taiars/nora
1
0
Fork 0
mirror of https://github.com/getnora-io/nora.git synced 2026-04-12 13:50:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add configurable rate limiting

Browse Source 
Rate limits now configurable via config.toml and ENV variables:
- New [rate_limit] config section with auth/upload/general settings
- ENV: NORA_RATE_LIMIT_{AUTH|UPLOAD|GENERAL}_{RPS|BURST}
- Rate limit configuration logged at startup
- Functions accept &RateLimitConfig instead of hardcoded values
This commit is contained in:
DevITWay
2026-01-30 08:20:50 +00:00
parent 278275978c
commit 73d28ea80b
5 changed files with 235 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
CHANGELOG.md
View File

@@ -4,6 +4,28 @@ All notable changes to NORA will be documented in this file.
--- ---
## [0.3.0] - 2026-01-30
### Added
#### Configurable Rate Limiting
- Rate limits now configurable via `config.toml` and environment variables
- New config section `[rate_limit]` with 6 parameters:
- `auth_rps` / `auth_burst` - Authentication endpoints (brute-force protection)
- `upload_rps` / `upload_burst` - Upload endpoints (Docker push, etc.)
- `general_rps` / `general_burst` - General API endpoints
- Environment variables: `NORA_RATE_LIMIT_{AUTH|UPLOAD|GENERAL}_{RPS|BURST}`
- Rate limit configuration logged at startup
### Changed
- Rate limiting functions now accept `&RateLimitConfig` parameter
- Improved error messages with `.expect()` instead of `.unwrap()`
### Fixed
- Rate limiting was hardcoded in v0.2.0, now user-configurable
---
## [0.2.0] - 2026-01-25 ## [0.2.0] - 2026-01-25
### Added ### Added

17
README.md
View File

@@ -105,6 +105,12 @@ nora migrate --from local --to s3
| `NORA_STORAGE_S3_URL` | - | S3 endpoint URL | | `NORA_STORAGE_S3_URL` | - | S3 endpoint URL |
| `NORA_STORAGE_BUCKET` | registry | S3 bucket name | | `NORA_STORAGE_BUCKET` | registry | S3 bucket name |
| `NORA_AUTH_ENABLED` | false | Enable authentication | | `NORA_AUTH_ENABLED` | false | Enable authentication |
| `NORA_RATE_LIMIT_AUTH_RPS` | 1 | Auth requests per second |
| `NORA_RATE_LIMIT_AUTH_BURST` | 5 | Auth burst size |
| `NORA_RATE_LIMIT_UPLOAD_RPS` | 200 | Upload requests per second |
| `NORA_RATE_LIMIT_UPLOAD_BURST` | 500 | Upload burst size |
| `NORA_RATE_LIMIT_GENERAL_RPS` | 100 | General requests per second |
| `NORA_RATE_LIMIT_GENERAL_BURST` | 200 | General burst size |
### config.toml ### config.toml
@@ -120,6 +126,17 @@ path = "data/storage"
[auth] [auth]
enabled = false enabled = false
htpasswd_file = "users.htpasswd" htpasswd_file = "users.htpasswd"
[rate_limit]
# Strict limits for authentication (brute-force protection)
auth_rps = 1
auth_burst = 5
# High limits for CI/CD upload workloads
upload_rps = 200
upload_burst = 500
# Balanced limits for general API endpoints
general_rps = 100
general_burst = 200
``` ```
## Endpoints ## Endpoints

130
nora-registry/src/config.rs
View File

@@ -14,6 +14,8 @@ pub struct Config {
pub pypi: PypiConfig, pub pypi: PypiConfig,
#[serde(default)] #[serde(default)]
pub auth: AuthConfig, pub auth: AuthConfig,
#[serde(default)]
pub rate_limit: RateLimitConfig,
} }
#[derive(Debug, Clone, Serialize, Deserialize)] #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -137,6 +139,64 @@ impl Default for AuthConfig {
} }
} }
/// Rate limiting configuration
///
/// Controls request rate limits for different endpoint types.
