Implement rate limiting based on IP+UA (#211)

* Implement rate limiting

* Use separate Redis instance for rate limiting

* Fix flag name

* Remove annotations

* Set rate-limit-max to 40

* Update comments.

* Update comments and benchmark

* Reuse the same tooManyRequests error

* Fix indent in cloudbuild.yaml

* Add RATE_LIMIT_REDIS_ADDRESS to the mlab-ns template too

* Do not set an error status code on rate limit yet

* Address review comments

* Update comment

* Address review comments

Author: robertodauria

cloudbuild/app.yaml.mlab-ns.template

@@ -37,5 +37,6 @@ env_variables:
   LOCATOR_MAXMIND: true
   MAXMIND_URL: gs://downloader-{{PLATFORM_PROJECT}}/Maxmind/current/GeoLite2-City.tar.gz
   REDIS_ADDRESS: {{REDIS_ADDRESS}}
+  RATE_LIMIT_REDIS_ADDRESS: {{RATE_LIMIT_REDIS_ADDRESS}}
   PROMETHEUSX_LISTEN_ADDRESS: ':9090' # Must match one of the forwarded_ports above.
   PROMETHEUS_URL: 'https://prometheus-basicauth.{{PLATFORM_PROJECT}}.measurementlab.net/'

cloudbuild/app.yaml.template

@@ -36,5 +36,6 @@ env_variables:
   LOCATOR_MAXMIND: true
   MAXMIND_URL: gs://downloader-{{PLATFORM_PROJECT}}/Maxmind/current/GeoLite2-City.tar.gz
   REDIS_ADDRESS: {{REDIS_ADDRESS}}
+  RATE_LIMIT_REDIS_ADDRESS: {{RATE_LIMIT_REDIS_ADDRESS}}
   PROMETHEUSX_LISTEN_ADDRESS: ':9090' # Must match one of the forwarded_ports above.
   PROMETHEUS_URL: 'https://prometheus-basicauth.{{PLATFORM_PROJECT}}.measurementlab.net/'

cloudbuild/cloudbuild.yaml

@@ -29,6 +29,7 @@ steps:
     -e 's/{{PROJECT}}/$PROJECT_ID/g'
     -e 's/{{PLATFORM_PROJECT}}/$_PLATFORM_PROJECT/'
     -e 's/{{REDIS_ADDRESS}}/$_REDIS_ADDRESS/'
+    -e 's/{{RATE_LIMIT_REDIS_ADDRESS}}/$_RATE_LIMIT_REDIS_ADDRESS/'
     app.yaml
   - gcloud --project $PROJECT_ID app deploy --promote app.yaml
   # After deploying the new service, deploy the openapi spec.
@@ -47,6 +48,7 @@ steps:
     -e 's/{{PROJECT}}/$PROJECT_ID/g'
     -e 's/{{PLATFORM_PROJECT}}/$_PLATFORM_PROJECT/'
     -e 's/{{REDIS_ADDRESS}}/$_REDIS_ADDRESS/'
+    -e 's/{{RATE_LIMIT_REDIS_ADDRESS}}/$_RATE_LIMIT_REDIS_ADDRESS/'
     app.yaml
   - gcloud --project $PROJECT_ID app deploy --promote app.yaml
   # After deploying the new service, deploy the openapi spec.

go.mod

@@ -5,6 +5,7 @@ go 1.20
 require (
 	cloud.google.com/go/compute/metadata v0.2.3
 	cloud.google.com/go/secretmanager v1.11.2
+	github.com/alicebob/miniredis v2.5.0+incompatible
 	github.com/apex/log v1.9.0
 	github.com/cenkalti/backoff/v4 v4.1.3
 	github.com/go-test/deep v1.0.8
@@ -33,12 +34,14 @@ require (
 )
 
 require (
+	github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 // indirect
 	github.com/evanphx/json-patch v4.9.0+incompatible // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/imdario/mergo v0.3.5 // indirect
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/yuin/gopher-lua v1.1.1 // indirect
 	golang.org/x/sync v0.4.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect

go.sum

@@ -55,6 +55,10 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302 h1:uvdUDbHQHO85qeSydJtItA4T55Pw6BtAejd0APRJOCE=
+github.com/alicebob/gopher-json v0.0.0-20230218143504-906a9b012302/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
+github.com/alicebob/miniredis v2.5.0+incompatible h1:yBHoLpsyjupjz3NL3MhKMVkR41j82Yjf3KFv7ApYzUI=
+github.com/alicebob/miniredis v2.5.0+incompatible/go.mod h1:8HZjEj4yU0dwhYHky+DxYx+6BMjkBbe5ONFIF1MXffk=
 github.com/apex/log v1.9.0 h1:FHtw/xuaM8AgmvDDTI9fiwoAL25Sq2cxojnZICUU8l0=
 github.com/apex/log v1.9.0/go.mod h1:m82fZlWIuiWzWP04XCTXmnX0xRkYYbCdYn8jbJeLBEA=
 github.com/apex/logs v1.0.0/go.mod h1:XzxuLZ5myVHDy9SAmYpamKKRNApGj54PfYLcFrXqDwo=
@@ -360,6 +364,8 @@ github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKw
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
+github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=

handler/handler.go

@@ -52,6 +52,7 @@ type Client struct {
 	PrometheusClient
 	targetTmpl  *template.Template
 	agentLimits limits.Agents
+	ipLimiter   *limits.RateLimiter
 }
 
