Configuration - Traffic
Eicrud provides various ways to limit traffic to your application.
export class WatchTrafficOptions{
maxTrackedUsers: number = 10000;
maxTrackedIPs: number = 10000;
userRequestsThreshold: number = 350;
ipRequestsThreshold: number = 700;
totalTimeoutThreshold: number = 5;
timeoutDurationMinutes: number = 15;
useForwardedIp: boolean = false;
ddosProtection: boolean = false;
userTrafficProtection: boolean = true;
userTrafficCache: TrafficCache = null;
ipTrafficCache: TrafficCache = null;
ipTimeoutCache: TrafficCache = null;
}
import { WatchTrafficOptions } from '@eicrud/core/authentication'
const watchTrafficOptions = new WatchTrafficOptions();
@Injectable()
export class MyConfigService extends CrudConfigService {
constructor(/* ... */) {
super({ watchTrafficOptions, /* ... */})
}
//..
}
Watch user traffic
Activate with userTrafficProtection
(defaults to true
).
Limit user traffic to userRequestsThreshold
request every 5 min. Exceeding that limit will trigger an incident (onHighTrafficEvent).
Note
Traffic incidents lower the user's trust score.
After totalTimeoutThreshold
incidents, the user will be timed out for timeoutDurationMinutes
* user.timeoutCount
on each consecutive incident.
If you want a specific user to bypass these limits, you can set CrudRole->allowedTrafficMultiplier
to x (is allowed the traffic of x users).
maxTrackedUsers
indicates how many users your application will track in its RAM cache (users with lower traffic are deleted first).
DDOS Protection
Activate with ddosProtection
(defaults to false
).
After exceeding ipRequestsThreshold
requests in 5 minutes, IP will be timed out for timeoutDurationMinutes
.
maxTrackedIPs
indicates how many IPs your application will track in its RAM cache (IPs with lower traffic are deleted first).
useForwardedIp
indicates if the value from the x-forwarded-for
header should be used instead of the request IP.
Warning
If your application is behind a reverse proxy or a load balancer, all incoming requests will have the same IP address. To avoid any issues make sure to set the x-forwarded-for
header in your proxy and to use the useForwardedIp
option.
Note
Some internet provider may group their client under common IPs, leading to false positives. You should consider other DDOS protection services as your application grows. This protection is rudimentary and only suitable for low-traffic applications.
Distributed Cache
Tracked users and IPs are cached on RAM by default. You can use a distributed cache of your choice by setting userTrafficCache
, ipTrafficCache
and ipTimeoutCache
.
The caches must implement the TrafficCache
interface.
export interface TrafficCache {
get: (key: string) => Promise<any>;
set: (key: string, value: any) => Promise<any>;
inc: (key: string, increment: number, currentValue: number) => Promise<any>;
}
userTrafficCache
and ipTrafficCache
must clear themselves every 5 min.
Note
If your application's entry consists of multiple instances, caching in RAM will make traffic protections ineffective. Consider using a distributed cache to make it work.