Throttle resume / internal hello.

This commit is contained in:
Joachim Bauch 2024-05-14 14:25:08 +02:00
parent e862392872
commit 4c807c86e8
No known key found for this signature in database
GPG key ID: 77C1D22D53E15F02

27
hub.go
View file

@ -63,6 +63,7 @@ var (
NoSuchSession = NewError("no_such_session", "The session to resume does not exist.")
TokenNotValidYet = NewError("token_not_valid_yet", "The token is not valid yet.")
TokenExpired = NewError("token_expired", "The token is expired.")
TooManyRequests = NewError("too_many_requests", "Too many requests.")
// Maximum number of concurrent requests to a backend.
defaultMaxConcurrentRequestsPerHost = 8
@ -1134,8 +1135,19 @@ func (h *Hub) tryProxyResume(c HandlerClient, resumeId string, message *ClientMe
}
func (h *Hub) processHello(client HandlerClient, message *ClientMessage) {
ctx := context.TODO()
resumeId := message.Hello.ResumeId
if resumeId != "" {
throttle, err := h.throttler.CheckBruteforce(ctx, client.RemoteAddr(), "HelloResume")
if err == ErrBruteforceDetected {
client.SendMessage(message.NewErrorServerMessage(TooManyRequests))
return
} else if err != nil {
log.Printf("Error checking for bruteforce: %s", err)
client.SendMessage(message.NewWrappedErrorServerMessage(err))
return
}
data := h.decodeSessionId(resumeId, privateSessionName)
if data == nil {
statsHubSessionResumeFailed.Inc()
@ -1143,6 +1155,7 @@ func (h *Hub) processHello(client HandlerClient, message *ClientMessage) {
return
}
throttle(ctx)
client.SendMessage(message.NewErrorServerMessage(NoSuchSession))
return
}
@ -1156,6 +1169,7 @@ func (h *Hub) processHello(client HandlerClient, message *ClientMessage) {
return
}
throttle(ctx)
client.SendMessage(message.NewErrorServerMessage(NoSuchSession))
return
}
@ -1376,18 +1390,31 @@ func (h *Hub) processHelloInternal(client HandlerClient, message *ClientMessage)
return
}
ctx := context.TODO()
throttle, err := h.throttler.CheckBruteforce(ctx, client.RemoteAddr(), "HelloInternal")
if err == ErrBruteforceDetected {
client.SendMessage(message.NewErrorServerMessage(TooManyRequests))
return
} else if err != nil {
log.Printf("Error checking for bruteforce: %s", err)
client.SendMessage(message.NewWrappedErrorServerMessage(err))
return
}
// Validate internal connection.
rnd := message.Hello.Auth.internalParams.Random
mac := hmac.New(sha256.New, h.internalClientsSecret)
mac.Write([]byte(rnd)) // nolint
check := hex.EncodeToString(mac.Sum(nil))
if len(rnd) < minTokenRandomLength || check != message.Hello.Auth.internalParams.Token {
throttle(ctx)
client.SendMessage(message.NewErrorServerMessage(InvalidToken))
return
}
backend := h.backend.GetBackend(message.Hello.Auth.internalParams.parsedBackend)
if backend == nil {
throttle(ctx)
client.SendMessage(message.NewErrorServerMessage(InvalidBackendUrl))
return
}