29 lines
1.1 KiB
JavaScript
29 lines
1.1 KiB
JavaScript
import rateLimit from 'express-rate-limit'
|
|
import statsd from '../lib/statsd.js'
|
|
|
|
const EXPIRES_IN_AS_SECONDS = 60
|
|
|
|
export default rateLimit({
|
|
// 1 minute
|
|
windowMs: EXPIRES_IN_AS_SECONDS * 1000,
|
|
// limit each IP to X requests per windowMs
|
|
// We currently have about 25 instances in production. That's routed
|
|
// in Azure to spread the requests to each healthy instance.
|
|
// So, the true rate limit, per `windowMs`, is this number multiplied
|
|
// by the current number of instances.
|
|
// We have see DDoS attempts against prod that hits the `/` endpoint
|
|
// (and not following the redirect to `/en`) at roughly 200k per minute.
|
|
max: process.env.NODE_ENV === 'test' ? 1000 : 100,
|
|
|
|
// Return rate limit info in the `RateLimit-*` headers
|
|
standardHeaders: true,
|
|
// Disable the `X-RateLimit-*` headers
|
|
legacyHeaders: false,
|
|
|
|
handler: (request, response, next, options) => {
|
|
const tags = [`url:${request.url}`, `ip:${request.ip}`]
|
|
statsd.increment('middleware.rate_limit', 1, tags)
|
|
response.status(options.statusCode).send(options.message)
|
|
},
|
|
})
|