 // LocatorV2 defines how the Nearest handler requests machines nearest to the
@@ -84,7 +85,8 @@ func init() {
 }
 
 // NewClient creates a new client.
-func NewClient(project string, private Signer, locatorV2 LocatorV2, client ClientLocator, prom PrometheusClient, lmts limits.Agents) *Client {
+func NewClient(project string, private Signer, locatorV2 LocatorV2, client ClientLocator,
+	prom PrometheusClient, lmts limits.Agents, limiter *limits.RateLimiter) *Client {
 	return &Client{
 		Signer:           private,
 		project:          project,
@@ -93,6 +95,7 @@ func NewClient(project string, private Signer, locatorV2 LocatorV2, client Clien
 		PrometheusClient: prom,
 		targetTmpl:       template.Must(template.New("name").Parse("{{.Hostname}}{{.Ports}}")),
 		agentLimits:      lmts,
+		ipLimiter:        limiter,
 	}
 }
 
@@ -153,6 +156,38 @@ func (c *Client) Nearest(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	// Check rate limit for IP and UA.
+	if c.ipLimiter != nil {
+		// Get the IP address from the request. X-Forwarded-For is guaranteed to
+		// be set by AppEngine.
+		ip := req.Header.Get("X-Forwarded-For")
+		ips := strings.Split(ip, ",")
+		if len(ips) > 0 {
+			ip = strings.TrimSpace(ips[0])
+		}
+		if ip != "" {
+			// An empty UA is technically possible. In this case, the key will be
+			// "ip:" and the rate limiting will be based on the IP address only.
+			ua := req.Header.Get("User-Agent")
+			limited, err := c.ipLimiter.IsLimited(ip, ua)
+			if err != nil {
+				// Log error but don't block request (fail open).
+				// TODO: Add tests for this path.
+				log.Printf("Rate limiter error: %v", err)
+			} else if limited {
+				metrics.RequestsTotal.WithLabelValues("nearest", "rate limit",
+					http.StatusText(result.Error.Status)).Inc()
+				// For now, we only log the rate limit exceeded message.
+				// TODO: Actually block the request and return an appropriate HTTP error
+				// code and message.
+				log.Printf("Rate limit exceeded for IP %s and UA %s", ip, ua)
+			}
+		} else {
+			// This should never happen if Locate is deployed on AppEngine.
+			log.Println("Cannot find IP address for rate limiting.")
+		}
+	}
+
 	experiment, service := getExperimentAndService(req.URL.Path)
 
 	// Look up client location.

handler/handler_test.go

@@ -212,7 +212,7 @@ func TestClient_Nearest(t *testing.T) {
 			if tt.cl == nil {
 				tt.cl = clientgeo.NewAppEngineLocator()
 			}
-			c := NewClient(tt.project, tt.signer, tt.locator, tt.cl, prom.NewAPI(nil), tt.limits)
+			c := NewClient(tt.project, tt.signer, tt.locator, tt.cl, prom.NewAPI(nil), tt.limits, nil)
 
 			mux := http.NewServeMux()
 			mux.HandleFunc("/v2/nearest/", c.Nearest)
@@ -291,7 +291,7 @@ func TestClient_Ready(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := NewClient("foo", &fakeSigner{}, &fakeLocatorV2{StatusTracker: &heartbeattest.FakeStatusTracker{Err: tt.fakeErr}}, nil, nil, nil)
+			c := NewClient("foo", &fakeSigner{}, &fakeLocatorV2{StatusTracker: &heartbeattest.FakeStatusTracker{Err: tt.fakeErr}}, nil, nil, nil, nil)
 
 			mux := http.NewServeMux()
 			mux.HandleFunc("/ready/", c.Ready)
@@ -349,7 +349,7 @@ func TestClient_Registrations(t *testing.T) {
 		}
 
 		t.Run(tt.name, func(t *testing.T) {
-			c := NewClient("foo", &fakeSigner{}, &fakeLocatorV2{StatusTracker: fakeStatusTracker}, nil, nil, nil)
+			c := NewClient("foo", &fakeSigner{}, &fakeLocatorV2{StatusTracker: fakeStatusTracker}, nil, nil, nil, nil)
 
