Readme update

Added configurable rate limiter
Enable/Disable config API from config
2026-04-30 23:08:40 +08:00 · 2025-07-09 15:22:38 +02:00 · 2025-07-09 15:01:20 +02:00 · 2025-07-04 15:06:05 +02:00
12 changed files with 102 additions and 13 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -128,9 +128,11 @@ dependencies = [
 "log",
 "mimalloc",
 "notify",
+ "once_cell",
 "pingora",
 "pingora-core",
 "pingora-http",
+ "pingora-limits",
 "pingora-proxy",
 "prometheus 0.14.0",
 "rand 0.9.1",
@@ -2085,6 +2087,15 @@ dependencies = [
 "crc32fast",
 ]

+[[package]]
+name = "pingora-limits"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a719a8cb5558ca06bd6076c97b8905d500ea556da89e132ba53d4272844f95b9"
+dependencies = [
+ "ahash",
+]
+
 [[package]]
 name = "pingora-load-balancing"
 version = "0.5.0"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,6 +19,7 @@ dashmap = "7.0.0-rc2"
 pingora-core = "0.5.0"
 pingora-proxy = "0.5.0"
 pingora-http = "0.5.0"
+pingora-limits = "0.5.0"
 #pingora-pool = "0.5.0"
 async-trait = "0.1.88"
 env_logger = "0.11.8"
@@ -48,5 +49,6 @@ lazy_static = "1.5.0"
 x509-parser = "0.17.0"
 rustls-pemfile = "2.2.0"
 tower-http = { version = "0.6.6", features = ["fs"] }
+once_cell = "1.20.2"


--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 - **TLS Termination** — Built-in OpenSSL support.
    - **Automatic load of certificates** — Automatically reads and loads certificates from a folder, without a restart.
 - **Upstreams TLS detection** — Aralez will automatically detect if upstreams uses secure connection.
+- **Built in rate limiter** — Limit requests to server, by setting up upper limit for requests per seconds, per virtualhost.
 - **Authentication** — Supports Basic Auth, API tokens, and JWT verification.
    - **Basic Auth**
    - **API Key** via `x-api-key` header
@@ -87,6 +88,7 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 | **master_key**                   | 5aeff7f9-7b94-447c-af60-e8c488544a3e | Master key for working with API server and JWT Secret generation                                 |
 | **file_server_folder**           | /some/local/folder                   | Optional, local folder to serve                                                                  |
 | **file_server_address**          | 127.0.0.1:3002                       | Optional, Local address for file server. Can set as upstream for public access                   |
+| **config_api_enabled**           | true                                 | Boolean to enable/disable remote config push capability                                          |

 ### 🌐 `upstreams.yaml`

@@ -114,6 +116,24 @@ File names:
 | `aralez-aarch64-musl.gz`  | Static Linux ARM64 binary, without any system dependency      |
 | `aralez-aarch64-glibc.gz` | Dynamic Linux ARM64 binary, with minimal system dependencies  |

+## 💡 Note
+
+In general **glibc** builds are working faster, but have few, basic, system dependencies for example :
+
+```
+	linux-vdso.so.1 (0x00007ffeea33b000)
+	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f09e7377000)
+	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f09e6320000)
+	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f09e613f000)
+	/lib64/ld-linux-x86-64.so.2 (0x00007f09e73b1000)
+```
+
+These are common to any Linux systems, so the binary should work on almost any Linux system.
+
+**musl** builds are 100% portable, static compiled binaries and have zero system depencecies.
+In general musl builds have a little less performance.
+The most intensive tests shows 107k-110k requests per second on **Glibc** binaries against 97k-100k **Musl** ones.
+
 ## 🔌 Running the Proxy

 ```bash
@@ -146,6 +166,7 @@ A sample `upstreams.yaml` entry:
 provider: "file"
 sticky_sessions: false
 to_https: false
+rate_limit: 10
 headers:
  - "Access-Control-Allow-Origin:*"
  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
@@ -176,13 +197,17 @@ myhost.mydomain.com:

 - Sticky sessions are disabled globally. This setting applies to all upstreams. If enabled all requests will be 301 redirected to HTTPS.
