EnvelopSound / Earshot

Containerized RTMP->DASH transcoder for live-streaming Higher-Order Ambisonic and other multichannel content
GNU General Public License v2.0

Rate limiting #48

Closed MBS9 closed 2 years ago

MBS9 commented 2 years ago

This PR adds rate limiting to RTMP authentication. This prevents brute force attacks.

It limits requests to one per second. It allows for occasional bursts of up to 2 requests until, on average, the one per second is retained.

roddylindsay commented 2 years ago

thanks @MBS9 ... how did you test this to confirm this logic works?

MBS9 commented 2 years ago

@roddylindsay I changed the rate limit to 1 per minute for the duration of the test. I then started streams from the command line to verify if/when they get blocked. This confirmed that (apart from the time interval) it is working. To ensure that it also works with 1 per second, I changed the limit back to 1 per second and verified that Nginx does not throw any errors. This shows that Nginx has accepted the new limit without problems.

roddylindsay commented 2 years ago

can you test with connections from a different IP to make sure it's not all coming from localhost?

MBS9 commented 2 years ago

@roddylindsay Sure I'll update you when it's done.

MBS9 commented 2 years ago

@roddylindsay I tested it from a different IP and it worked! First, I set up two VMs and started Earshot on one, then opened streams (from the same VM) until it got blocked. Next, I started a stream from the other VM and it succeeded. I repeated this experiment multiple times and they always succeeded.

The only place where it can cause a problem is if it is behind a reverse proxy, because it will block the proxy. In that case, the rate limiting needs to be on the proxy.
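The limit described in this PR (one request per second, bursts of up to 2) and the reverse-proxy caveat from the last comment, as an added example that is not part of the PR or of the Earshot project: a Python model of nginx's `limit_req` leaky bucket, which the PR is assumed to use, run against constructed timestamps and addresses. It shows which authentication attempts pass or are rejected, and how keying on the connecting address collapses every streamer behind one proxy into a single bucket.

```python
from dataclasses import dataclass, field

RATE_PER_SEC = 1.0   # the PR's "one per second"
BURST = 2            # the PR's "bursts of up to 2 requests"

@dataclass
class LimitReqZone:
    """Leaky-bucket model of nginx's limit_req (assumed to be what the PR uses).

    Per key we keep the 'excess' (requests above the allowed rate) and the time
    it was last updated. Rejected requests do not update the state, as in nginx,
    so a flood does not push a client further into the red.
    """
    rate: float = RATE_PER_SEC
    burst: int = BURST
    state: dict = field(default_factory=dict)   # key -> (excess, last_time)

    def check(self, key: str, now: float) -> bool:
        """True if accepted (nginx may delay it when 'nodelay' is off),
        False if nginx would reject it with 503."""
        if key not in self.state:            # brand-new key: zero excess
            self.state[key] = (0.0, now)
            return True
        excess, last = self.state[key]
        # Drain the bucket for the elapsed time, then add this request.
        excess = max(0.0, excess - self.rate * (now - last)) + 1.0
        if excess > self.burst:
            return False
        self.state[key] = (excess, now)
        return True

def single_client(times):
    """Decisions for one streamer's auth attempts at the given seconds."""
    zone = LimitReqZone()
    return [zone.check("198.51.100.7", t) for t in times]   # constructed address

# Constructed: two streamers behind one reverse proxy, (time, original client).
CONSTRUCTED_EVENTS = [(0.0, "10.0.0.5"), (0.0, "10.0.0.5"),
                      (0.0, "10.0.0.5"), (0.2, "10.0.0.9")]
PROXY_ADDR = "203.0.113.1"   # constructed: what nginx sees as $remote_addr

def by_remote_addr(proxy, client):   # plain limit_req keyed on $binary_remote_addr
    return proxy

def by_real_client(proxy, client):   # per-streamer key, e.g. limiting at the proxy
    return client

def behind_proxy(key_fn, events=CONSTRUCTED_EVENTS):
    """Decisions for the proxied events under the chosen rate-limit key."""
    zone = LimitReqZone()
    return [zone.check(key_fn(PROXY_ADDR, client), t) for t, client in events]
```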