From 50000cd9d47681390c3c45feef98fe51c7b79a0f Mon Sep 17 00:00:00 2001 From: DanConwayDev Date: Wed, 14 Jan 2026 11:42:05 +0000 Subject: Add explicit rate limits and total connection limit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Make RateLimit explicit in relay builder (500 subs, 60 events/min) - Add NGIT_MAX_CONNECTIONS config option (default: 500) - Update all 4 config locations (src, nix, docs, .env.example) - Fix documentation error: filter limit 5000→500 - Document Phase 2 deferral decision (per-IP enforcement) Addresses primary DoS vector (connection exhaustion) with minimal code. Per-IP rate limiting deferred until abuse detected in production. Related: issue ff38 (git endpoint throttling - separate concern) --- src/config.rs | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/config.rs') diff --git a/src/config.rs b/src/config.rs index 0f0d853..0014003 100644 --- a/src/config.rs +++ b/src/config.rs @@ -469,6 +469,11 @@ pub struct Config { /// All events from these authors are blocked from both relay storage and purgatory #[arg(long, env = "NGIT_EVENT_BLACKLIST", default_value = "")] pub event_blacklist: String, + + /// Maximum total connections to the relay (default: 500) + /// Prevents connection exhaustion DoS attacks + #[arg(long, env = "NGIT_MAX_CONNECTIONS", default_value_t = 500)] + pub max_connections: usize, } impl Config { @@ -703,6 +708,7 @@ impl Config { repository_whitelist: String::new(), repository_blacklist: String::new(), event_blacklist: String::new(), + max_connections: 500, } } } -- cgit v1.2.3