 - HTTP to HTTPS redirect disabled globally, but can be overridden by `to_https` setting per upstream.
+- Requests to each hosted domains will be limited to 10 requests per second per virtualhost.
+    - Requests limits are calculated per requester ip plus requested virtualhost.
+    - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
+    - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
 - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
 - Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Aralez.
 - Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`.
 - SSL/TLS for upstreams is detected automatically, no need to set any config parameter.
    - Assuming the `127.0.0.5:8443` is SSL protected. The inner traffic will use TLS.
-    - Self signed certificates are silently accepted.
- Global headers (CORS for this case) will be injected to all upstreams
+    - Self-signed certificates are silently accepted.
+- Global headers (CORS for this case) will be injected to all upstreams.
 - Additional headers will be injected into the request for `myhost.mydomain.com`.
 - You can choose any path, deep nested paths are supported, the best match chosen.
 - All requests to servers will require JWT token authentication (You can comment out the authorization to disable it),
--- a/etc/main.yaml
+++ b/etc/main.yaml
@@ -7,6 +7,7 @@ upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
 pid_file: /tmp/aralez.pid # Path to PID file
 error_log: /tmp/aralez_err.log # Path to error log
 upgrade_sock: /tmp/aralez.sock # Path to socket file
+config_api_enabled: true # Boolean to enable/disable remote config push capability.
 config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
 config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
 config_tls_certificate: etc/server.crt # Mandatory if config_tls_address is set
@@ -20,4 +21,4 @@ upstreams_conf: etc/upstreams.yaml # the location of upstreams file
 log_level: info # info, warn, error, debug, trace, off
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
 hc_interval: 2 #Interval for health checks in seconds
-master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
+master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
--- a/etc/upstreams.yaml
+++ b/etc/upstreams.yaml
@@ -2,6 +2,7 @@
 provider: "file" # consul
 sticky_sessions: false
 to_ssl: false
+#rate_limit: 100
 headers:
  - "Access-Control-Allow-Origin:*"
  - "Access-Control-Allow-Methods:POST, GET, OPTIONS"
--- a/src/utils/discovery.rs
+++ b/src/utils/discovery.rs
@@ -9,6 +9,7 @@ pub struct FromFileProvider {
    pub path: String,
 }
 pub struct APIUpstreamProvider {
+    pub config_api_enabled: bool,
    pub address: String,
    pub masterkey: String,
    pub tls_address: Option<String>,
--- a/src/utils/parceyaml.rs
+++ b/src/utils/parceyaml.rs
@@ -16,6 +16,7 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
            sticky_sessions: false,
            to_https: None,
            authentication: DashMap::new(),
+            rate_limit: None,
        },
    };
    toreturn.upstreams = UpstreamsDashMap::new();
@@ -55,9 +56,9 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
                }
                global_headers.insert("/".to_string(), hl);
                toreturn.headers.insert("GLOBAL_HEADERS".to_string(), global_headers);
-
                toreturn.extraparams.sticky_sessions = parsed.sticky_sessions;
                toreturn.extraparams.to_https = parsed.to_https;
+                toreturn.extraparams.rate_limit = parsed.rate_limit;
            }
            if let Some(auth) = &parsed.authorization {
                let name = auth.get("type").unwrap().to_string();
@@ -67,7 +68,6 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
            } else {
                toreturn.extraparams.authentication = DashMap::new();
            }
-
            match parsed.provider.as_str() {
                "file" => {
                    toreturn.typecfg = "file".to_string();
--- a/src/utils/structs.rs
+++ b/src/utils/structs.rs
@@ -19,6 +19,7 @@ pub struct Extraparams {
    pub sticky_sessions: bool,
    pub to_https: Option<bool>,
    pub authentication: DashMap<String, Vec<String>>,
