");
|
||||||
|
$stmt->execute([$ip]);
|
||||||
|
$count = $stmt->fetchColumn();
|
||||||
|
return $count > 0;
|
||||||
|
}
|
|
@ -5,6 +5,7 @@ if (!extension_loaded('swoole')) {
|
||||||
}
|
}
|
||||||
|
|
||||||
use Swoole\Server;
|
use Swoole\Server;
|
||||||
|
use Namingo\Rately\Rately;
|
||||||
|
|
||||||
$c = require_once 'config.php';
|
$c = require_once 'config.php';
|
||||||
require_once 'helpers.php';
|
require_once 'helpers.php';
|
||||||
|
@ -43,6 +44,8 @@ $server->set([
|
||||||
'open_eof_check' => true,
|
'open_eof_check' => true,
|
||||||
'package_eof' => "\r\n"
|
'package_eof' => "\r\n"
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
$rateLimiter = new Rately();
|
||||||
$log->info('server started.');
|
$log->info('server started.');
|
||||||
|
|
||||||
// Register a callback to handle incoming connections
|
// Register a callback to handle incoming connections
|
||||||
|
@ -51,7 +54,7 @@ $server->on('connect', function ($server, $fd) use ($log) {
|
||||||
});
|
});
|
||||||
|
|
||||||
// Register a callback to handle incoming requests
|
// Register a callback to handle incoming requests
|
||||||
$server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool, $log) {
|
$server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool, $log, $rateLimiter) {
|
||||||
// Get a PDO connection from the pool
|
// Get a PDO connection from the pool
|
||||||
$pdo = $pool->get();
|
$pdo = $pool->get();
|
||||||
$privacy = $c['privacy'];
|
$privacy = $c['privacy'];
|
||||||
|
@ -59,6 +62,18 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
$queryType = $parsedQuery['type'];
|
$queryType = $parsedQuery['type'];
|
||||||
$queryData = $parsedQuery['data'];
|
$queryData = $parsedQuery['data'];
|
||||||
|
|
||||||
|
$clientInfo = $server->getClientInfo($fd);
|
||||||
|
$remoteAddr = $clientInfo['remote_ip'];
|
||||||
|
|
||||||
|
if (!isIpWhitelisted($remoteAddr, $pdo)) {
|
||||||
|
if (($c['rately'] == true) && ($rateLimiter->isRateLimited('whois', $remoteAddr, $c['limit'], $c['period']))) {
|
||||||
|
$log->error('rate limit exceeded for ' . $remoteAddr);
|
||||||
|
$server->send($fd, "rate limit exceeded. Please try again later");
|
||||||
|
$server->close($fd);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Handle the WHOIS query
|
// Handle the WHOIS query
|
||||||
try {
|
try {
|
||||||
switch ($queryType) {
|
switch ($queryType) {
|
||||||
|
@ -69,10 +84,12 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
if (!$domain) {
|
if (!$domain) {
|
||||||
$server->send($fd, "please enter a domain name");
|
$server->send($fd, "please enter a domain name");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
if (strlen($domain) > 68) {
|
if (strlen($domain) > 68) {
|
||||||
$server->send($fd, "domain name is too long");
|
$server->send($fd, "domain name is too long");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
// Convert to Punycode if the domain is not in ASCII
|
// Convert to Punycode if the domain is not in ASCII
|
||||||
if (!mb_detect_encoding($domain, 'ASCII', true)) {
|
if (!mb_detect_encoding($domain, 'ASCII', true)) {
|
||||||
|
@ -80,6 +97,7 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
if ($convertedDomain === false) {
|
if ($convertedDomain === false) {
|
||||||
$server->send($fd, "Domain conversion to Punycode failed");
|
$server->send($fd, "Domain conversion to Punycode failed");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
} else {
|
} else {
|
||||||
$domain = $convertedDomain;
|
$domain = $convertedDomain;
|
||||||
}
|
}
|
||||||
|
@ -87,6 +105,7 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
if (!preg_match('/^(?:(xn--[a-zA-Z0-9-]{1,63}|[a-zA-Z0-9-]{1,63})\.){1,3}(xn--[a-zA-Z0-9-]{2,63}|[a-zA-Z]{2,63})$/', $domain)) {
|
if (!preg_match('/^(?:(xn--[a-zA-Z0-9-]{1,63}|[a-zA-Z0-9-]{1,63})\.){1,3}(xn--[a-zA-Z0-9-]{2,63}|[a-zA-Z]{2,63})$/', $domain)) {
|
||||||
$server->send($fd, "domain name invalid format");
|
$server->send($fd, "domain name invalid format");
|
||||||
$server->close($fd);
|
$server->close($fd);
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
$domain = strtoupper($domain);
|
$domain = strtoupper($domain);
|
||||||
|
|
||||||
|
@ -670,7 +689,7 @@ $server->on('receive', function ($server, $fd, $reactorId, $data) use ($c, $pool
|
||||||
|
|
||||||
// Register a callback to handle client disconnections
|
// Register a callback to handle client disconnections
|
||||||
$server->on('close', function ($server, $fd) use ($log) {
|
$server->on('close', function ($server, $fd) use ($log) {
|
||||||
$log->info('client ' . $fd . ' connected.');
|
$log->info('client ' . $fd . ' disconnected.');
|
||||||
});
|
});
|
||||||
|
|
||||||
// Start the server
|
// Start the server
|
||||||
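Review bot: The rate-limit check in the `receive` handler is placed after the query has already been parsed (`$parsedQuery['type']` and `['data']` are read at the top of this hunk), so a rate-limited client still has its input parsed before being dropped; moving the `getClientInfo`/whitelist/limit block ahead of the `parseQuery($data)` call, which lies outside this hunk, would make the rejection cheaper and match the DAS handler, where the check precedes validation. The handler's body continues beyond this hunk. The added `return;` statements in the validation branches are a genuine fix, since without them the handler kept running after `$server->close($fd)`.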
|
|