warpdrive_proxy/middleware/

rate_limit.rs

//! Rate limiting middleware using the governor crate
//!
//! Implements per-IP rate limiting using the GCRA (Generic Cell Rate Algorithm).
//! Returns 429 Too Many Requests when limits are exceeded.
//!
//! # Trusted Sources
//!
//! Requests from trusted IP ranges (set by trusted_ranges middleware) bypass
//! rate limiting entirely. The real client IP (normalized by trusted_ranges)
//! is used for rate limiting instead of the socket IP.

use async_trait::async_trait;
use governor::{
    Quota, RateLimiter,
    clock::{Clock, DefaultClock},
    state::keyed::DefaultKeyedStateStore,
};
use pingora::prelude::*;
use std::net::IpAddr;
use std::num::NonZeroU32;
use std::sync::Arc;
use tracing::{debug, warn};

use super::{Middleware, MiddlewareContext};
use crate::metrics::RATE_LIMIT_REJECTIONS;

/// Rate limiting middleware
///
/// Uses the governor crate's GCRA implementation to enforce rate limits
/// per client IP address. When a client exceeds their rate limit, a 429
/// response is returned immediately without forwarding to the upstream.
pub struct RateLimitMiddleware {
    /// Governor rate limiter (keyed by IP address)
    limiter: Arc<RateLimiter<IpAddr, DefaultKeyedStateStore<IpAddr>, DefaultClock>>,
    /// Whether rate limiting is enabled
    enabled: bool,
}

impl RateLimitMiddleware {
    /// Create a new rate limiting middleware
    ///
    /// # Arguments
    ///
    /// * `enabled` - Whether to enable rate limiting
    /// * `requests_per_sec` - Maximum requests per second per IP
    /// * `burst_size` - Maximum burst size (tokens available immediately)
    ///
    /// # Example
    ///
    /// ```no_run
    /// use warpdrive::middleware::RateLimitMiddleware;
    ///
    /// // Allow 10 req/s with burst of 20
    /// let middleware = RateLimitMiddleware::new(true, 10, 20);
    /// ```
    pub fn new(enabled: bool, requests_per_sec: u32, burst_size: u32) -> Self {
        // Convert to NonZeroU32 for governor
        let rps = NonZeroU32::new(requests_per_sec.max(1)).unwrap();
        let burst = NonZeroU32::new(burst_size.max(1)).unwrap();

        // Create quota: burst_size tokens, refill at requests_per_sec rate
        let quota = Quota::per_second(rps).allow_burst(burst);

        // Create keyed rate limiter (one bucket per IP)
        let limiter = RateLimiter::keyed(quota);

        debug!(
            "Rate limiting initialized: enabled={}, rps={}, burst={}",
            enabled, requests_per_sec, burst_size
        );

        Self {
            limiter: Arc::new(limiter),
            enabled,
        }
    }
}

#[async_trait]
impl Middleware for RateLimitMiddleware {
    async fn request_filter(
        &self,
        session: &mut Session,
        ctx: &mut MiddlewareContext,
    ) -> Result<()> {
        if !self.enabled {
            return Ok(()); // Pass through
        }

        // Skip rate limiting for trusted sources (proxies/CDNs)
        if ctx.trusted_source {
            debug!("Skipping rate limit for trusted source");
            return Ok(());
        }

        // Use real client IP from context (normalized by trusted_ranges middleware)
        let client_ip = ctx.real_client_ip;

        // Check rate limit using governor
        match self.limiter.check_key(&client_ip) {
            Ok(_) => {
                // Request allowed
                debug!("Rate limit check passed for {}", client_ip);
                Ok(()) // Continue to next middleware
            }
            Err(negative) => {
                // Rate limit exceeded
                let retry_after = negative.wait_time_from(DefaultClock::default().now());
                warn!(
                    "Rate limit exceeded for {}: retry after {:?}",
                    client_ip, retry_after
                );

                // Record rate limit rejection metric
                RATE_LIMIT_REJECTIONS
                    .with_label_values(&[&client_ip.to_string()])
                    .inc();

                // Send 429 Too Many Requests using Pingora's respond_error
                session.respond_error(429).await?;

                // Return error to stop further processing
                // Pingora interprets this as "response already sent"
                Err(Error::explain(
                    ErrorType::HTTPStatus(429),
                    format!("Rate limit exceeded for {}", client_ip),
                ))
            }
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_rate_limit_middleware_creation() {
        let middleware = RateLimitMiddleware::new(true, 10, 20);
        assert!(middleware.enabled);
    }

    #[test]
    fn test_rate_limit_middleware_disabled() {
        let middleware = RateLimitMiddleware::new(false, 10, 20);
        assert!(!middleware.enabled);
    }

    #[test]
    fn test_quota_creation() {
        // Ensure we handle edge cases
        let _m1 = RateLimitMiddleware::new(true, 0, 0); // Should default to 1
        let _m2 = RateLimitMiddleware::new(true, 1000, 5000); // High values
    }
}