defense-cr / defense
A Crystal HTTP handler for throttling, blocking and tracking malicious requests.
Hi

Is the documentation correct, e.g.

```crystal
Defense.throttle("throttle requests per minute except localhost", limit: 10, period: 60) do |request|
  return nil if request.remote_address == "127.0.0.1"
  request.remote_address
end
```

In Crystal 0.35.1, `request.remote_address` seems to return a type `RemoteAddressType` and not a `String`.
Or maybe this example expects a different subclass of `Address`.
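One way to write the discriminator so it copes with `remote_address` being a `Socket::Address`, a legacy `"ip:port"` `String`, or `nil` (added example, not from the shard's docs; it assumes `Defense.throttle` expects the block to return a `String?` key, as the documented snippet does, and uses `next` rather than `return`, since `return` inside a block returns from the enclosing method):

```crystal
require "socket"
require "http"
require "defense"

# Assumption: loopback clients are exempt from throttling, as in the docs.
LOOPBACK = {"127.0.0.1", "::1"}

# Normalise whatever `remote_address` returns into a plain IP string.
# Non-IP addresses (e.g. UNIX sockets) yield nil, which Defense treats as "no match".
def client_ip(request : HTTP::Request) : String?
  addr = request.remote_address
  case addr
  when Socket::IPAddress
    addr.address
  when String
    # Legacy "ip:port" form; rpartition keeps IPv6 literals such as "::1" intact.
    addr.rpartition(':')[0]
  else
    nil
  end
end

Defense.throttle("throttle requests per minute except localhost", limit: 10, period: 60) do |request|
  ip = client_ip(request)
  # `next`, not `return`: yield nil from the block to skip throttling for this request.
  next nil if ip.nil? || LOOPBACK.includes?(ip)
  ip
end
```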
I was getting connection errors using this shard in a Lucky framework app:

```
Connection closed (IO::Error)
  from /tmp/lucky/lib/redis/src/parser.cr:23:14 in 'read'
  from /tmp/lucky/lib/redis/src/connection.cr:419:20 in 'read'
  from /tmp/lucky/lib/redis/src/pipeline.cr:27:30 in 'commit'
  from /tmp/lucky/lib/redis/src/connection.cr:91:16 in 'increment'
  from /tmp/lucky/lib/defense/src/defense/throttle.cr:12:15 in 'matched_by?'
  from /tmp/lucky/lib/defense/src/defense.cr:81:7 in 'throttled?'
  from /tmp/lucky/lib/defense/src/defense/handler.cr:15:13 in 'call'
  from /usr/share/crystal/src/http/server/handler.cr:30:7 in 'call_next'
  from /tmp/lucky/lib/lucky/src/lucky/error_handler.cr:15:5 in 'call'
  # ...
```
I traced this down to this line of code: `defense/src/defense/redis_store.cr`, line 18 in 4fcb71e.

In the jgaskins/redis shard, the `#pipeline` command is never retried if it fails, so it is generally unreliable. I fixed this by replacing `#pipeline` with `#multi`:

```crystal
# ...
def increment(unprefixed_key : String, expires_in : Int32) : Int64
  key = prefix_key(unprefixed_key)
  # Run INCR and EXPIRE atomically in a MULTI/EXEC transaction.
  @redis.multi do |redis| # <= Using `#multi` instead
    redis.incr(key)
    redis.expire(key, expires_in)
  end.first.as(Int64) # first reply is the INCR result
end
# ...
```
It has been a few days and I have not had this error since. It used to happen practically daily, taking the app offline. I had to restart the app to get it to work again.
I think this shard can be taken a bit further by allowing it to digest things like Snort rules (Intrusion Prevention System).
This will give users the ability to almost automatically filter most common web attacks.
Also, a good list is https://github.com/client9/libinjection
Crystal uses a version format which starts with a `v`, so it can be installed properly with shards:

```yaml
dependencies:
  defense:
    github: defense-cr/defense
    version: 0.2.0
```

Which now resolves in an error:

```
Fetching https://github.com/defense-cr/defense.git
Failed git ls-tree -r --full-tree --name-only v0.2.0 -- shard.yml (). Maybe a commit, branch or file doesn't exist?
```