
Add rate limiting to API calls #1479

Open
spwoodcock opened this issue Apr 25, 2024 · 1 comment · May be fixed by #1695
Assignees
Labels
backend Related to backend code devops Related to deployment or configuration effort:medium Likely a day or two priority:low Backlog of tasks that will be addressed in time

Comments

@spwoodcock
Member

Is your feature request related to a problem? Please describe.

  • After we add a task queue, Redis will be part of our stack.
  • We can also use Redis to effectively handle rate limiting.

Describe the solution you'd like

  • Rate limiting should be implemented based on:
    • Number of requests from an IP address per minute.
    • Possibly total number of requests per minute to avoid DDOS?

Describe alternatives you've considered

  • We could add something like fail2ban to the Nginx proxy, which isn't a bad idea.

Additional context

  • For most endpoints we are protected by login_required, making distributed attacks harder.
  • But we do have some unprotected endpoints out of necessity, so this is a moot point.
@spwoodcock spwoodcock added backend Related to backend code devops Related to deployment or configuration labels Apr 25, 2024
@spwoodcock
Member Author

spwoodcock commented Jun 30, 2024

While Redis based rate limiting is the best approach with good granularity, if we do not implement a task queue then there isn't much point adding Redis to the stack.

In this case, basic rate limiting via the Nginx proxy is the best approach. This should be explored.

Another alternative would be the implementation from litestar: https://docs.litestar.dev/2/usage/middleware/builtin-middleware.html#rate-limit-middleware, based on the RateLimit header fields spec.
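A minimal per-IP plus global fixed-window limiter that also emits the RateLimit response headers mentioned above, as an added example (not FMTM project code). It assumes a counter store with Redis INCR/EXPIRE semantics and uses an in-memory stand-in so it runs offline; the key names and limits are constructed for illustration.

```python
import time

WINDOW = 60  # seconds: the "per minute" window from the issue


class MemoryCounterStore:
    """Offline stand-in for Redis. incr() mirrors INCR followed by EXPIRE on a
    fresh key; in production the same two calls go to a redis client."""

    def __init__(self):
        self._counters = {}  # key -> [count, expires_at]

    def incr(self, key, ttl, now):
        entry = self._counters.get(key)
        if entry is None or now >= entry[1]:
            entry = [0, now + ttl]
            self._counters[key] = entry
        entry[0] += 1
        return entry[0]


class RateLimiter:
    """Fixed-window limiter: one counter per client IP and one global counter."""

    def __init__(self, store, per_ip_limit=60, global_limit=5000, window=WINDOW):
        self.store = store
        self.per_ip_limit = per_ip_limit  # requests per IP per window
        self.global_limit = global_limit  # total requests per window (the DDoS cap)
        self.window = window

    def check(self, client_ip, now=None):
        """Return (allowed, headers). Counters are incremented before the decision,
        so over-limit requests still count against the current window."""
        now = time.time() if now is None else now
        bucket = int(now // self.window)               # window id, part of the key
        reset = int((bucket + 1) * self.window - now)  # seconds until the window ends
        ip_count = self.store.incr(f"rl:ip:{client_ip}:{bucket}", self.window, now)
        total = self.store.incr(f"rl:global:{bucket}", self.window, now)
        allowed = ip_count <= self.per_ip_limit and total <= self.global_limit
        # Header names follow the IETF RateLimit header fields draft the comment links to.
        headers = {
            "RateLimit-Limit": str(self.per_ip_limit),
            "RateLimit-Remaining": str(max(self.per_ip_limit - ip_count, 0)),
            "RateLimit-Reset": str(reset),
        }
        if not allowed:
            headers["Retry-After"] = str(reset)  # clients should back off until reset
        return allowed, headers
```

Behind the Nginx proxy the client address must come from the header the proxy itself sets (for example X-Real-IP), never from a client-supplied value, otherwise the per-IP key is chosen by the client and the limit is bypassed.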
