feat(edge): community IP blocklist (Spamhaus DROP) at the gateway
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 24s
CI / ui (pull_request) Successful in 1m11s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m49s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 24s
CI / ui (pull_request) Successful in 1m11s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m49s
Refuse a client whose IP is in a curated CIDR feed with 403 in the same
abuseGuard, before the fail2ban ban. Prod-only (keys by real client IP), off by
default.
- ratelimit.Blocklist: a sorted-range IPv4 matcher (binary search) with an
allowlist checked first; ParseDROP reads the feed; ApplyRefresh keeps the
last-good feed on a transient fetch failure and drops it fail-open once stale
(better to under-block than block a legitimate client on a frozen feed). A
separate static CIDR set, not the per-IP fail2ban store.
- gateway: a refresher goroutine re-fetches every few hours (bounded fetch + size
cap); config GATEWAY_BLOCKLIST_{ENABLED,URL,ALLOW,REFRESH,MAX_STALENESS}.
IPv6 is not matched (a v6 client is still covered by fail2ban / the honeypot).
- observability: gateway_blocklist_blocked_total + entries/age gauges; a Grafana
alert warns before the feed is dropped; service-overview panels.
- deploy: compose env + write-prod-env.sh + prod-deploy/rollback wiring (opt-in
via PROD_ vars).
- docs (ARCHITECTURE, deploy/README); unit tests (match, allowlist, IPv6 skip,
parser, fault-tolerance) + a 403 abuse-guard integration test.
This commit is contained in:
@@ -2,6 +2,7 @@ package connectsrv_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
@@ -24,7 +25,7 @@ const honeypotHeader = "X-Scrabble-Honeypot"
|
||||
|
||||
// guardedEdge wires an edge with an explicit banlist and honeytoken over a fake
|
||||
// backend, returning the front URL, a Connect client and a cleanup func.
|
||||
func guardedEdge(t *testing.T, bl *ratelimit.Banlist, honeytoken string, limits config.RateLimitConfig, backendHandler http.HandlerFunc) (string, edgev1connect.GatewayClient, func()) {
|
||||
func guardedEdge(t *testing.T, bl *ratelimit.Banlist, block *ratelimit.Blocklist, honeytoken string, limits config.RateLimitConfig, backendHandler http.HandlerFunc) (string, edgev1connect.GatewayClient, func()) {
|
||||
t.Helper()
|
||||
backendSrv := httptest.NewServer(backendHandler)
|
||||
backend, err := backendclient.New(backendSrv.URL, "localhost:9090", 2*time.Second)
|
||||
@@ -36,6 +37,7 @@ func guardedEdge(t *testing.T, bl *ratelimit.Banlist, honeytoken string, limits
|
||||
Sessions: session.NewCache(backend, time.Minute, 100),
|
||||
Limiter: ratelimit.New(),
|
||||
Banlist: bl,
|
||||
Blocklist: block,
|
||||
Honeytoken: honeytoken,
|
||||
Hub: push.NewHub(0),
|
||||
RateLimit: limits,
|
||||
@@ -69,7 +71,7 @@ func enabledBanlist(threshold int) *ratelimit.Banlist {
|
||||
func TestAbuseGuardBlocksBannedIP(t *testing.T) {
|
||||
bl := enabledBanlist(100)
|
||||
bl.BanNow("127.0.0.1", ratelimit.ReasonTripwire)
|
||||
url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
|
||||
url, _, cleanup := guardedEdge(t, bl, nil, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
|
||||
defer cleanup()
|
||||
|
||||
resp, err := noRedirect().Get(url + "/")
|
||||
@@ -86,7 +88,7 @@ func TestAbuseGuardBlocksBannedIP(t *testing.T) {
|
||||
// and bans the client IP, so the next request is blocked.
|
||||
func TestHoneypotHeaderTrips(t *testing.T) {
|
||||
bl := enabledBanlist(100)
|
||||
url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
|
||||
url, _, cleanup := guardedEdge(t, bl, nil, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
|
||||
t.Error("backend must not be called for a honeypot hit")
|
||||
})
|
||||
defer cleanup()
|
||||
@@ -118,7 +120,7 @@ func TestHoneypotHeaderTrips(t *testing.T) {
|
||||
// banlist still 404s the decoy (detection/logging) but bans nothing.