+    pub rate_limit: Option<isize>,
 }

 #[derive(Clone, Debug, Serialize, Deserialize)]
@@ -37,11 +38,13 @@ pub struct Config {
    pub headers: Option<Vec<String>>,
    pub authorization: Option<HashMap<String, String>>,
    pub consul: Option<Consul>,
+    pub rate_limit: Option<isize>,
 }

 #[derive(Debug, Serialize, Deserialize)]
 pub struct HostConfig {
    pub paths: HashMap<String, PathConfig>,
+    pub rate_limit: Option<isize>,
 }

 #[derive(Debug, Serialize, Deserialize)]
@@ -49,6 +52,7 @@ pub struct PathConfig {
    pub servers: Vec<String>,
    pub to_https: Option<bool>,
    pub headers: Option<Vec<String>>,
+    pub rate_limit: Option<isize>,
 }
 #[derive(Debug)]
 pub struct Configuration {
@@ -68,6 +72,7 @@ pub struct AppConfig {
    pub master_key: String,
    pub config_address: String,
    pub proxy_address_http: String,
+    pub config_api_enabled: bool,
    pub config_tls_address: Option<String>,
    pub config_tls_certificate: Option<String>,
    pub config_tls_key_file: Option<String>,
--- a/src/web/bgservice.rs
+++ b/src/web/bgservice.rs
@@ -36,6 +36,7 @@ impl BackgroundService for LB {
        let api_load = APIUpstreamProvider {
            address: self.config.config_address.clone(),
            masterkey: self.config.master_key.clone(),
+            config_api_enabled: self.config.config_api_enabled.clone(),
            tls_address: self.config.config_tls_address.clone(),
            tls_certificate: self.config.config_tls_certificate.clone(),
            tls_key_file: self.config.config_tls_key_file.clone(),
@@ -66,6 +67,7 @@ impl BackgroundService for LB {
                            new.sticky_sessions = ss.extraparams.sticky_sessions;
                            new.to_https = ss.extraparams.to_https;
                            new.authentication = ss.extraparams.authentication.clone();
+                            new.rate_limit = ss.extraparams.rate_limit;
                            self.extraparams.store(Arc::new(new));
                            self.headers.clear();

--- a/src/web/proxyhttp.rs
+++ b/src/web/proxyhttp.rs
@@ -6,13 +6,16 @@ use arc_swap::ArcSwap;
 use async_trait::async_trait;
 use axum::body::Bytes;
 use log::{debug, warn};
+use once_cell::sync::Lazy;
 use pingora::http::{RequestHeader, ResponseHeader, StatusCode};
 use pingora::prelude::*;
 use pingora::ErrorSource::Upstream;
 use pingora_core::listeners::ALPN;
 use pingora_core::prelude::HttpPeer;
+use pingora_limits::rate::Rate;
 use pingora_proxy::{ProxyHttp, Session};
 use std::sync::Arc;
+use std::time::Duration;
 use tokio::time::Instant;

 #[derive(Clone)]
@@ -30,7 +33,12 @@ pub struct Context {
    to_https: bool,
    redirect_to: String,
    start_time: Instant,
+    hostname: Option<String>,
 }
+// Rate limiter
+static RATE_LIMITER: Lazy<Rate> = Lazy::new(|| Rate::new(Duration::from_secs(1)));
+// max request per second per client
+// static MAX_REQ_PER_SEC: isize = 1;

 #[async_trait]
 impl ProxyHttp for LB {
@@ -41,6 +49,7 @@ impl ProxyHttp for LB {
            to_https: false,
            redirect_to: String::new(),
            start_time: Instant::now(),
+            hostname: None,
        }
    }
    async fn request_filter(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<bool> {
@@ -52,11 +61,32 @@ impl ProxyHttp for LB {
                return Ok(true);
            }
        };
+
+        let hostname = return_header_host(&session);
+        _ctx.hostname = hostname.clone();
+        if let Some(rate) = self.extraparams.load().rate_limit {
+            match hostname {
+                None => return Ok(false),
+                Some(host) => {
+                    let curr_window_requests = RATE_LIMITER.observe(&host, 1);
+                    if curr_window_requests > rate {
+                        let mut header = ResponseHeader::build(429, None).unwrap();
+                        header.insert_header("X-Rate-Limit-Limit", rate.to_string()).unwrap();
+                        header.insert_header("X-Rate-Limit-Remaining", "0").unwrap();
+                        header.insert_header("X-Rate-Limit-Reset", "1").unwrap();
+                        session.set_keepalive(None);
