Caddy - add Caddy HTTP Rate Limit Module

[Roeda]

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

• [ x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• [x ] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
• [ x] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe. As I use caddy as a reverse proxy for api first applications. A would suggest a solution for rate limiting that is actively supported.

Describe the solution you'd like @Monviech , I would like to propose the integration of Caddy HTTP Rate Limit Module, developped by Caddy author.

Describe alternatives you've consideredN/A

Additional context N/A

[Monviech]

Hey, this looks like a rather big addition. It would need a contributer.

Here is an example how to extend this plugin with an additional optional module: https://github.com/opnsense/plugins/pull/4112

Additionally to that, the caddy-custom build would need to include this module. Check the opnsense/tools repository.

Im leaving this open if somebody wants to contribute this functionality with a PR.

[Roeda]

Hey, this looks like a rather big addition. It would need a contributer.

@Monviech I have admittedly not clearly defined the scope of my request. Allow me to clarify: I use the caddy plugin exclusively through /caddy.d config files. Since rate limiting is a very recommended security feature, I am hoping you could add the http rate limit module into the caddy build without any UI addition at all. People who need this feature will want to modify the caddy file manually anyway in my opinion. Maybe if/when the feature gains popularity the community can ultimately step up regarding a future UI.

thank you in advance.

[Monviech]

Thanks for clarifying. Im unsure about adding a module to the build that is not exposed in the GUI.

@fichtner whats your opinion on this?

[fichtner]

We do it sometimes. The question is if it poses a risk to others or if it bloats the build too much. Risk of future breakage also is a factor, but less problematic because then it can just be removed again if in need to fix the build.

[Roeda]

We do it sometimes. The question is if it poses a risk to others or if it bloats the build too much. Risk of future breakage also is a factor, but less problematic because then it can just be removed again if in need to fix the build.

My reading into it is that the risk factor is not applicable in this use case., and it is not a heavy module either : as long as it is not called it will not have any performance or security impact from my understanding. ( the positive impact, however, is important for who will use it. And it does align with the objectives of a security suite like opnsense) But I think you’ll be more positioned to judge ofc.

[Monviech]

Since its a module from mholt directly I see no issue adding it to the build. I'll evaluate it later and if my test xcaddy build works I'll add it to the opnsense/tools built.

[Monviech]

@Roeda The new pkg will come automatically with the next OPNsense version (community).

[Roeda]

thank you very much sir