|
||||
func TestHoneypotDetectsWithoutBanWhenDisabled(t *testing.T) {
|
||||
bl := ratelimit.NewBanlist(ratelimit.BanConfig{}) // disabled
|
||||
url, _, cleanup := guardedEdge(t, bl, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
|
||||
url, _, cleanup := guardedEdge(t, bl, nil, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
|
||||
defer cleanup()
|
||||
|
||||
req, _ := http.NewRequest(http.MethodGet, url+"/.env", nil)
|
||||
@@ -150,7 +152,7 @@ func TestPublicRejectionStrikesBan(t *testing.T) {
|
||||
bl := enabledBanlist(1)
|
||||
limits := config.DefaultRateLimit()
|
||||
limits.PublicPerMinute, limits.PublicBurst = 1, 1
|
||||
_, client, cleanup := guardedEdge(t, bl, "", limits, func(w http.ResponseWriter, r *http.Request) {
|
||||
_, client, cleanup := guardedEdge(t, bl, nil, "", limits, func(w http.ResponseWriter, r *http.Request) {
|
||||
_, _ = w.Write([]byte(`{"token":"tok","user_id":"u-1","is_guest":true,"display_name":"Guest"}`))
|
||||
})
|
||||
defer cleanup()
|
||||
@@ -173,7 +175,7 @@ func TestUserRejectionDoesNotBan(t *testing.T) {
|
||||
bl := enabledBanlist(1)
|
||||
limits := config.DefaultRateLimit()
|
||||
limits.UserPerMinute, limits.UserBurst = 1, 1
|
||||
_, client, cleanup := guardedEdge(t, bl, "", limits, func(w http.ResponseWriter, r *http.Request) {
|
||||
_, client, cleanup := guardedEdge(t, bl, nil, "", limits, func(w http.ResponseWriter, r *http.Request) {
|
||||
switch r.URL.Path {
|
||||
case "/api/v1/internal/sessions/resolve":
|
||||
_, _ = w.Write([]byte(`{"user_id":"u-1","is_guest":false}`))
|
||||
@@ -202,7 +204,7 @@ func TestUserRejectionDoesNotBan(t *testing.T) {
|
||||
// caller and returns the ordinary invalid-session error without a backend call.
|
||||
func TestHoneytokenBansAndRejects(t *testing.T) {
|
||||
bl := enabledBanlist(100)
|
||||
_, client, cleanup := guardedEdge(t, bl, "s3cr3t-trap", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
|
||||
_, client, cleanup := guardedEdge(t, bl, nil, "s3cr3t-trap", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {
|
||||
t.Error("backend must not be called for the honeytoken")
|
||||
})
|
||||
defer cleanup()
|
||||
@@ -217,3 +219,25 @@ func TestHoneytokenBansAndRejects(t *testing.T) {
|
||||
t.Fatal("the honeytoken must ban the caller")
|
||||
}
|
||||
}
|
||||
|
||||
// TestAbuseGuardBlocksBlocklistedIP verifies a client IP in the community blocklist feed is refused
|
||||
// with 403 at the HTTP layer, before any handler runs.
|
||||
func TestAbuseGuardBlocksBlocklistedIP(t *testing.T) {
|
||||
block := ratelimit.NewBlocklist(true, nil)
|
||||
_, feed, err := net.ParseCIDR("127.0.0.0/8")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
block.SetCIDRs([]*net.IPNet{feed}, time.Now())
|
||||
url, _, cleanup := guardedEdge(t, nil, block, "", config.DefaultRateLimit(), func(w http.ResponseWriter, r *http.Request) {})
|
||||
defer cleanup()
|
||||
|
||||
resp, err := noRedirect().Get(url + "/")
|
||||
if err != nil {
|
||||
t.Fatalf("get: %v", err)
|
||||
}
|
||||
_ = resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusForbidden {
|
||||
t.Fatalf("blocklisted GET / = %d, want 403", resp.StatusCode)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -7,6 +7,8 @@ import (
|
||||
"go.opentelemetry.io/otel/attribute"
|
||||
"go.opentelemetry.io/otel/metric"
|
||||
"go.opentelemetry.io/otel/metric/noop"
|
||||
|
||||
"scrabble/gateway/internal/ratelimit"
|
||||
)
|
||||
|
||||
// meterName scopes the gateway edge's OpenTelemetry instruments.
|
||||
@@ -27,6 +29,7 @@ type serverMetrics struct {
|
||||
edge metric.Float64Histogram
|
||||
rateLimited metric.Int64Counter
|
||||
banned metric.Int64Counter
|
||||
blocklisted metric.Int64Counter
|
||||
active *activeUsers
|
||||
// Client-reported local move-preview adoption (see localEvalMetricsHandler).