+                        session.write_response_header(Box::new(header), true).await?;
+                        debug!("Rate limited: {:?}, {}", session.client_addr(), rate);
+                        return Ok(true);
+                    }
+                }
+            };
+        }
        Ok(false)
    }
    async fn upstream_peer(&self, session: &mut Session, ctx: &mut Self::CTX) -> Result<Box<HttpPeer>> {
-        let host_name = return_header_host(&session);
-        match host_name {
+        // let host_name = return_header_host(&session);
+        match ctx.hostname.as_ref() {
            Some(hostname) => {
                let mut backend_id = None;

@@ -84,7 +114,7 @@ impl ProxyHttp for LB {
                            peer.options.alpn = ALPN::H2;
                        }
                        if ssl {
-                            peer.sni = hostname.to_string();
+                            peer.sni = hostname.clone();
                            peer.options.verify_cert = false;
                            peer.options.verify_hostname = false;
                        }
@@ -172,7 +202,8 @@ impl ProxyHttp for LB {
            redirect_response.insert_header("Content-Length", "0")?;
            session.write_response_header(Box::new(redirect_response), false).await?;
        }
-        match return_header_host(&session) {
+        // match return_header_host(&session) {
+        match ctx.hostname.as_ref() {
            Some(host) => {
                let path = session.req_header().uri.path();
                let host_header = host;
@@ -215,17 +246,17 @@ impl ProxyHttp for LB {
    }
 }

-fn return_header_host(session: &Session) -> Option<&str> {
+fn return_header_host(session: &Session) -> Option<String> {
    if session.is_http2() {
        match session.req_header().uri.host() {
-            Some(host) => Option::from(host),
+            Some(host) => Option::from(host.to_string()),
            None => None,
        }
    } else {
        match session.req_header().headers.get("host") {
            Some(host) => {
                let header_host = host.to_str().unwrap().splitn(2, ':').collect::<Vec<&str>>();
-                Option::from(header_host[0])
+                Option::from(header_host[0].to_string())
            }
            None => None,
        }
--- a/src/web/start.rs
+++ b/src/web/start.rs
@@ -33,6 +33,7 @@ pub fn run() {
        sticky_sessions: false,
        to_https: None,
        authentication: DashMap::new(),
+        rate_limit: None,
    }));

    let cfg = Arc::new(maincfg);
--- a/src/web/webserver.rs
+++ b/src/web/webserver.rs
@@ -35,6 +35,7 @@ struct OutToken {
 struct AppState {
    master_key: String,
    config_sender: Sender<Configuration>,
+    config_api_enabled: bool,
 }

 #[allow(unused_mut)]
@@ -42,6 +43,7 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
    let app_state = AppState {
        master_key: config.masterkey.clone(),
        config_sender: to_return.clone(),
+        config_api_enabled: config.config_api_enabled.clone(),
    };

    let app = Router::new()
@@ -81,8 +83,15 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
 }

 async fn conf(State(mut st): State<AppState>, Query(params): Query<HashMap<String, String>>, content: String) -> impl IntoResponse {
+    if !st.config_api_enabled {
+        return Response::builder()
+            .status(StatusCode::FORBIDDEN)
+            .body(Body::from("Config remote API is disabled !\n"))
+            .unwrap();
+    }
+
    if let Some(s) = params.get("key") {
-        if s.to_owned() == st.master_key.to_owned() {
+        if s.to_owned() == st.master_key {
            if let Some(serverlist) = crate::utils::parceyaml::load_configuration(content.as_str(), "content") {
                st.config_sender.send(serverlist).await.unwrap();
                return Response::builder().status(StatusCode::OK).body(Body::from("Config, conf file, updated !\n")).unwrap();
Author	SHA1	Message	Date
Ara Sadoyan	21e1276ff5	Readme update	2025-07-09 15:22:38 +02:00
Ara Sadoyan	8463cdabbc	Added configurable rate limiter	2025-07-09 15:01:20 +02:00
Ara Sadoyan	d0e4b52ce6	Enable/Disable config API from config	2025-07-04 15:06:05 +02:00