Gatekeeper is a rate limiting service and CLI
MIT License
The service is designed to combat password brute-forcing during authorization in any system. The service is called before the user is authorized and can either allow or block the attempt. It is assumed that the service is used only for server-to-server communication, i.e. it is hidden from the end user.
The service limits the frequency of authorization attempts for different combinations of parameters, for example:
RATE_LOGIN = 10 attempts per minute for this login.
RATE_PASSWORD = 100 attempts per minute for a given password (protection against reverse brute-force).
RATE_IP = 1000 attempts per minute for a given IP (a large number, because NAT).
White/black lists contain lists of network addresses, which are handled in a simpler way. If the incoming IP is in the whitelist, the service unconditionally allows authorization (ok=true); if it is in the blacklist, the service rejects it (ok=false).
It uses the time/rate package, which implements the token bucket algorithm.
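An added example (not Gatekeeper's own code) of the per-login, per-password and per-IP buckets described above, showing how the password bucket stops one password being tried across many logins. It assumes a hand-written token bucket in place of time/rate so that it runs on the standard library alone, leaves out the white/black list check, and the names Limiter, NewLimiter, Allow and take are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"time"
)

type bucket struct { // token bucket: holds at most rate tokens, refilled at rate per minute
	tokens float64
	last   time.Time
}

type Limiter struct { // hypothetical type for this example, not the service's own
	Rates   map[string]float64 // attempts per minute for "login", "password", "ip"
	buckets map[[32]byte]*bucket
}

func NewLimiter(login, password, ip float64) *Limiter {
	return &Limiter{Rates: map[string]float64{"login": login, "password": password, "ip": ip}, buckets: map[[32]byte]*bucket{}}
}

func (l *Limiter) take(kind, val string, now time.Time) bool {
	key := sha256.Sum256([]byte(kind + "\x00" + val)) // no plaintext passwords as map keys
	b, rate := l.buckets[key], l.Rates[kind]
	if b == nil {
		b = &bucket{rate, now}
		l.buckets[key] = b
	}
	b.tokens, b.last = math.Min(rate, b.tokens+now.Sub(b.last).Minutes()*rate), now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Allow returns ok for one attempt; all three buckets are charged even when one refuses.
func (l *Limiter) Allow(login, password, ip string, now time.Time) bool {
	okL, okP, okIP := l.take("login", login, now), l.take("password", password, now), l.take("ip", ip, now)
	return okL && okP && okIP
}

func main() { // constructed input: one password tried against 101 different logins
	l, now := NewLimiter(10, 100, 1000), time.Now()
	for i := 0; i <= 100; i++ {
		fmt.Println(i, l.Allow(fmt.Sprintf("user%d", i), "constructed-pw", "203.0.113.7", now))
	}
}
```

With the default rates, the first 100 attempts print true and the last prints false, although no single login has been tried more than once.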
Request:
Response:
Must clear the bucket(s) corresponding to the passed login.
Must clear the bucket(s) corresponding to the passed ip.
A command-line interface has been developed for manual administration of the service. The CLI allows you to reset a bucket and manage the whitelist/blacklist. The CLI works through the gRPC interface.
The service is configured through environment variables:
RATE_LOGIN - number of login attempts per minute, default value: 10
RATE_PASSWORD - number of authorization attempts per minute for password, default value: 100
RATE_IP - number of authorization attempts per minute for IP, default value: 1000
HOST - host on which the service will run, default value: 0.0.0.0
PORT - port on which the service will run, default value: 50051
LOGGER_LEVEL - logging level, possible values: DEBUG, INFO, WARN, ERRORS, PANIC, DPANIC, FATAL, default value: INFO
LOGGER_FILE - the name of the file that logs are written to, default value: develop.log
For configuration, it is advisable to use the file .env in the root of the project.
To start or stop the service, run the commands in the project directory:
make up - start the service
make down - stop the service
When you start a build in Docker, Prometheus comes up as well. To access Prometheus, go to: http://localhost:9090. View status: http://localhost:9090/targets