|
||||
localColdStart metric.Int64Counter
|
||||
@@ -40,7 +43,7 @@ type serverMetrics struct {
|
||||
// falling back to a no-op histogram on the (rare) construction error. The
|
||||
// active_users gauge is registered as an observable callback over the in-memory
|
||||
// tracker.
|
||||
func newServerMetrics(meter metric.Meter) *serverMetrics {
|
||||
func newServerMetrics(meter metric.Meter, bl *ratelimit.Blocklist) *serverMetrics {
|
||||
if meter == nil {
|
||||
meter = noop.NewMeterProvider().Meter(meterName)
|
||||
}
|
||||
@@ -68,6 +71,8 @@ func newServerMetrics(meter metric.Meter) *serverMetrics {
|
||||
}
|
||||
m := &serverMetrics{
|
||||
edge: h, rateLimited: c, banned: b, active: newActiveUsers(),
|
||||
blocklisted: counterOf(meter, "gateway_blocklist_blocked_total",
|
||||
"Requests refused at the edge by the community IP blocklist (Spamhaus DROP)."),
|
||||
localColdStart: counterOf(meter, "local_eval_cold_start_total", "App cold starts reported by clients — the denominator for local-move-preview adoption."),
|
||||
localDictLoad: counterOf(meter, "local_eval_dict_load_total", "Client dictionary loads for the local move preview, by result (fetched, cache_hit or miss)."),
|
||||
localPreview: counterOf(meter, "local_eval_preview_total", "Client move previews, by path (local on-device, or network fallback)."),
|
||||
@@ -90,6 +95,25 @@ func newServerMetrics(meter metric.Meter) *serverMetrics {
|
||||
return nil
|
||||
}, gauge)
|
||||
}
|
||||
|
||||
// Community blocklist status: the feed size and how stale it is, for the dashboard and the
|
||||
// "feed not refreshing" alert. Age is observed only once a feed has loaded, so a disabled or
|
||||
// never-fetched blocklist reports no age (and entries 0).
|
||||
if bl != nil {
|
||||
entries, e1 := meter.Int64ObservableGauge("gateway_blocklist_entries",
|
||||
metric.WithDescription("CIDR ranges in the active community IP blocklist feed."))
|
||||
age, e2 := meter.Float64ObservableGauge("gateway_blocklist_age_seconds",
|
||||
metric.WithDescription("Seconds since the community IP blocklist feed was last successfully fetched (absent until the first fetch)."))
|
||||
if e1 == nil && e2 == nil {
|
||||
_, _ = meter.RegisterCallback(func(_ context.Context, o metric.Observer) error {
|
||||
o.ObserveInt64(entries, int64(bl.Len()))
|
||||
if last := bl.LastFetch(); !last.IsZero() {
|
||||
o.ObserveFloat64(age, time.Since(last).Seconds())
|
||||
}
|
||||
return nil
|
||||
}, entries, age)
|
||||
}
|
||||
}
|
||||
return m
|
||||
}
|
||||
|
||||
@@ -118,6 +142,11 @@ func (m *serverMetrics) recordBan(ctx context.Context, reason string) {
|
||||
m.banned.Add(ctx, 1, metric.WithAttributes(attribute.String("reason", reason)))
|
||||
}
|
||||
|
||||
// recordBlocklistBlock counts one request refused by the community IP blocklist.
|
||||
func (m *serverMetrics) recordBlocklistBlock(ctx context.Context) {
|
||||
m.blocklisted.Add(ctx, 1)
|
||||
}
|
||||
|
||||
// recordUnsupportedEngine counts one client turned away by the unsupported-engine boot screen,
|
||||
// labelled by reason and Chromium major. The caller passes both already reduced to bounded label
|
||||
// sets (see normalizeUnsupported) so a spoofed beacon cannot explode the metric cardinality.
