feat(edge): community IP blocklist (Spamhaus DROP) at the gateway
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 24s
CI / ui (pull_request) Successful in 1m11s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m49s
CI / changes (pull_request) Successful in 2s
CI / unit (pull_request) Successful in 10s
CI / integration (pull_request) Successful in 24s
CI / ui (pull_request) Successful in 1m11s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 1m49s
Refuse a client whose IP is in a curated CIDR feed with 403 in the same
abuseGuard, before the fail2ban ban. Prod-only (keys by real client IP), off by
default.
- ratelimit.Blocklist: a sorted-range IPv4 matcher (binary search) with an
allowlist checked first; ParseDROP reads the feed; ApplyRefresh keeps the
last-good feed on a transient fetch failure and drops it fail-open once stale
(better to under-block than block a legitimate client on a frozen feed). A
separate static CIDR set, not the per-IP fail2ban store.
- gateway: a refresher goroutine re-fetches every few hours (bounded fetch + size
cap); config GATEWAY_BLOCKLIST_{ENABLED,URL,ALLOW,REFRESH,MAX_STALENESS}.
IPv6 is not matched (a v6 client is still covered by fail2ban / the honeypot).
- observability: gateway_blocklist_blocked_total + entries/age gauges; a Grafana
alert warns before the feed is dropped; service-overview panels.
- deploy: compose env + write-prod-env.sh + prod-deploy/rollback wiring (opt-in
via PROD_ vars).
- docs (ARCHITECTURE, deploy/README); unit tests (match, allowlist, IPv6 skip,
parser, fault-tolerance) + a 403 abuse-guard integration test.
This commit is contained in:
@@ -77,6 +77,7 @@ type Server struct {
|
||||
limiter *ratelimit.Limiter
|
||||
tracker *ratelimit.Tracker
|
||||
banlist *ratelimit.Banlist
|
||||
blocklist *ratelimit.Blocklist
|
||||
honeytoken string
|
||||
vkAppSecret string
|
||||
hub *push.Hub
|
||||
@@ -109,6 +110,9 @@ type Deps struct {
|
||||
// Banlist enforces temporary IP bans on the hot path; nil selects a disabled
|
||||
// (inert) banlist.
|
||||
Banlist *ratelimit.Banlist
|
||||
// Blocklist enforces the community IP blocklist on the hot path; nil selects a
|
||||
// disabled (inert) blocklist.
|
||||
Blocklist *ratelimit.Blocklist
|
||||
// Honeytoken, when non-empty, is the planted bearer value whose presentation
|
||||
// bans the caller and raises a high-severity alarm.
|
||||
Honeytoken string
|
||||
@@ -148,6 +152,10 @@ func NewServer(d Deps) *Server {
|
||||
if banlist == nil {
|
||||
banlist = ratelimit.NewBanlist(ratelimit.BanConfig{})
|
||||
}
|
||||
blocklist := d.Blocklist
|
||||
if blocklist == nil {
|
||||
blocklist = ratelimit.NewBlocklist(false, nil)
|
||||
}
|
||||
rl := d.RateLimit
|
||||
if rl == (config.RateLimitConfig{}) {
|
||||
rl = config.DefaultRateLimit()
|
||||
@@ -160,12 +168,13 @@ func NewServer(d Deps) *Server {
|
||||
limiter: limiter,
|
||||
tracker: tracker,
|
||||
banlist: banlist,
|
||||
blocklist: blocklist,
|
||||
honeytoken: d.Honeytoken,
|
||||
hub: d.Hub,
|
||||
heartbeat: d.Heartbeat,
|
||||
log: log,
|
||||
adminProxy: d.AdminProxy,
|
||||
metrics: newServerMetrics(d.Meter),
|
||||
metrics: newServerMetrics(d.Meter, blocklist),
|
||||
maxBodyBytes: maxBody,
|
||||
publicPolicy: ratelimit.PerMinute(rl.PublicPerMinute, rl.PublicBurst),
|
||||
userPolicy: ratelimit.PerMinute(rl.UserPerMinute, rl.UserBurst),
|
||||
@@ -255,6 +264,13 @@ func (s *Server) abuseGuard(next http.Handler) http.Handler {
|
||||
http.Error(w, "banned", http.StatusTooManyRequests)
|
||||
return
|
||||
}
|
||||
// The community IP blocklist (Spamhaus DROP): a known-bad source is refused before any work.
|
||||
// Counted, not logged per request (a blocked scanner hammers). Inert on a disabled blocklist.
|
||||
if s.blocklist.Blocked(ip) {
|
||||
s.metrics.recordBlocklistBlock(r.Context())
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
if r.Header.Get(honeypotHeader) != "" {
|
||||
s.log.Warn("honeypot tripwire",
|
||||
zap.String("path", r.URL.Path),
|
||||
|
||||
Reference in New Issue
Block a user