LP#1361782: Add DoS protection
author Mike Rylander <mrylander@gmail.com>
Tue, 22 Nov 2022 21:38:03 +0000 (16:38 -0500)
committer Galen Charlton <gmc@equinoxOLI.org>
Thu, 23 Mar 2023 19:08:11 +0000 (15:08 -0400)
commit c88cdba786981fbab3a8a933634cc4096f5c9cb7
tree 9842f9e743c1579316c35251bb61a43f217cacb1
parent 2b9f993842ec272434bbef961ac17ddd90718652
LP#1361782: Add DoS protection

This commit adds two types of simple DoS protection:

 * Limit concurrent search requests per client IP address, regardless of
 the searches being performed.  This helps address issues of accidental
 spamming from a malfunctioning OPAC workstation, or crawlers of various
 types.  The limit is controlled by a global flag called
 "opac.max_concurrent_search.ip".

 * Limit the global concurrent search requests for the same query.  This
 helps address both simple and distributed DoS that send the same search
 request over and over.  The limit is controlled by a global flag called
 "opac.max_concurrent_search.query", and defaults to 20.

When the limit is exceeded in either case the client receives an HTTP
429 "Too many requests" response from the web server, and the connection
is ended.

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Open-ILS/src/perlmods/lib/OpenILS/Application/Search/Biblio.pm
Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Search.pm
Open-ILS/src/sql/Pg/950.data.seed-values.sql
Open-ILS/src/sql/Pg/upgrade/XXXX.data.concurrent_search_global_flags.sql [new file with mode: 0644]
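
The two limits described in the commit message, as an added sketch in Python; it is not code from this commit or from Evergreen. The names `SearchLimiter`, `slot` and `handle_search` are hypothetical, the counters are assumed to live in one process, and the per-IP limit is passed in by the caller because the message states no default for it.

```python
import threading
from collections import Counter
from contextlib import contextmanager


class SearchLimiter:
    """Counts in-flight searches per client IP and per query string.

    Assumption: counters are in-process; a multi-process web server
    would need a shared store for them instead.
    """

    def __init__(self, max_per_ip, max_per_query=20):
        self.max_per_ip = max_per_ip        # role of opac.max_concurrent_search.ip
        self.max_per_query = max_per_query  # role of opac.max_concurrent_search.query
        self._lock = threading.Lock()
        self._by_ip = Counter()
        self._by_query = Counter()

    @contextmanager
    def slot(self, ip, query):
        """Yield True if the search may run, False if it must be refused."""
        with self._lock:  # check and increment atomically
            admitted = (self._by_ip[ip] < self.max_per_ip
                        and self._by_query[query] < self.max_per_query)
            if admitted:
                self._by_ip[ip] += 1
                self._by_query[query] += 1
        try:
            yield admitted
        finally:
            # Release even if the search raised; a leaked count would
            # keep refusing this client or query indefinitely.
            if admitted:
                with self._lock:
                    for counter, key in ((self._by_ip, ip), (self._by_query, query)):
                        counter[key] -= 1
                        if counter[key] == 0:
                            del counter[key]  # keep the tables bounded


def handle_search(limiter, ip, query, run_search):
    """Return (status, body); status is 429 when either limit is hit."""
    with limiter.slot(ip, query) as admitted:
        if not admitted:
            return 429, "Too many requests"
        return 200, run_search(query)
```
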