 			mux := http.NewServeMux()
 			mux.HandleFunc("/v2/siteinfo/registrations/", c.Registrations)

handler/heartbeat_test.go

@@ -70,7 +70,7 @@ func TestClient_handleHeartbeats(t *testing.T) {
 func fakeClient(t heartbeat.StatusTracker) *Client {
 	locatorv2 := fakeLocatorV2{StatusTracker: t}
 	return NewClient("mlab-sandbox", &fakeSigner{}, &locatorv2,
-		clientgeo.NewAppEngineLocator(), prom.NewAPI(nil), nil)
+		clientgeo.NewAppEngineLocator(), prom.NewAPI(nil), nil, nil)
 }
 
 type fakeConn struct {

handler/monitoring_test.go

@@ -92,7 +92,7 @@ func TestClient_Monitoring(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cl := clientgeo.NewAppEngineLocator()
-			c := NewClient("mlab-sandbox", tt.signer, tt.locator, cl, prom.NewAPI(nil), nil)
+			c := NewClient("mlab-sandbox", tt.signer, tt.locator, cl, prom.NewAPI(nil), nil, nil)
 			rw := httptest.NewRecorder()
 			req := httptest.NewRequest(http.MethodGet, "/v2/platform/monitoring/"+tt.path, nil)
 			req = req.Clone(controller.SetClaim(req.Context(), tt.claim))

limits/ratelimiter.go

@@ -0,0 +1,90 @@
+package limits
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/gomodule/redigo/redis"
+)
+
+// RateLimitConfig holds the configuration for IP+UA rate limiting.
+type RateLimitConfig struct {
+	// Interval defines the duration of the sliding window.
+	Interval time.Duration
+	// MaxEvents defines the maximum number of events allowed in the interval.
+	MaxEvents int
+	// KeyPrefix is the prefix for Redis keys.
+	KeyPrefix string
+}
+
+// RateLimiter implements a distributed rate limiter using Redis sorted sets (ZSET).
+// It maintains a sliding window of events for each IP+UA combination, where:
+//   - Each event is stored in a ZSET with the timestamp as score
+//   - Old events (outside the window) are automatically removed
+//   - Keys automatically expire after the configured interval
+//
+// The limiter considers a request to be rate-limited if the number of events
+// in the current window exceeds MaxEvents.
+type RateLimiter struct {
+	pool      *redis.Pool
+	interval  time.Duration
+	maxEvents int
+	keyPrefix string
+}
+
+// NewRateLimiter creates a new rate limiter.
+func NewRateLimiter(pool *redis.Pool, config RateLimitConfig) *RateLimiter {
+	return &RateLimiter{
+		pool:      pool,
+		interval:  config.Interval,
+		maxEvents: config.MaxEvents,
+		keyPrefix: config.KeyPrefix,
+	}
+}
+
+// generateKey creates a Redis key from IP and User-Agent.
+func (rl *RateLimiter) generateKey(ip, ua string) string {
+	return fmt.Sprintf("%s:%s:%s", rl.keyPrefix, ip, ua)
+}
+
+// IsLimited checks if the given IP and User-Agent combination should be rate limited.
+func (rl *RateLimiter) IsLimited(ip, ua string) (bool, error) {
+	conn := rl.pool.Get()
+	defer conn.Close()
+
+	now := time.Now().UnixMicro()
+	windowStart := now - rl.interval.Microseconds()
+	redisKey := rl.generateKey(ip, ua)
+
+	// Send all commands in pipeline.
+	// 1. Remove events outside the window
+	conn.Send("ZREMRANGEBYSCORE", redisKey, "-inf", windowStart)
+	// 2. Add current event
+	conn.Send("ZADD", redisKey, now, strconv.FormatInt(now, 10))
+	// 3. Set key expiration
+	conn.Send("EXPIRE", redisKey, int64(rl.interval.Seconds()))
+	// 4. Get total event count
+	conn.Send("ZCARD", redisKey)
+
+	// Flush pipeline
+	if err := conn.Flush(); err != nil {
+		return false, fmt.Errorf("failed to flush pipeline: %w", err)
+	}
+
+	// Receive all replies
+	for i := 0; i < 3; i++ {
+		// Receive replies for ZREMRANGEBYSCORE, ZADD, and EXPIRE
+		if _, err := conn.Receive(); err != nil {
+			return false, fmt.Errorf("failed to receive reply %d: %w", i, err)
+		}
+	}
+
+	// Receive and process ZCARD reply
+	count, err := redis.Int64(conn.Receive())
+	if err != nil {
+		return false, fmt.Errorf("failed to receive count: %w", err)
+	}
+
+	return count > int64(rl.maxEvents), nil
+}