///
/// # Example
/// ```toml
/// [rate_limit]
/// auth_rps = 1
/// auth_burst = 5
/// upload_rps = 500
/// upload_burst = 1000
/// general_rps = 100
/// general_burst = 200
/// ```
///
/// # Environment Variables
/// - `NORA_RATE_LIMIT_AUTH_RPS` - Auth requests per second
/// - `NORA_RATE_LIMIT_AUTH_BURST` - Auth burst size
/// - `NORA_RATE_LIMIT_UPLOAD_RPS` - Upload requests per second
/// - `NORA_RATE_LIMIT_UPLOAD_BURST` - Upload burst size
/// - `NORA_RATE_LIMIT_GENERAL_RPS` - General requests per second
/// - `NORA_RATE_LIMIT_GENERAL_BURST` - General burst size
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RateLimitConfig {
#[serde(default = "default_auth_rps")]
pub auth_rps: u64,
#[serde(default = "default_auth_burst")]
pub auth_burst: u32,
#[serde(default = "default_upload_rps")]
pub upload_rps: u64,
#[serde(default = "default_upload_burst")]
pub upload_burst: u32,
#[serde(default = "default_general_rps")]
pub general_rps: u64,
#[serde(default = "default_general_burst")]
pub general_burst: u32,
}
fn default_auth_rps() -> u64 { 1 }
fn default_auth_burst() -> u32 { 5 }
fn default_upload_rps() -> u64 { 200 }
fn default_upload_burst() -> u32 { 500 }
fn default_general_rps() -> u64 { 100 }
fn default_general_burst() -> u32 { 200 }
impl Default for RateLimitConfig {
fn default() -> Self {
Self {
auth_rps: default_auth_rps(),
auth_burst: default_auth_burst(),
upload_rps: default_upload_rps(),
upload_burst: default_upload_burst(),
general_rps: default_general_rps(),
general_burst: default_general_burst(),
}
}
}
impl Config { impl Config {
/// Load configuration with priority: ENV > config.toml > defaults /// Load configuration with priority: ENV > config.toml > defaults
pub fn load() -> Self { pub fn load() -> Self {
@@ -223,6 +283,38 @@ impl Config {
if let Ok(val) = env::var("NORA_AUTH_TOKEN_STORAGE") { if let Ok(val) = env::var("NORA_AUTH_TOKEN_STORAGE") {
self.auth.token_storage = val; self.auth.token_storage = val;
} }
// Rate limit config
if let Ok(val) = env::var("NORA_RATE_LIMIT_AUTH_RPS") {
if let Ok(v) = val.parse::<u64>() {
self.rate_limit.auth_rps = v;
}
}
if let Ok(val) = env::var("NORA_RATE_LIMIT_AUTH_BURST") {
if let Ok(v) = val.parse::<u32>() {
self.rate_limit.auth_burst = v;
}
}
if let Ok(val) = env::var("NORA_RATE_LIMIT_UPLOAD_RPS") {
if let Ok(v) = val.parse::<u64>() {
self.rate_limit.upload_rps = v;
}
}
if let Ok(val) = env::var("NORA_RATE_LIMIT_UPLOAD_BURST") {
if let Ok(v) = val.parse::<u32>() {
self.rate_limit.upload_burst = v;
}
}
if let Ok(val) = env::var("NORA_RATE_LIMIT_GENERAL_RPS") {
if let Ok(v) = val.parse::<u64>() {
self.rate_limit.general_rps = v;
}
}
if let Ok(val) = env::var("NORA_RATE_LIMIT_GENERAL_BURST") {
if let Ok(v) = val.parse::<u32>() {
self.rate_limit.general_burst = v;
}
}
} }
} }
@@ -243,6 +335,44 @@ impl Default for Config {
npm: NpmConfig::default(), npm: NpmConfig::default(),
pypi: PypiConfig::default(), pypi: PypiConfig::default(),
auth: AuthConfig::default(), auth: AuthConfig::default(),
rate_limit: RateLimitConfig::default(),
} }
} }
} }
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_rate_limit_default() {
let config = RateLimitConfig::default();
assert_eq!(config.auth_rps, 1);
assert_eq!(config.auth_burst, 5);
assert_eq!(config.upload_rps, 200);
assert_eq!(config.upload_burst, 500);
assert_eq!(config.general_rps, 100);
assert_eq!(config.general_burst, 200);
}
#[test]
fn test_rate_limit_from_toml() {
let toml = r#"
[server]
host = "127.0.0.1"
port = 4000
[storage]
mode = "local"
[rate_limit]
auth_rps = 10
upload_burst = 1000
"#;
let config: Config = toml::from_str(toml).unwrap();
assert_eq!(config.rate_limit.auth_rps, 10);
assert_eq!(config.rate_limit.upload_burst, 1000);
assert_eq!(config.rate_limit.auth_burst, 5); // default
}
}

22
nora-registry/src/main.rs
View File

@@ -179,6 +179,17 @@ fn init_logging(json_format: bool) {
async fn run_server(config: Config, storage: Storage) { async fn run_server(config: Config, storage: Storage) {
let start_time = Instant::now(); let start_time = Instant::now();
