feat(proxy): rate limiter + insecure-bind warning#16
Merged
Conversation
- Add a global fixed-window rate limiter (100 req/s) as axum middleware to shed unauthenticated request floods before they reach HMAC verification (a CPU-DoS vector even though forgery is infeasible). Decision logic is extracted to a pure rate_check() with unit tests.
- Warn loudly when binding plain HTTP to a non-loopback address without ALLOW_INSECURE=true (containment traffic would be cleartext with no proxy in front). Non-breaking: it warns, it does not refuse, so the supported plain-HTTP-behind-reverse-proxy deployment still works.
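A stand-alone sketch of the two pieces the description names, written as an added example rather than taken from this PR: a pure fixed-window `rate_check()` that the middleware would call under its mutex, replayed over constructed request timelines to show both the normal shedding behaviour and the window-boundary burst a fixed window lets through, plus the non-loopback bind check with parse failures deliberately treated as non-loopback. The `Window` struct, `allowed_count()` and `should_warn_insecure_bind()` are names chosen here; the PR's real signatures may differ.

```rust
use std::net::SocketAddr;
use std::time::{Duration, Instant};

/// Fixed-window limiter state: start of the current window and the number of
/// requests admitted in it. Hypothetical stand-in for the PR's `(Instant, u32)`.
#[derive(Debug, Clone, Copy)]
pub struct Window {
    pub start: Instant,
    pub count: u32,
}

/// Pure decision function: no locking, no clock, no I/O, so it is unit-testable.
/// Returns (allowed, updated state). The middleware holds the Mutex and calls this.
pub fn rate_check(state: Window, now: Instant, window: Duration, limit: u32) -> (bool, Window) {
    // Window elapsed: open a fresh one starting at `now` with a zeroed counter.
    let mut w = if now.duration_since(state.start) >= window {
        Window { start: now, count: 0 }
    } else {
        state
    };
    if w.count < limit {
        w.count += 1;
        (true, w)
    } else {
        // Over budget: shed the request; the counter saturates at `limit`.
        (false, w)
    }
}

/// Replay request arrival offsets (milliseconds after t0, constructed input)
/// through the limiter and return how many were admitted.
pub fn allowed_count(offsets_ms: &[u64], window: Duration, limit: u32) -> usize {
    let t0 = Instant::now();
    let mut w = Window { start: t0, count: 0 };
    let mut allowed = 0;
    for &ms in offsets_ms {
        let (ok, next) = rate_check(w, t0 + Duration::from_millis(ms), window, limit);
        w = next;
        if ok {
            allowed += 1;
        }
    }
    allowed
}

/// True when plain HTTP on `bind_addr` should trigger the insecure-bind warning:
/// the address is not loopback and the operator did not opt in.
/// A `bind_addr` that does not parse (e.g. a hostname like `localhost:8080`)
/// counts as non-loopback on purpose, so the warning errs toward firing.
pub fn should_warn_insecure_bind(bind_addr: &str, allow_insecure: bool) -> bool {
    let is_loopback = bind_addr
        .parse::<SocketAddr>()
        .map(|a| a.ip().is_loopback())
        .unwrap_or(false);
    !is_loopback && !allow_insecure
}

fn main() {
    let window = Duration::from_secs(1);
    // 100 requests 1 ms before the window rolls over, 100 right after it:
    // a fixed window admits all 200 within ~1 ms (twice the nominal limit).
    let boundary: Vec<u64> = std::iter::repeat(999)
        .take(100)
        .chain(std::iter::repeat(1000).take(100))
        .collect();
    println!("boundary burst: {} of 200 admitted", allowed_count(&boundary, window, 100));
    println!("warn for 0.0.0.0:8080 -> {}", should_warn_insecure_bind("0.0.0.0:8080", false));
    println!("warn for 127.0.0.1:8080 -> {}", should_warn_insecure_bind("127.0.0.1:8080", false));
}
```

The boundary replay is the caveat worth knowing before relying on a fixed window for CPU protection: the effective ceiling is 2x the configured limit over a short interval around each reset. A sliding window or token bucket closes that gap if it matters for the HMAC-verification cost the PR is guarding.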
Pull request overview
Adds a global request-rate shedding mechanism and improves operator visibility for potentially unsafe plain-HTTP deployments.
Changes:
- Introduces a global fixed-window rate limiter (100 req/s) implemented as Axum middleware, with logic extracted into rate_check() plus unit tests.
- Adds a warning when binding plain HTTP to a non-loopback address unless ALLOW_INSECURE=true.
Comment on lines +99 to +102
| /// Fixed-window global rate-limit counter: (window start, count in | ||
| /// window). Shared across handlers to shed request floods. See | ||
| /// `rate_limit` / `rate_check`. | ||
| rate: Arc<Mutex<(Instant, u32)>>, |
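Review bot: the doc comment on `rate` should spell out that the counter is global, not per-client, and name the window length: with one shared `(Instant, u32)` a single flooding source uses up the whole 100 req/s budget, so every legitimate client is shed along with the attacker; the limiter buys CPU protection at the cost of availability rather than isolating the offender. The fixed-window boundary effect also belongs in the comment, since up to twice the limit can pass within a few milliseconds around a window reset. A line such as `/// Global, not per-peer: a flood from one source sheds everyone.` makes the trade-off explicit for the next reader.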
Comment on lines 500 to +504
| let app = Router::new() | ||
| .route("/health", get(health)) | ||
| .route("/execute", post(execute)) | ||
| .route("/audit/export", get(export_audit)) | ||
| .layer(middleware::from_fn_with_state(state.clone(), rate_limit)) |
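Review bot: `.layer(...)` placed after the `.route(...)` calls wraps every route registered above it, so `/health` is rate limited as well; during a flood, liveness probes from an orchestrator or load balancer will be shed together with the attack traffic and may trigger restarts or pull the instance out of rotation, which amplifies the DoS the limiter is meant to absorb. If that is not intended, scope the limiter to `/execute` and `/audit/export` (for example with `route_layer` on a sub-router holding only those routes) and leave `/health` outside it; if it is intended, a comment saying so would save the next reader the question.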
Comment on lines +539 to +542
| let is_loopback = bind_addr | ||
| .parse::<std::net::SocketAddr>() | ||
| .map(|a| a.ip().is_loopback()) | ||
| .unwrap_or(false); |
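Review bot: the `.unwrap_or(false)` deserves a comment: when `bind_addr` does not parse as a `SocketAddr` (a hostname such as `localhost:8080`, or a value without a port) it is treated as non-loopback and the warning fires. That is the right direction, failing toward the warning, but it reads like a bug without the explanation. Note also that `is_loopback()` is exact (`127.0.0.0/8` for IPv4, `::1` for IPv6), so an IPv4-mapped bind like `[::ffff:127.0.0.1]:port` is reported as non-loopback and warned about; acceptable, but worth stating next to the check.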
rate_check() + 2 unit tests. ALLOW_INSECURE=true (non-breaking). cargo test: 19 passed (+2), cargo fmt --check + clippy -D warnings clean. No CI configured on this repo — verified locally. (Audit-chain Python/Rust parity is deferred — it touches the tamper-evidence chain and needs shared test vectors.)
🤖 Generated with Claude Code