- Fix: Rely exclusively on `socket.destroySoon` for consistency across H1/H2
- Fix: Fixed several tests
- Feature: Add support for `errorResponseDelay` option
- Feature: Add support for closing http/2 connections
- Feature: Add support for adjusting IP throttle rate based on host ratio
- Feature: Add support for throttling based on host ratio
- Breaking: Options remain identical but rate limiting is now based on `maxAge` as the window of time, so if you have a rate limit of 10 RPS using the default `maxAge` of 10s, 100 requests will come in before anything is blocked
This release is about simplifying options, improved performance, and predictable results (less "magic").
- Breaking: `maxHostRate` option works similarly to before, but now requires `minHostRate` to be set as well so that rate limiting is based on the lag ratio between `minLag` and `maxLag`. Additionally, host rate limiting is enabled by default
- Breaking: `maxIpRate` option works similarly to before, but now requires `minIpRate` to be set as well so that rate limiting is based on the lag ratio between `minLag` and `maxLag`. IP rate limiting remains disabled by default
- Breaking: `behindProxy` has been replaced with `httpBehindProxy` and `httpsBehindProxy` to account for possible differences between bindings
- Breaking: `exemptLocalAddress` has been removed in favor of existing whitelisting. This "feature" was highly flawed and could potentially flag any internal NAT addresses as exempt when the intention is really only to exempt the immediate host
- Breaking: All `Threshold` options have been removed; blocking has shifted entirely to rate limiting via `minHostRate` and `minIpRate`. Additionally, minimum request options have been removed, but rate limiting now must meet `minHostRate` or `minIpRate`
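The two mechanisms described in the entries above (a `maxAge` window whose whole budget can be consumed before the first block, and a permitted rate that shrinks as lag moves from `minLag` toward `maxLag`) are easy to misjudge without numbers. The following is an added illustration, not connect-qos's own code: the option names echo the changelog, while the class, its methods, and every sample value (70 ms / 300 ms lag range, 1 to 10 RPS) are assumptions of this example.

```javascript
// Added illustration of windowed, lag-proportional rate limiting; this is not
// connect-qos's own code. Option names (maxAge, minLag, maxLag, minRate,
// maxRate) echo the changelog; class, methods and sample numbers are assumed.

// Fraction of the way from minLag to maxLag: 0 while lag <= minLag,
// 1 once lag >= maxLag, linear in between.
function lagRatio(lagMs, minLag, maxLag) {
  if (maxLag <= minLag) throw new Error('maxLag must exceed minLag');
  const r = (lagMs - minLag) / (maxLag - minLag);
  return Math.min(1, Math.max(0, r));
}

class WindowedRateLimiter {
  constructor({ maxAge = 10000, minLag, maxLag, minRate, maxRate }) {
    Object.assign(this, { maxAge, minLag, maxLag, minRate, maxRate });
    this.counts = new Map(); // key (host or IP) -> { windowStart, count }
  }

  // Requests per second permitted at the given event-loop lag: the full
  // maxRate with no lag, shrinking linearly to minRate at maxLag.
  allowedRate(lagMs) {
    const ratio = lagRatio(lagMs, this.minLag, this.maxLag);
    return this.maxRate - ratio * (this.maxRate - this.minRate);
  }

  // Count one request for `key` and report whether it may proceed. The
  // budget is rate * window length, so a 10 RPS limit with a 10 s window
  // admits 100 requests before the first block (the changelog's example).
  check(key, nowMs, lagMs = 0) {
    let entry = this.counts.get(key);
    if (!entry || nowMs - entry.windowStart >= this.maxAge) {
      entry = { windowStart: nowMs, count: 0 }; // fixed window rolled over
      this.counts.set(key, entry);
    }
    entry.count += 1;
    const budget = this.allowedRate(lagMs) * (this.maxAge / 1000);
    return entry.count <= budget;
  }
}

// How many requests from one key get through at a fixed instant and lag
// before the limiter starts blocking.
function burstBeforeBlock(limiter, key, lagMs = 0) {
  let admitted = 0;
  while (admitted < 10000 && limiter.check(key, 0, lagMs)) admitted += 1;
  return admitted;
}

// Constructed settings: 1..10 RPS between 70 ms and 300 ms of lag.
function demo() {
  const make = () => new WindowedRateLimiter({
    maxAge: 10000, minLag: 70, maxLag: 300, minRate: 1, maxRate: 10,
  });
  return {
    idle: burstBeforeBlock(make(), 'host-a', 0),         // 100
    halfLoad: burstBeforeBlock(make(), 'host-a', 185),   // 55
    overloaded: burstBeforeBlock(make(), 'host-a', 500), // 10
  };
}
```

The `idle` figure is the point the breaking note makes: a per-second rate applied over a 10 s window is a 100-request burst allowance, not a 10-per-second ceiling. Raising `maxAge` widens that burst; the changelog's move from 60 s to 10 s is why throttling became more accurate.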
- Debug: Expose `id` property on cache items and export utils
- Feature: Normalize hosts to drop ports and `www` subdomain
- Tuning: Default `maxAge` has been dropped from 60 to 10 seconds, which greatly increases the accuracy of throttling
- Fix: Lag ratios and thresholds were being computed incorrectly, resulting in far fewer blocks while lag/load is present than expected
- Feature: A subtle but major change: no longer tracks hosts & IPs if they are bad. This allows for accurate rate limiting and auto-recovery when overwhelmed. This change will also greatly reduce the memory footprint required during times of high load
- Critical Fix: If host or IP monitoring was disabled (via `minHostRequests=0` or `minIpRequests=0`) the middleware would cease to block any traffic, as it would behave as whitelisted
- Critical Fix: LRU eviction was resulting in incorrect counts and thus skewing how ratios are calculated
- Tuning: Stale purging is now based on time instead of request counts to provide more stable memory management. Additionally, the `maxAge` default has been reduced from 2 to 1 minutes to avoid needless memory waste
- Feature: Support for rate limiting when no lag is present via `maxHostRate` and/or `maxIpRate` options
- Tuning: `minHostRequests` default dropped from 50 to 30 for faster reaction time, `maxAge` dropped from 10 minutes to 2 minutes to avoid wasted memory, and `historySize` dropped from 500 to 300 to avoid wasted memory
- Feature: Support for disabling `badHost` via `minHostRequests:false` and disabling `badIp` via `minIpRequests:false`
- Fix: `172.*` space added to localhost IP check to support docker
- Feature: Mitigation strategy has shifted to use a lag range (between `minLag` & `maxLag`) which is used to determine at any given time how aggressive throttling should be. Throttling habits are now proportional to the lag/load, and throttling is prioritized based on the worst offenders. This also removes the need for `waitForHistory`, `hostBadActorSplit`, and `ipBadActorSplit`. `minBadActorThreshold` & `maxBadActorThreshold` indicate the min/max range for the requests that will be blocked in proportion to the lag
- Feature: Shifting strategies to an LRU in combination with `minHostRequests` & `minIpRequests` allows us to much more quickly begin blocking bad traffic (5x improvement at startup with default config), in addition to progressive updates as statistics are calculated in real time and no longer lag behind the giant `historySize` window to detect shifts in traffic patterns
- Feature: With the addition of `exemptLocalAddress` we will no longer block (by default) or even track localhost requests, which is especially important so that healthchecks do not fail
- Change: No longer export `ConnectQOS` as `default`; export it as itself
- Feature: `hitRatio` has been replaced by `hostBadActorSplit` and `ipBadActorSplit` so that we're throttling the top offenders regardless of whether they hit an arbitrary percentage of traffic
- Feature: Support for TypeScript and modern language features
- Feature: Support for `waitForHistory` (enabled by default), which prevents `userLag` from being triggered prematurely before we have sufficient evidence/history
- Feature: Official pre-request bad actor support (such as TLS SNI)
- Fix: Calling `isBadHost` or `isBadIp` will now update history. This will make for more accurate bad actor detection for scenarios that leverage pre-request tracking (such as TLS SNI) in cases that result in large volumes of pre-middleware rejections
- Feature: Support for `hostWhitelist` and `ipWhitelist` options if you want to prevent certain hosts or IPs from ever being blocked
- Feature: Full test suite (that should have been in 1.0!)
- Security: Only support `x-forwarded-for` header if `behindProxy` is set to `true`.
- Fix: `options` was not being adhered to
- Feature: Support for `getMiddleware({ beforeThrottle })`
- Feature: Support for `req.reason` for throttling
- Fix: `getMiddleware` was not referencing `this` instance
- Fix: Options were not defaulting
- Breaking: `getMiddleware` is now part of the prototype so that instance functions are accessible
- Add support for `errorStatusCode` option and expose new methods `isBadHost` and `isBadIp`