|
||||
|
||||
@@ -16,7 +16,7 @@ func TestEdgeMetric(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
reader := sdkmetric.NewManualReader()
|
||||
meter := sdkmetric.NewMeterProvider(sdkmetric.WithReader(reader)).Meter("test")
|
||||
m := newServerMetrics(meter)
|
||||
m := newServerMetrics(meter, nil)
|
||||
|
||||
m.recordEdge(ctx, "game.submit_play", "ok", time.Now().Add(-time.Millisecond))
|
||||
m.recordEdge(ctx, "game.submit_play", "ok", time.Now().Add(-time.Millisecond))
|
||||
@@ -74,7 +74,7 @@ func TestRateLimitedMetric(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
reader := sdkmetric.NewManualReader()
|
||||
meter := sdkmetric.NewMeterProvider(sdkmetric.WithReader(reader)).Meter("test")
|
||||
m := newServerMetrics(meter)
|
||||
m := newServerMetrics(meter, nil)
|
||||
|
||||
m.recordRateLimited(ctx, "user")
|
||||
m.recordRateLimited(ctx, "user")
|
||||
@@ -112,7 +112,7 @@ func TestBannedMetric(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
reader := sdkmetric.NewManualReader()
|
||||
meter := sdkmetric.NewMeterProvider(sdkmetric.WithReader(reader)).Meter("test")
|
||||
m := newServerMetrics(meter)
|
||||
m := newServerMetrics(meter, nil)
|
||||
|
||||
m.recordBan(ctx, "tripwire")
|
||||
m.recordBan(ctx, "tripwire")
|
||||
@@ -150,7 +150,7 @@ func TestUnsupportedEngineMetric(t *testing.T) {
|
||||
ctx := context.Background()
|
||||
reader := sdkmetric.NewManualReader()
|
||||
meter := sdkmetric.NewMeterProvider(sdkmetric.WithReader(reader)).Meter("test")
|
||||
m := newServerMetrics(meter)
|
||||
m := newServerMetrics(meter, nil)
|
||||
|
||||
m.recordUnsupportedEngine(ctx, "no_bigint", "66")
|
||||
m.recordUnsupportedEngine(ctx, "no_bigint", "66")
|
||||
|
||||
@@ -77,6 +77,7 @@ type Server struct {
|
||||
limiter *ratelimit.Limiter
|
||||
tracker *ratelimit.Tracker
|
||||
banlist *ratelimit.Banlist
|
||||
blocklist *ratelimit.Blocklist
|
||||
honeytoken string
|
||||
vkAppSecret string
|
||||
hub *push.Hub
|
||||
@@ -109,6 +110,9 @@ type Deps struct {
|
||||
// Banlist enforces temporary IP bans on the hot path; nil selects a disabled
|
||||
// (inert) banlist.
|
||||
Banlist *ratelimit.Banlist
|
||||
// Blocklist enforces the community IP blocklist on the hot path; nil selects a
|
||||
// disabled (inert) blocklist.
|
||||
Blocklist *ratelimit.Blocklist
|
||||
// Honeytoken, when non-empty, is the planted bearer value whose presentation
|
||||
// bans the caller and raises a high-severity alarm.
|
||||
Honeytoken string
|
||||
@@ -148,6 +152,10 @@ func NewServer(d Deps) *Server {
|
||||
if banlist == nil {
|
||||
banlist = ratelimit.NewBanlist(ratelimit.BanConfig{})
|
||||
}
|
||||
blocklist := d.Blocklist
|
||||
if blocklist == nil {
|
||||
blocklist = ratelimit.NewBlocklist(false, nil)
|
||||
}
|
||||
rl := d.RateLimit
|
||||
if rl == (config.RateLimitConfig{}) {
|
||||
rl = config.DefaultRateLimit()
|
||||
@@ -160,12 +168,13 @@ func NewServer(d Deps) *Server {
|
||||
limiter: limiter,
|
||||
tracker: tracker,
|
||||
banlist: banlist,
|
||||
blocklist: blocklist,
|
||||
honeytoken: d.Honeytoken,
|
||||
hub: d.Hub,
|
||||
heartbeat: d.Heartbeat,
|
||||
log: log,
|
||||
adminProxy: d.AdminProxy,
|
||||
metrics: newServerMetrics(d.Meter),
|
||||
metrics: newServerMetrics(d.Meter, blocklist),
|
||||
maxBodyBytes: maxBody,
|
||||
publicPolicy: ratelimit.PerMinute(rl.PublicPerMinute, rl.PublicBurst),
|
||||
userPolicy: ratelimit.PerMinute(rl.UserPerMinute, rl.UserBurst),
|
||||
@@ -255,6 +264,13 @@ func (s *Server) abuseGuard(next http.Handler) http.Handler {
|
||||
http.Error(w, "banned", http.StatusTooManyRequests)
|
||||
return
|
||||
}
|
||||
// The community IP blocklist (Spamhaus DROP): a known-bad source is refused before any work.
|
||||
// Counted, not logged per request (a blocked scanner hammers). Inert on a disabled blocklist.
|
||||
if s.blocklist.Blocked(ip) {
|
||||
s.metrics.recordBlocklistBlock(r.Context())
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
if r.Header.Get(honeypotHeader) != "" {
|
||||
s.log.Warn("honeypot tripwire",
|
||||
zap.String("path", r.URL.Path),
|
||||
|
||||
Reference in New Issue
Block a user