marvintherain

marvintherain

How to rate limit a public live view

Hello

Is there a way to rate limit requests to a public live view as well as the number of concurrent connections from an IP on the application level? There seem to be :ets based libs for caching like cachex and hammer but I’m struggling to integrate them.

Or is that something that needs to be solved by on the infrastructure level?

Cheers
Daniel

Marked As Solved

ruslandoga

ruslandoga

:wave: @marvintherain

Just wanted to note that you can use :ets directly, without any extra libs.

Here's a basic rate-limiter
defmodule MyApp.RateLimit do
  @moduledoc """
  Thin wrapper around `:ets.update_counter/4` and a clean-up process to act as a fixed window rate limiter.

  Based on https://github.com/michalmuskala/plug_attack
  """

  use GenServer
  @table __MODULE__

  @doc """
  Starts the process that creates and cleans the ETS table.

  Accepts the following options:
  - `:clean_period` for how often to perform garbage collection, defaults to 10 minutes
  """
  def start_link(opts) do
    GenServer.start_link(__MODULE__, opts)
  end

  @doc "Increments count and checks if it's still within limit"
  def hit(key, scale, limit, increment \\ 1) do
    now = now()
    window = div(now, scale)
    full_key = {key, window}
    expires_at = (window + 1) * scale
    count = :ets.update_counter(@table, full_key, increment, {full_key, 0, expires_at})
    if count <= limit, do: {:allow, count}, else: {:deny, _retry_after = expires_at - now}
  end

  @impl true
  def init(opts) do
    clean_period = Keyword.get(opts, :clean_period, :timer.minutes(10))

    :ets.new(@table, [
      :named_table,
      :set,
      :public,
      {:read_concurrency, true},
      {:write_concurrency, true},
      {:decentralized_counters, true}
    ])

    schedule(clean_period)
    {:ok, %{clean_period: clean_period}}
  end

  @impl true
  def handle_info(:clean, state) do
    :ets.select_delete(@table, [{{{:_, :_}, :_, :"$1"}, [], [{:<, :"$1", {:const, now()}}]}])
    schedule(state.clean_period)
    {:noreply, state}
  end

  defp schedule(clean_period) do
    Process.send_after(self(), :clean, clean_period)
  end

  @compile inline: [now: 0]
  defp now do
    System.system_time(:millisecond)
  end
end
And here's how it could be used

Start the rate-limiter, e.g. by the root supervisor

defmodule MyApp.Application do
  @moduledoc false
  use Application

  @impl true
  def start(_type, _args) do
    children = [
      # ...
      MyApp.RateLimit,
      # ...
    ]

    opts = [strategy: :one_for_one, name: MyApp.Supervisor]
    Supervisor.start_link(children, opts)
  end
end

And call it in your endpoint or a plug pipeline for the live view

Endpoint version:

defmodule MyApp.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # ...

  # https://github.com/ajvondrak/remote_ip
  plug RemoteIp
  plug :rate_limit

  # ...
   
  plug MyApp.Router

  defp rate_limit(conn, _opts) do
    case MyApp.RateLimit.hit({:global, conn.remote_ip}, _scale = :timer.seconds(10), _limit = 10) do
      {:allow, _count} ->
        conn

      # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
      {:deny, retry_after_ms} ->
        retry_after_seconds = div(retry_after_ms, 1000)

        conn
        |> put_resp_header("retry-after", retry_after_seconds)
        |> send_resp(429, "You are too fast, and you are rate limited. Try again in #{retry_after_seconds} seconds.")
        |> halt()
    end
  end
end

Router pipeline version:

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # ...

  pipeline :lv_rate_limit do
    # https://github.com/ajvondrak/remote_ip
    plug RemoteIp
    plug :rate_limit, "my_live"
  end

  scope "/", MyAppWeb do
    pipe_through [:browser, :lv_rate_limit]
    live "/", MyLive.Index, :index
  end

  defp rate_limit(conn, namespace) do
    case MyApp.RateLimit.hit({namespace, conn.remote_ip}, _scale = :timer.seconds(10), _limit = 10) do
      {:allow, _count} ->
        conn

      # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
      {:deny, retry_after_ms} ->
        retry_after_seconds = div(retry_after_ms, 1000)

        conn
        |> put_resp_header("retry-after", retry_after_seconds)
        |> send_resp(429, "You are too fast, and you are rate limited. Try again in #{retry_after_seconds} seconds.")
        |> halt()
    end
  end
end

Note that this assumes that your rate-limited liveivews cannot be navigated to without passing through plugs and performing an HTTP request first. If they can be, then you would also put the rate limiter into a hook or mount callbacks. Please see Security considerations — Phoenix LiveView v1.2.5

Where Next?

Popular in Questions Top

Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
earth10
Hi, I’m just starting to build a side-project with Elixir and Phoenix and doing some basic test with Elixir alone. What strikes me is th...
New
shahryarjb
Hello, I have map which I want to convert it to string like this: the map: %{last_name: "tavakkoli", name: "shahryar"} the string I ne...
New
itssasanka
Hi all, Trying to get some more clarity over utc_datetime and naive_datetime for Ecto: The documentation above suggests that while ...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New

Other popular topics Top

Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 54120 245
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement