Add configurable rate limit in production mode (#44)

Signed-off-by: Emiliano Suñé <[email protected]>

docker/.env-example

@@ -4,6 +4,8 @@ APPLICATION_DOMAIN=<your-domain.test> # replace with your domain
 EMAIL_CONTACT=<[email protected]> # email contact to be used for TLS certificate issuance
 #CA_ENDPOINT=https://acme-v02.api.letsencrypt.org/directory
 #QR_CODE_EXPIRY_SECONDS=120
+#RATE_LIMIT_WINDOW=1s
+#RATE_LIMIT_EVENTS=150
 
 #Agent Settings
 AGENT_NAME=Digital Age Verification Service

docker/caddy/Caddyfile

@@ -43,9 +43,12 @@
     # Limit request rate to avoid DDoS attacks
     rate_limit {
         zone dav {
+            match {
+                not path /agent/*
+            }
             key    {remote_host}
-            window 5s
-            events 15
+            window {$RATE_LIMIT_WINDOW}
+            events {$RATE_LIMIT_EVENTS}
         }
     }
 

docker/docker-compose-prod.yaml

@@ -11,6 +11,8 @@ services:
       - AGENT_PORT=8030
       - EMAIL_CONTACT=${EMAIL_CONTACT}
       - CA_ENDPOINT=${CA_ENDPOINT:-https://acme-staging-v02.api.letsencrypt.org/directory}
+      - RATE_LIMIT_WINDOW=${RATE_LIMIT_WINDOW:-1s}
+      - RATE_LIMIT_EVENTS=${RATE_LIMIT_EVENTS:-150}
     volumes:
       - ./caddy/Caddyfile:/etc/caddy/Caddyfile
       - ./caddy/certs:/root/.local/share/caddy/certificates

docs/Docker-for-Production.md

@@ -33,3 +33,7 @@ To start from scratch and delete all existing containers and volumes, run the fo
 ## Production CA Authority
 
 By default, the project is set-up to use LetsEncrypt Staging to obtain SSL certificates: when ready to run in production mode, uncomment the line specifying `CA_ENDPOINT` in the `.env` file and restart your services.
+
+# Rate Limiting
+
+Request rate limiting can be tweaked by using the `RATE_LIMIT_WINDOW` and `RATE_LIMIT_EVENTS` environment variables - see https://github.com/mholt/caddy-ratelimit