// Log rate limiting configuration
info!(
auth_rps = config.rate_limit.auth_rps,
auth_burst = config.rate_limit.auth_burst,
upload_rps = config.rate_limit.upload_rps,
upload_burst = config.rate_limit.upload_burst,
general_rps = config.rate_limit.general_rps,
general_burst = config.rate_limit.general_burst,
"Rate limiting configured"
);
// Load auth if enabled // Load auth if enabled
let auth = if config.auth.enabled { let auth = if config.auth.enabled {
let path = Path::new(&config.auth.htpasswd_file); let path = Path::new(&config.auth.htpasswd_file);
@@ -205,6 +216,11 @@ async fn run_server(config: Config, storage: Storage) {
None None
}; };
// Create rate limiters before moving config to state
let auth_limiter = rate_limit::auth_rate_limiter(&config.rate_limit);
let upload_limiter = rate_limit::upload_rate_limiter(&config.rate_limit);
let general_limiter = rate_limit::general_rate_limiter(&config.rate_limit);
let state = Arc::new(AppState { let state = Arc::new(AppState {
storage, storage,
config, config,
@@ -216,7 +232,7 @@ async fn run_server(config: Config, storage: Storage) {
}); });
// Token routes with strict rate limiting (brute-force protection) // Token routes with strict rate limiting (brute-force protection)
let auth_routes = auth::token_routes().layer(rate_limit::auth_rate_limiter()); let auth_routes = auth::token_routes().layer(auth_limiter);
// Registry routes with upload rate limiting // Registry routes with upload rate limiting
let registry_routes = Router::new() let registry_routes = Router::new()
@@ -225,7 +241,7 @@ async fn run_server(config: Config, storage: Storage) {
.merge(registry::npm_routes()) .merge(registry::npm_routes())
.merge(registry::cargo_routes()) .merge(registry::cargo_routes())
.merge(registry::pypi_routes()) .merge(registry::pypi_routes())
.layer(rate_limit::upload_rate_limiter()); .layer(upload_limiter);
// Routes WITHOUT rate limiting (health, metrics, UI) // Routes WITHOUT rate limiting (health, metrics, UI)
let public_routes = Router::new() let public_routes = Router::new()
@@ -238,7 +254,7 @@ async fn run_server(config: Config, storage: Storage) {
let rate_limited_routes = Router::new() let rate_limited_routes = Router::new()
.merge(auth_routes) .merge(auth_routes)
.merge(registry_routes) .merge(registry_routes)
.layer(rate_limit::general_rate_limiter()); .layer(general_limiter);
let app = Router::new() let app = Router::new()
.merge(public_routes) .merge(public_routes)

104
nora-registry/src/rate_limit.rs
View File

@@ -1,4 +1,3 @@
#![allow(dead_code)]
//! Rate limiting configuration and middleware //! Rate limiting configuration and middleware
//! //!
//! Provides rate limiting to protect against: //! Provides rate limiting to protect against:
@@ -6,96 +5,69 @@
//! - DoS attacks on upload endpoints //! - DoS attacks on upload endpoints
//! - General API abuse //! - General API abuse
use crate::config::RateLimitConfig;
use tower_governor::governor::GovernorConfigBuilder; use tower_governor::governor::GovernorConfigBuilder;
/// Rate limit configuration
#[derive(Debug, Clone)]
pub struct RateLimitConfig {
/// Requests per second for auth endpoints (strict)
pub auth_rps: u32,
/// Burst size for auth endpoints
pub auth_burst: u32,
/// Requests per second for upload endpoints
pub upload_rps: u32,
/// Burst size for upload endpoints
pub upload_burst: u32,
/// Requests per second for general endpoints (lenient)
pub general_rps: u32,
/// Burst size for general endpoints
pub general_burst: u32,
}
impl Default for RateLimitConfig {
fn default() -> Self {
Self {
auth_rps: 1, // 1 req/sec for auth (strict)
auth_burst: 5, // Allow burst of 5
upload_rps: 200, // 200 req/sec for uploads (Docker needs high parallelism)
upload_burst: 500, // Allow burst of 500
general_rps: 100, // 100 req/sec general
general_burst: 200, // Allow burst of 200
}
}
}
/// Create rate limiter layer for auth endpoints (strict protection against brute-force) /// Create rate limiter layer for auth endpoints (strict protection against brute-force)
/// pub fn auth_rate_limiter(
