cloud fodder on Nostr: Well, I've done a few experiments a while back throttling, but the problem usually is ...
Well, I did a few throttling experiments a while back, but the problem usually is that regular old nostr clients always use more bandwidth than the clients I was attempting to block (because they're just sending events and nostr users are doing tons of REQs). However, haproxy could totally throttle upgrades, etc. Here's a massive paste of some of my experiments that show bandwidth throttling and other types. It may give you some ideas of what to search for (HUGE PASTE INCOMING)
```
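# Scope of the throttling: path_beg "/" matches every request, so in this
# experiment all traffic counts as throttled_url.
acl throttled_url path_beg -i /
# IPs excluded from the temporary deny feature
acl throttle_exclude req.hdr_ip(X-Forwarded-For) -f /etc/haproxy/lists/throttle_exclude.lst
# NOTE(review): X-Forwarded-For is client-supplied unless a trusted proxy in
# front of HAProxy overwrites it. If HAProxy is the edge, key the counters and
# the exclusion list on src instead (as is-blocked-ip below already does);
# otherwise a client can choose its own key, including an excluded one.
# Identify unique clients: Host + X-Forwarded-For + User-Agent, all taken from
# the request, so this is a best-effort client fingerprint, not an identity.
http-request set-header X-SB-Track %[req.fhdr(Host)]_%[req.fhdr(X-Forwarded-For)]_%[req.fhdr(User-Agent)]
# base64 encode the temporary tracking header so it is usable as a binary key
http-request set-header X-Concat %[req.fhdr(X-SB-Track),base64]
# Remove the temporary tracking header before the request goes upstream
http-request del-header X-SB-Track
# stick-table for tracking HTTP request rate and the number of concurrently open connections
# We track request rate within a 10-second sliding window.
# len 64 truncates the base64 key: with a long Host/X-Forwarded-For value the
# User-Agent part is cut off and distinct UAs share one entry (probably fine; confirm).
stick-table type binary len 64 size 100k store gpc0_rate(10s),conn_cur expire 4m
# clients that were "seen" by HAProxy. sc0_inc_gpc0 increments gpc0 on every
# evaluation and returns the new value, so this matches whenever sc0 is tracked;
# those increments are what feed gpc0_rate below.
acl mark_seen sc0_inc_gpc0 gt 0
# clients that have exceeded the HTTP request rate threshold (more than 10 per 10s window)
acl fast_refresher sc0_gpc0_rate gt 10
# clients that have more than 20 concurrently open connections
acl conn_limit sc0_conn_cur gt 20
# ip_is_bad increments the gpc0 counter in bk_stick_blocked every time it is evaluated
acl ip_is_bad sc1_inc_gpc0(bk_stick_blocked) gt 0
# Track the X-Concat key each time throttled_url is requested
http-request track-sc0 hdr(X-Concat) if throttled_url
# Track all requests for throttled_url in a separate stick-table (bk_stick_blocked,
# defined elsewhere; it has to store gpc0 for ip_is_bad/ip_was_bad to work)
http-request track-sc1 hdr_ip(X-Forwarded-For) table bk_stick_blocked if throttled_url
# Mark a fast_refresher as bad. sc1 is already tracked above, so this rule exists
# for the side effect of evaluating ip_is_bad. throttle_exclude is tested before
# ip_is_bad so excluded clients are never counted: HAProxy stops evaluating a
# condition at the first failing term.
http-request track-sc1 hdr_ip(X-Forwarded-For) table bk_stick_blocked if fast_refresher !throttle_exclude ip_is_bad
# Check if the client's IP is blocked
acl ip_was_bad sc1_get_gpc0(bk_stick_blocked) gt 0
# Static blocklist, keyed on the real source address
acl is-blocked-ip src -f /etc/haproxy/blocklisted.ips
http-request deny if is-blocked-ip
# Deny access to blocked IPs, except those on the exclusion list. Only this one
# rule: an unconditional "deny if ip_was_bad" would make the exclusion list ineffective.
http-request deny if ip_was_bad !throttle_exclude
# Upload bandwidth limit (bwlim filters exist since HAProxy 2.7). The limiter name
# identifies the filter and is expected to be unique per proxy, so only one
# myuploadlimit is declared; the per-source variant keyed in bk_stick_rate (a table
# not shown here) is kept as a commented alternative. As written the default is
# 5000 bytes per 5-minute period -- an experimental value.
filter bwlim-in myuploadlimit default-limit 5000 default-period 5m
# filter bwlim-in myuploadlimit limit 62500 key src table bk_stick_rate
http-request set-bandwidth-limit myuploadlimit
# if the client has too many open connections, return 429 error (bk_429 defined elsewhere)
use_backend bk_429 if mark_seen conn_limit
# if the client exceeded the HTTP request rate, return 429 error
use_backend bk_429 if mark_seen fast_refresher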
```
Published at 2024-06-20 23:51:04

Event JSON
{
"id": "133016c2620a086cc1bfeba55492f0ebbdd1719289b6314738f140f9c4f6d194",
"pubkey": "7cc328a08ddb2afdf9f9be77beff4c83489ff979721827d628a542f32a247c0e",
"created_at": 1718927464,
"kind": 1,
"tags": [
[
"e",
"07f0dca2ea60a3bf7e447fc4ba8b3cd3b5f71ede243e7fdc7f0a8efab2e7cdab",
"wss://relay.damus.io/",
"root"
],
[
"e",
"b085cc0f4292d6b26e59d84c6b9f669d15df58a674c5a674d78c85faa652e55c",
"wss://relay.damus.io/",
"reply"
],
[
"p",
"0461fcbecc4c3374439932d6b8f11269ccdb7cc973ad7a50ae362db135a474dd",
"",
"mention"
]
],
"content": "Well, I've done a few experiments a while back throttling, but the problem usually is that regular old nostr clients always use more bandwidth than the clients I was attempting to block (because they're just sending events and nostr users are doing tons of REQs). However, haproxy could totally throttle upgrades and etc. Here's a massive paste of some of my experiments that show bandwidth throttle and other types. It may give you some ideas of what to search for (HUGE PASTE INCOMING)\n\n```\n acl throttled_url path_beg -i /\n # IPs excluded from temporary deny feature\n acl throttle_exclude req.hdr_ip(X-Forwarded-For) -f /etc/haproxy/lists/throttle_exclude.lst\n # Identify unique clients based on temporary header\n http-request set-header X-SB-Track %[req.fhdr(Host)]_%[req.fhdr(X-Forwarded-For)]_%[req.fhdr(User-Agent)]\n # base64 encode temporary tracking header\n http-request set-header X-Concat %[req.fhdr(X-SB-Track),base64]\n # Remove temporary tracking header\n http-request del-header X-SB-Track\n # stick-table for tracking HTTP request rate and the number of concurrently open connections\n # We track request rate within 10-second sliding window\n stick-table type binary len 64 size 100k store gpc0_rate(10s),conn_cur expire 4m\n # clients that were \"seen\" by HAProxy\n acl mark_seen sc0_inc_gpc0 gt 0\n # clients that have exceeded HTTP request rate threshold\n acl fast_refresher sc0_gpc0_rate gt 10\n # clients that have more than 20 concurrently open connections\n acl conn_limit sc0_conn_cur gt 20\n ip_is_bad increments gpc0 counter every time it's evaluated\n acl ip_is_bad sc1_inc_gpc0(bk_stick_blocked) gt 0\n # Track X-Concat header each time throttled_url is requested\n http-request track-sc0 hdr(X-Concat) if throttled_url\n # Track all requests for the throttled_url in a separate stick-table (bk_stick_blocked)\n http-request track-sc1 hdr_ip(X-Forwarded-For) table bk_stick_blocked if throttled_url\n # Increment the counter and therefore block 
the IP that was detected as a fast_refresher\n # IP is stored in stick-table bk_stick_blocked\n http-request track-sc1 hdr_ip(X-Forwarded-For) table bk_stick_blocked if fast_refresher ip_is_bad !throttle_exclude\n http-request track-sc1 hdr_ip(X-Forwarded-For) table bk_stick_blocked if fast_refresher ip_is_bad\n # Check if the client's IP is blocked\n acl ip_was_bad sc1_get_gpc0(bk_stick_blocked) gt 0\n acl is-blocked-ip src -f /etc/haproxy/blocklisted.ips \n http-request deny if is-blocked-ip\n # Deny access to blocked IP\n http-request deny if ip_was_bad !throttle_exclude\n http-request deny if ip_was_bad\n filter bwlim-in myuploadlimit default-limit 5000 default-period 5m\n http-request set-bandwidth-limit myuploadlimit\n filter bwlim-in myuploadlimit limit 62500 key src table bk_stick_rate\n http-request set-bandwidth-limit myuploadlimit\n http-request deny if ip_was_bad\n # if the client has too many open connections, return 429 error\n use_backend bk_429 if mark_seen conn_limit\n # if the trusted client exceeded HTTP request rate, return 429 error\n use_backend bk_429 if mark_seen fast_refresher\n```",
"sig": "28b7523fbd2ab72c73bc6b70ed5fbe362bb38207b63433cd8c0fc6f0b18e91f7cba58c13e6be4894880751ec3ac3bb3db83e5e74e5a36db6cd0e089b3bda2b30"
}