From 89f1e6d7df751c0f3da2a0f85d8d5f1448305e84 Mon Sep 17 00:00:00 2001
From: Wade Barnes
Date: Wed, 26 Apr 2023 07:37:51 -0700
Subject: [PATCH] Add support for rate limiting
Signed-off-by: Wade Barnes
---
 docker/Dockerfile | 9 +++++++++
 docker/config/Caddyfile | 7 ++++++-
 docker/docker-compose.yml | 6 +++++-
 docker/manage | 4 ++++
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index e271fe1..00340a5 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,4 +1,5 @@
 ARG build_image=node:fermium
+ARG caddy_builder_image=caddy:builder-alpine
 ARG runtime_image=caddy:alpine
 # build stage
@@ -9,9 +10,17 @@ RUN npm install
 COPY . .
 RUN npm run build
+# caddy build stage
+FROM ${caddy_builder_image} as caddy-build-stage
+
+# Install ratelimit/v0.2.0
+RUN xcaddy build \ --with github.com/RussellLuo/caddy-ext/ratelimit@3497b19617f19deca8a4a625a93d2b774bb0dd29
 # production stage
 FROM ${runtime_image} as production-stage
+
+COPY --from=caddy-build-stage /usr/bin/caddy /usr/bin/caddy
 COPY --from=build-stage /app/dist /srv
 # Fix permissions issue with Caddy image
diff --git a/docker/config/Caddyfile b/docker/config/Caddyfile
index 5422ec8..005e8ff 100644
--- a/docker/config/Caddyfile
+++ b/docker/config/Caddyfile
@@ -1,6 +1,7 @@
 {
 # See https://caddy.community/t/making-sense-of-auto-https-and-why-disabling-it-still-serves-https-instead-of-http/9761
 auto_https off
+ {$RATE_LIMIT_ORDERING}
 }
 {$WEB_HOST_NAME}:{$WEB_HOST_PORT} {
@@ -32,9 +33,11 @@
 # Enable gzip, zstd compression
 encode zstd gzip
- # Enable templates module - required for
+ # Enable templates module - required for templates
+ {$DEFAULT_RATE_LIMIT}
+
 # Openly exposed health check endpoint for OpenShift
 respond /health 200
@@ -49,6 +52,7 @@
 # Proxy requests to API service
 route /api/* {
+ {$API_RATE_LIMIT}
 reverse_proxy {$API_HOST}:{$API_PORT} {
 header_up Host {upstream_hostport}
 header_up X-Forwarded-Host {host}
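Review bot: Both Caddy image ARGs float on a moving tag — `caddy:builder-alpine` added here and `caddy:alpine` on the line below it — so the Caddy version the plugin is compiled against in the new build stage (next hunk of this file) and the runtime base can drift independently, and the copied `/usr/bin/caddy` silently replaces whatever the runtime image shipped. Pin both to the same release so the plugin runs on the Caddy it was built for and the image is reproducible, e.g. `ARG caddy_builder_image=caddy:<CADDY_VERSION>-builder-alpine` and `ARG runtime_image=caddy:<CADDY_VERSION>-alpine` (placeholder version), ideally with a digest as well. The same point applies to `node:fermium`, which is pre-existing and not changed by this commit.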
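Review bot: The comment `# Install ratelimit/v0.2.0` does not say how that tag relates to the commit hash in the `--with` argument, so a reader cannot tell whether `3497b196…` is the commit tagged `ratelimit/v0.2.0` or a later revision; pinning by full commit hash is the right choice for reproducibility, so keep the hash and make the comment state the mapping, e.g. `# Build Caddy with the ratelimit plugin pinned to the commit tagged ratelimit/v0.2.0 (a commit hash is immutable, the tag is not)`. The `FROM ... as caddy-build-stage` line mixes an uppercase instruction with a lowercase `as`, which BuildKit's FromAsCasing check flags; `AS` would be consistent with the instruction casing. In this rendering the `--with` continuation line has lost its `+` marker, so the hunk reads as one `RUN` line.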
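Review bot: `{$RATE_LIMIT_ORDERING}` expands to an empty string whenever the variable is unset, but `rate_limit` is not a standard directive, so if `DEFAULT_RATE_LIMIT` or `API_RATE_LIMIT` is populated while this one is empty Caddy rejects the config at startup because the directive has no position in the handler order; the three variables therefore have to be set together and the file does not say so. Add a comment above the placeholder, e.g. `# Must hold an "order rate_limit before ..." line whenever DEFAULT_RATE_LIMIT / API_RATE_LIMIT are set (defaults in docker/manage)`. The same startup failure occurs if this Caddyfile is mounted into a stock caddy image without the plugin unless all three variables are empty.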
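Review bot: `{$DEFAULT_RATE_LIMIT}` carries no matcher, so the site-wide limit also covers the `/health` endpoint two lines below; a client that exhausts its budget — or, behind a proxy where all requests share one `{remote_host}`, any burst of traffic — would then cause the OpenShift probe to be rejected and the pod restarted, turning a rate-limit event into an outage. If the plugin accepts a matcher argument (its directive syntax appears to allow one), exclude the probe path in the default value, e.g. `@limited not path /health` followed by `rate_limit @limited {remote_host} 50r/s`, and add a comment here stating what the variable must contain, e.g. `# Site-wide rate_limit directive injected from DEFAULT_RATE_LIMIT (see docker/manage)`. The enclosing site block starts and ends outside the hunk.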
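Review bot: The `/api/*` route here and the `/hooks/*` route in the following hunk inject the same `{$API_RATE_LIMIT}`, so browser traffic to the API and webhook deliveries cannot be tuned separately, and both additionally sit under the site-wide `{$DEFAULT_RATE_LIMIT}`; a separate `HOOKS_RATE_LIMIT` variable defaulting to the API value would keep the two profiles independent without changing current behaviour. Whether the two directives share one counter or keep separate zones depends on the plugin and is not visible here, so a comment such as `# Per-route limit applied on top of the site-wide DEFAULT_RATE_LIMIT; directive text comes from API_RATE_LIMIT` would help the next reader. The `route` block for `/api/*` continues outside the hunk.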
@@ -57,6 +61,7 @@
 # Proxy requests to Hooks
 route /hooks/* {
+ {$API_RATE_LIMIT}
 reverse_proxy {$API_HOST}:{$API_PORT} {
 header_up Host {upstream_hostport}
 header_up X-Forwarded-Host {host}
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 4a84f94..6978360 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,5 +1,5 @@
 version: "3"
-services:
+services:
 orgbook-web:
 image: orgbook-web:latest
 environment:
@@ -8,6 +8,10 @@ services:
 WEB_HOST_TLS: ${PUBLIC_WEB_HOST_TLS}
 API_HOST: ${PUBLIC_API_HOST}
 API_PORT: ${PUBLIC_API_PORT}
+
+ RATE_LIMIT_ORDERING: ${RATE_LIMIT_ORDERING}
+ DEFAULT_RATE_LIMIT: ${DEFAULT_RATE_LIMIT}
+ API_RATE_LIMIT: ${API_RATE_LIMIT}
 volumes:
 - ./config/Caddyfile:/etc/caddy/Caddyfile
 ports:
diff --git a/docker/manage b/docker/manage
index fc08de8..87d8926 100755
--- a/docker/manage
+++ b/docker/manage
@@ -64,6 +64,10 @@ configureEnvironment() {
 export PUBLIC_WEB_HOST_TLS=${PUBLIC_WEB_HOST_TLS:-off}
 export PUBLIC_API_HOST=${PUBLIC_API_HOST:-https://orgbook.gov.bc.ca}
 export PUBLIC_API_PORT=${PUBLIC_API_PORT:-443}
+
+ export RATE_LIMIT_ORDERING=${RATE_LIMIT_ORDERING:-'order rate_limit before basicauth'}
+ export DEFAULT_RATE_LIMIT=${DEFAULT_RATE_LIMIT:-'rate_limit {remote_host} 50r/s'}
+ export API_RATE_LIMIT=${API_RATE_LIMIT:-'rate_limit {remote_host} 25r/s'}
 }
 cleanUpEnvironment() {
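Review bot: The three new environment entries pass raw Caddyfile directive text through verbatim, which the names do not convey; a comment above `RATE_LIMIT_ORDERING` such as `# Caddyfile snippets substituted into config/Caddyfile at startup; ./manage exports the defaults` would make clear that these values are configuration fragments rather than numeric limits. Compose substitutes an empty string (with a warning) for any of them that is unset in the calling shell, which is only harmless here because `manage` exports defaults before invoking compose; anyone running `docker compose` directly gets an empty ordering line and the startup failure described at the Caddyfile's global block.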
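Review bot: Both defaults key the limit on `{remote_host}`, the address of the TCP peer; when this container runs behind the OpenShift router or any other reverse proxy (the Caddyfile's `/health` comment suggests it does), every client shares the proxy's address and the whole site gets one 50r/s bucket, which throttles legitimate users and lets a single source exhaust the budget for everyone. On Caddy releases that provide the `trusted_proxies` global option and the `{client_ip}` placeholder, declare the proxy's address range as trusted and key on `{client_ip}` instead; `{remote_host}` is only a sound key when clients connect directly. A comment above the three exports stating which topology the defaults assume would stop them being copied unchanged into a proxied deployment; the quoting is correct, since the single quotes inside `${VAR:-'...'}` are removed by the shell and the value contains no quotes.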