/// Default: 1 request per second, burst of 5 config: &RateLimitConfig,
pub fn auth_rate_limiter() -> tower_governor::GovernorLayer< ) -> tower_governor::GovernorLayer<
tower_governor::key_extractor::PeerIpKeyExtractor, tower_governor::key_extractor::PeerIpKeyExtractor,
governor::middleware::StateInformationMiddleware, governor::middleware::StateInformationMiddleware,
axum::body::Body, axum::body::Body,
> { > {
let config = GovernorConfigBuilder::default() let gov_config = GovernorConfigBuilder::default()
.per_second(1) .per_second(config.auth_rps)
.burst_size(5) .burst_size(config.auth_burst)
.use_headers() .use_headers()
.finish() .finish()
.unwrap(); .expect("Failed to build auth rate limiter");
tower_governor::GovernorLayer::new(config) tower_governor::GovernorLayer::new(gov_config)
} }
/// Create rate limiter layer for upload endpoints /// Create rate limiter layer for upload endpoints
/// ///
/// Default: 200 requests per second, burst of 500
/// High limits to accommodate Docker client's aggressive parallel layer uploads /// High limits to accommodate Docker client's aggressive parallel layer uploads
pub fn upload_rate_limiter() -> tower_governor::GovernorLayer< pub fn upload_rate_limiter(
config: &RateLimitConfig,
) -> tower_governor::GovernorLayer<
tower_governor::key_extractor::PeerIpKeyExtractor, tower_governor::key_extractor::PeerIpKeyExtractor,
governor::middleware::StateInformationMiddleware, governor::middleware::StateInformationMiddleware,
axum::body::Body, axum::body::Body,
> { > {
let config = GovernorConfigBuilder::default() let gov_config = GovernorConfigBuilder::default()
.per_second(200) .per_second(config.upload_rps)
.burst_size(500) .burst_size(config.upload_burst)
.use_headers() .use_headers()
.finish() .finish()
.unwrap(); .expect("Failed to build upload rate limiter");
tower_governor::GovernorLayer::new(config) tower_governor::GovernorLayer::new(gov_config)
} }
/// Create rate limiter layer for general endpoints (lenient) /// Create rate limiter layer for general endpoints (lenient)
/// pub fn general_rate_limiter(
/// Default: 100 requests per second, burst of 200 config: &RateLimitConfig,
pub fn general_rate_limiter() -> tower_governor::GovernorLayer< ) -> tower_governor::GovernorLayer<
tower_governor::key_extractor::PeerIpKeyExtractor, tower_governor::key_extractor::PeerIpKeyExtractor,
governor::middleware::StateInformationMiddleware, governor::middleware::StateInformationMiddleware,
axum::body::Body, axum::body::Body,
> { > {
let config = GovernorConfigBuilder::default() let gov_config = GovernorConfigBuilder::default()
.per_second(100) .per_second(config.general_rps)
.burst_size(200) .burst_size(config.general_burst)
.use_headers() .use_headers()
.finish() .finish()
.unwrap(); .expect("Failed to build general rate limiter");
tower_governor::GovernorLayer::new(config) tower_governor::GovernorLayer::new(gov_config)
} }
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use crate::config::RateLimitConfig;
#[test] #[test]
fn test_default_config() { fn test_default_config() {
@@ -108,16 +80,34 @@ mod tests {
#[test] #[test]
fn test_auth_rate_limiter_creation() { fn test_auth_rate_limiter_creation() {
let _limiter = auth_rate_limiter(); let config = RateLimitConfig::default();
let _limiter = auth_rate_limiter(&config);
} }
#[test] #[test]
fn test_upload_rate_limiter_creation() { fn test_upload_rate_limiter_creation() {
let _limiter = upload_rate_limiter(); let config = RateLimitConfig::default();
let _limiter = upload_rate_limiter(&config);
} }
#[test] #[test]
fn test_general_rate_limiter_creation() { fn test_general_rate_limiter_creation() {
let _limiter = general_rate_limiter(); let config = RateLimitConfig::default();
let _limiter = general_rate_limiter(&config);
}
#[test]
fn test_custom_config() {
let config = RateLimitConfig {
auth_rps: 10,
auth_burst: 20,
upload_rps: 500,
upload_burst: 1000,
general_rps: 200,
general_burst: 400,
};
let _auth = auth_rate_limiter(&config);
let _upload = upload_rate_limiter(&config);
let _general = general_rate_limiter(&config);
} }
} }