roddylindsay
commented
2 years ago thanks @MBS9 ... how did you test this to confirm this logic works?
Closed MBS9 closed 2 years ago
roddylindsay
commented
2 years ago thanks @MBS9 ... how did you test this to confirm this logic works?
MBS9
commented
2 years ago @roddylindsay I changed the rate limit to 1 per minute for the duration of the test. I then started streams from the command line to verify if/when they get blocked. This confirmed that (apart from the time interval) it is working. To ensure that it also works with 1 per second, I changed the limit back to 1 per second and verified that Nginx does not through any errors. This shows that Nginx has accepted the new limit without problems.
roddylindsay
commented
2 years ago can you test with connections from a different IP to make sure it's not all coming from localhost?
MBS9
commented
2 years ago @roddylindsay Sure I'll update you when it's done.
MBS9
commented
2 years ago @roddylindsay I tested it from a different IP and it worked! Frist, I set up two VMs, I started Earshot on one and opened streams (from the same VM) until it got blocked. Next, I started a stream from the other VM and it succeeded. I repeated this experiment multiple times and they always succeeded.
The only place where it can cause a problem is if it is behind a reversed proxy. Because it will block the proxy. In that case, the rate limiting needs to be on the proxy.
This PR adds rate limiting to RTMP authentication. This prevents brute force attacks.
It limits requests to one per second. It allows for occasional bursts for up to 2 requests until, on avarage, the one per second is retained.