feat(edge): community IP blocklist (Spamhaus DROP) at the gateway
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 24s
CI / ui (pull_request) Successful in 1m11s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m49s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 24s
CI / ui (pull_request) Successful in 1m11s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m49s
Refuse a client whose IP is in a curated CIDR feed with 403 in the same
abuseGuard, before the fail2ban ban. Prod-only (keys by real client IP), off by
default.
- ratelimit.Blocklist: a sorted-range IPv4 matcher (binary search) with an
allowlist checked first; ParseDROP reads the feed; ApplyRefresh keeps the
last-good feed on a transient fetch failure and drops it fail-open once stale
(better to under-block than block a legitimate client on a frozen feed). A
separate static CIDR set, not the per-IP fail2ban store.
- gateway: a refresher goroutine re-fetches every few hours (bounded fetch + size
cap); config GATEWAY_BLOCKLIST_{ENABLED,URL,ALLOW,REFRESH,MAX_STALENESS}.
IPv6 is not matched (a v6 client is still covered by fail2ban / the honeypot).
- observability: gateway_blocklist_blocked_total + entries/age gauges; a Grafana
alert warns before the feed is dropped; service-overview panels.
- deploy: compose env + write-prod-env.sh + prod-deploy/rollback wiring (opt-in
via PROD_ vars).
- docs (ARCHITECTURE, deploy/README); unit tests (match, allowlist, IPv6 skip,
parser, fault-tolerance) + a 403 abuse-guard integration test.
This commit is contained in:
@@ -7,6 +7,8 @@ import (
|
||||
"go.opentelemetry.io/otel/attribute"
|
||||
"go.opentelemetry.io/otel/metric"
|
||||
"go.opentelemetry.io/otel/metric/noop"
|
||||
|
||||
"scrabble/gateway/internal/ratelimit"
|
||||
)
|
||||
|
||||
// meterName scopes the gateway edge's OpenTelemetry instruments.
|
||||
@@ -27,6 +29,7 @@ type serverMetrics struct {
|
||||
edge metric.Float64Histogram
|
||||
rateLimited metric.Int64Counter
|
||||
banned metric.Int64Counter
|
||||
blocklisted metric.Int64Counter
|
||||
active *activeUsers
|
||||
// Client-reported local move-preview adoption (see localEvalMetricsHandler).
|
||||
localColdStart metric.Int64Counter
|
||||
@@ -40,7 +43,7 @@ type serverMetrics struct {
|
||||
// falling back to a no-op histogram on the (rare) construction error. The
|
||||
// active_users gauge is registered as an observable callback over the in-memory
|
||||
// tracker.
|
||||
func newServerMetrics(meter metric.Meter) *serverMetrics {
|
||||
func newServerMetrics(meter metric.Meter, bl *ratelimit.Blocklist) *serverMetrics {
|
||||
if meter == nil {
|
||||
meter = noop.NewMeterProvider().Meter(meterName)
|
||||
}
|
||||
@@ -68,6 +71,8 @@ func newServerMetrics(meter metric.Meter) *serverMetrics {
|
||||
}
|
||||
m := &serverMetrics{
|
||||
edge: h, rateLimited: c, banned: b, active: newActiveUsers(),
|
||||
blocklisted: counterOf(meter, "gateway_blocklist_blocked_total",
|
||||
"Requests refused at the edge by the community IP blocklist (Spamhaus DROP)."),
|
||||
localColdStart: counterOf(meter, "local_eval_cold_start_total", "App cold starts reported by clients — the denominator for local-move-preview adoption."),
|
||||
localDictLoad: counterOf(meter, "local_eval_dict_load_total", "Client dictionary loads for the local move preview, by result (fetched, cache_hit or miss)."),
|
||||
localPreview: counterOf(meter, "local_eval_preview_total", "Client move previews, by path (local on-device, or network fallback)."),
|
||||
@@ -90,6 +95,25 @@ func newServerMetrics(meter metric.Meter) *serverMetrics {
|
||||
return nil
|
||||
}, gauge)
|
||||
}
|
||||
|
||||
// Community blocklist status: the feed size and how stale it is, for the dashboard and the
|
||||
// "feed not refreshing" alert. Age is observed only once a feed has loaded, so a disabled or
|
||||
// never-fetched blocklist reports no age (and entries 0).
|
||||
if bl != nil {
|
||||
entries, e1 := meter.Int64ObservableGauge("gateway_blocklist_entries",
|
||||
metric.WithDescription("CIDR ranges in the active community IP blocklist feed."))
|
||||
age, e2 := meter.Float64ObservableGauge("gateway_blocklist_age_seconds",
|
||||
metric.WithDescription("Seconds since the community IP blocklist feed was last successfully fetched (absent until the first fetch)."))
|
||||
if e1 == nil && e2 == nil {
|
||||
_, _ = meter.RegisterCallback(func(_ context.Context, o metric.Observer) error {
|
||||
o.ObserveInt64(entries, int64(bl.Len()))
|
||||
if last := bl.LastFetch(); !last.IsZero() {
|
||||
o.ObserveFloat64(age, time.Since(last).Seconds())
|
||||
}
|
||||
return nil
|
||||
}, entries, age)
|
||||
}
|
||||
}
|
||||
return m
|
||||
}
|
||||
|
||||
@@ -118,6 +142,11 @@ func (m *serverMetrics) recordBan(ctx context.Context, reason string) {
|
||||
m.banned.Add(ctx, 1, metric.WithAttributes(attribute.String("reason", reason)))
|
||||
}
|
||||
|
||||
// recordBlocklistBlock counts one request refused by the community IP blocklist.
|
||||
func (m *serverMetrics) recordBlocklistBlock(ctx context.Context) {
|
||||
m.blocklisted.Add(ctx, 1)
|
||||
}
|
||||
|
||||
// recordUnsupportedEngine counts one client turned away by the unsupported-engine boot screen,
|
||||
// labelled by reason and Chromium major. The caller passes both already reduced to bounded label
|
||||
// sets (see normalizeUnsupported) so a spoofed beacon cannot explode the metric cardinality.
|
||||
|
||||
Reference in New Issue
Block a user