Different rate limits depending on HTTP method (#5555)

dsotirho-ucsc · dsotirho-ucsc · commit 296a02e55b59 · 2025-05-06T17:59:32.000-07:00
diff --git a/src/azul/__init__.py b/src/azul/__init__.py
@@ -1774,6 +1774,25 @@ def __attrs_post_init__(self):
                                   name='rate_limit_alarm',
                                   value=waf_rate_limit.value * 2)
 
+    #: The rate limit per IP for requests that trigger a manifest generation
+    #:
+    waf_rate_limit_manifests = RateLimit(name='rate_limit_manifests',
+                                         value=10,
+                                         period=10 * 60,
+                                         retry_after=30)
+
+    #: The rate limit for file download requests
+    #:
+    #: We aim for a global limit of 60 file downloads per 10 minutes. Based on
+    #: an observed average of 2.9 distinct IPs concurrently downloading files
+    #: in any 10-minute window, the maximum per-IP request rate we can allow is
+    #: 20/10min, or 10/5min.
+    #:
+    waf_rate_limit_files = RateLimit(name='rate_limit_files',
+                                     value=10,
+                                     period=5 * 60,
+                                     retry_after=30)
+
     @property
     def waf_bot_control(self) -> bool:
         return self._boolean(self.environ['azul_waf_bot_control'])
diff --git a/terraform/api_gateway.tf.json.template.py b/terraform/api_gateway.tf.json.template.py
@@ -2,7 +2,11 @@
     dataclass,
 )
 import importlib
+from itertools import (
+    chain,
+)
 import json
+import logging
 
 from more_itertools import (
     one,
@@ -20,6 +24,9 @@
 from azul.deployment import (
     aws,
 )
+from azul.http import (
+    http_client,
+)
 from azul.modules import (
     load_app_module,
 )
@@ -35,6 +42,8 @@
     JSONs,
 )
 
+log = logging.getLogger(__name__)
+
 
 @dataclass(frozen=True)
 class Application:
@@ -110,6 +119,21 @@ def check_waf_rules(rules: JSONs) -> JSONs:
     return rules
 
 
+def user_ip() -> str:
+    """
+    Return the user's public IP address in CIDR notation.
+    """
+    url = 'https://checkip.amazonaws.com'
+    http = http_client(log)
+    response = http.request('GET', url)
+    if response.status != 200:
+        raise RuntimeError('Unexpected response %s' % url, response.status)
+    else:
+        ip_address = response.data.decode().strip()
+        log.info('Determined IP address: %s', ip_address)
+        return ip_address + '/32'
+
+
 zones_by_domain = {
     domain: Zone.for_domain(domain)
     for app in apps
@@ -147,6 +171,17 @@ def check_waf_rules(rules: JSONs) -> JSONs:
 emit_tf({
     'data': [
         {
+            'aws_nat_gateway': {
+                **{
+                    f'gitlab_{zone}': {
+                        'filter': {
+                            'name': 'tag:Name',
+                            'values': [f'azul-gitlab_{zone}']
+                        },
+                    }
+                    for zone in range(vpc.num_zones)
+                }
+            },
             'aws_route53_zone': {
                 zone.slug: {
                     'name': zone.name,
@@ -223,6 +258,22 @@ def check_waf_rules(rules: JSONs) -> JSONs:
     ],
     'resource': [
         {
+            'aws_wafv2_ip_set': {
+                'it_v4_ips': {
+                    'name': config.qualified_resource_name('it_v4_ips'),
+                    'scope': 'REGIONAL',
+                    'ip_address_version': 'IPV4',
+                    'addresses': list(chain(
+                        [
+                            f'${{data.aws_nat_gateway.gitlab_{zone}.public_ip}}/32'
+                            for zone in range(vpc.num_zones)
+                        ],
+                        [
+                            user_ip(),
+                        ]
+                    ))
+                }
+            },
             'aws_wafv2_web_acl': {
                 'api_gateway': {
                     'name': config.qualified_resource_name('api_gateway'),
@@ -501,7 +552,157 @@ def check_waf_rules(rules: JSONs) -> JSONs:
                                     config.waf_rate_limit_alarm,
                                     config.waf_rate_limit,
                                 ]
-                            ]
+                            ],
+                            {
+                                'name': 'allow_it_requests',
+                                'statement': {
+                                    'and_statement': [
+                                        {
+                                            'statement': [
+                                                {
+                                                    'ip_set_reference_statement': {
+                                                        'arn': '${aws_wafv2_ip_set.%s.arn}' % 'it_v4_ips'
+                                                    }
+                                                },
+                                                {
+                                                    'byte_match_statement': {
+                                                        'field_to_match': {
+                                                            'method': {}
+                                                        },
+                                                        'positional_constraint': 'EXACTLY',
+                                                        'search_string': 'PUT',
+                                                        'text_transformation': {
+                                                            'priority': 0,
+                                                            'type': 'NONE'
+                                                        }
+                                                    }
+                                                },
+                                                {
+                                                    'regex_match_statement': {
+                                                        'regex_string': '^(/fetch)?/manifest/files',
+                                                        'field_to_match': {
+                                                            'uri_path': {}
+                                                        },
+                                                        'text_transformation': {
+                                                            'priority': 0,
+                                                            'type': 'NONE'
+                                                        }
+                                                    }
+                                                }
+                                            ]
+                                        }
+                                    ]
+                                },
+                                'action': {
+                                    'allow': {}
+                                },
+                                'visibility_config': {
+                                    'metric_name': 'allow_it_requests',
+                                    'sampled_requests_enabled': True,
+                                    'cloudwatch_metrics_enabled': True
+                                }
+                            },
+                            {
+                                'name': config.waf_rate_limit_files.name,
+                                'statement': {
+                                    'rate_based_statement': {
+                                        'limit': config.waf_rate_limit_files.value,
+                                        'evaluation_window_sec': config.waf_rate_limit_files.period,
+                                        'aggregate_key_type': 'IP',
+                                        'scope_down_statement': {
+                                            'regex_match_statement': {
+                                                'regex_string': '^(/fetch)?/repository/files',
+                                                'field_to_match': {
+                                                    'uri_path': {}
+                                                },
+                                                'text_transformation': {
+                                                    'priority': 0,
+                                                    'type': 'NONE'
+                                                }
+                                            }
+                                        }
+                                    }
+                                },
+                                'action': {
+                                    'block': {
+                                        'custom_response': {
+                                            'response_code': 429,
+                                            'response_header': [
+                                                {
+                                                    'name': 'Retry-After',
+                                                    'value': str(config.waf_rate_limit_files.retry_after)
+                                                }
+                                            ]
+                                        }
+                                    }
+                                },
+                                'visibility_config': {
+                                    'metric_name': config.waf_rate_limit_files.name,
+                                    'sampled_requests_enabled': True,
+                                    'cloudwatch_metrics_enabled': True
+                                }
+                            },
+                            {
+                                'name': config.waf_rate_limit_manifests.name,
+                                'statement': {
+                                    'rate_based_statement': {
+                                        'limit': config.waf_rate_limit_manifests.value,
+                                        'evaluation_window_sec': config.waf_rate_limit_manifests.period,
+                                        'aggregate_key_type': 'IP',
+                                        'scope_down_statement': {
+                                            'and_statement': [
+                                                {
+                                                    'statement': [
+                                                        {
+                                                            'byte_match_statement': {
+                                                                'field_to_match': {
+                                                                    'method': {}
+                                                                },
+                                                                'positional_constraint': 'EXACTLY',
+                                                                'search_string': 'PUT',
+                                                                'text_transformation': {
+                                                                    'priority': 0,
+                                                                    'type': 'NONE'
+                                                                }
+                                                            }
+                                                        },
+                                                        {
+                                                            'regex_match_statement': {
+                                                                'regex_string': '^(/fetch)?/manifest/files',
+                                                                'field_to_match': {
+                                                                    'uri_path': {}
+                                                                },
+                                                                'text_transformation': {
+                                                                    'priority': 0,
+                                                                    'type': 'NONE'
+                                                                }
+                                                            }
+                                                        }
+                                                    ]
+                                                }
+                                            ]
+                                        }
+                                    }
+                                },
+                                'action': {
+                                    'block': {
+                                        'custom_response': {
+                                            'response_code': 429,
+                                            'response_header': [
+                                                {
+                                                    'name': 'Retry-After',
+                                                    'value': str(config.waf_rate_limit_manifests.retry_after)
+                                                }
+                                            ]
+                                        }
+                                    }
+                                },
+                                'visibility_config': {
+                                    'metric_name': config.waf_rate_limit_manifests.name,
+                                    'sampled_requests_enabled': True,
+                                    'cloudwatch_metrics_enabled': True
+                                }
+                            }
                         ])
                     ]),
                     'scope': 'REGIONAL',
