- Fix Rely exclusively on
socket.destroySoonfor consistency across H1/H2 - Fix Fixed several tests
- Feature Add support for
errorResponseDelayoption
- Feature Add support for closing http/2 connections
- Feature Add support for adjusting IP throttle rate based on host ratio
- Feature Add support for throttling based on host ratio
- Breaking Options remain identical but rate limiting is now
based on
maxAgeas the window of time, so if you have a rate limit of10RPS using the defaultmaxAgeof 10s 100 requests will come in before anything is blocked
This release is about simplifying options, improved performance, and predictable results (less "magic").
- Breaking
maxHostRateoption work the similar as before, but now requireminHostRateto be set as well so that rate limiting is based on the lag ratio betweenminLagandmaxLag. Additionally host rate limiting is enabled by default - Breaking
maxIpRateoption work the similar as before, but now requireminIpRateto be set as well so that rate limiting is based on the lag ratio betweenminLagandmaxLag. IP rate limiting remains disabled by default - Breaking
behindProxyhas been replaced withhttpBehindProxyandhttpsBehindProxyto account for possible differences between bindings - Breaking
exemptLocalAddresshas been removed in favor of existing whitelisting. This "feature" was highly flawed and could potentially flag any internal NAT addresses as exempt when the intention is really only to exempt the immediate host - Breaking All
Thresholdoptions have been removed blocking has shifted entirely to rate limiting viaminHostRateandminIpRate. Additionally minimum request options have been removed, but rate limiting now must meetminHostRateorminIpRate
- Debug Expose
idproperty on cache items and export utils
- Feature Normalize hosts to drop ports and
wwwsubdomain
- Tuning Default
maxAgehas been dropped from 60 to 10 seconds which greatly increases the accuracy of throttling - Fix Lag ratios and thresholds were being computed incorrectly and resulting in far fewer blocks while lag/load is present than expected
- Feature A subtle but major change no longer tracks hosts & IPs if they are bad. This allows for accurate rate limiting and auto-recovery when overwhelmed. This change will also greatly reduce the memory footprint required during times of high load
- Critical Fix If monitoring of host or IP monitoring
was disabled (via
minHostRequests=0orminIpRequests=0) the middleware would cease to block any traffic as it would behave as whitelisted - Critical Fix LRU eviction was resulting in incorrect counts and thus skewing how ratios are calculated
- Tuning Stale purging is now based on time instead of
request counts to provide more stable memory management.
Additionally
maxAgedefault has been reduced from 2 to 1 minutes to avoid needless memory waste
- Feature Support for rate limiting when no lag is present via
maxHostRateand/ormaxIpRateoptions - Tuning
minHostRequestsdefault dropped from50to30for faster reaction time,maxAgedropped from 10 minutes to 2 minutes to avoid wasted memory, andhistorySizedropped from500to300to avoid wasted memory
- Feature Support for disabling
badHostviaminHostRequests:falseand disablingbadIpviaminIpRequests:false
- Feature Support for disabling
badHostviaminHostRequests:falseand disablingbadIpviaminIpRequests:false
- Fix
172.*space added to localhost IP check to support docker
- Feature Mitigation strategy has shifted to use a lag range
(between
minLag&maxLag) which is used to determine at any given time how aggressive throttling should be. Throttling habits are now proportional to the lag/load, and throttling is prioritized based on the the worst offenders. This also removes the need forwaitForHistory,hostBadActorSplit, andipBadActorSplit.minBadActorThreshold&maxBadActorThresholdindicate the min/max range for the requests that will be blocked in proportion to the lag - Feature Shifting strategies to an LRU in combination with
minHostRequests&minIpRequestsallows us to much more quickly begin blocking bad traffic (5x improvement at startup with default config), in addition to progressive updates as statistics are calculated in real time and no longer lag behind the gianthistorySizewindow to detect shifts in traffic patterns - Feature With the addition of
exemptLocalAddresswe will no longer block (by default) or even track localhost requests, which is especially important for healthchecks not failing
- Change No longer export
ConnectQOSasdefault, export as itself
- Feature
hitRatiohas been replaced byhostBadActorSplitandipBadActorSplitso that we're throttling the top offenders regardless if they hit an arbitrary percentage of traffic - Feature Support for TypeScript has modern language features
- Feature Support for
waitForHistory(enabled by default) which preventsuserLagfrom being triggered prematurely before we have sufficient evidence/history - Feature Official pre-request bad actor support (such as TLS SNI)
- Fix Calling
isBadHostorisBadIpwill now update history. This will make for more accurate bad actor detection for scenarios that leverage pre-request tracking (such as TLS SNI) in cases that result in large volumes of pre-middlware rejections - Feature Support for
hostWhitelistandipWhitelistoptions if you want to prevent certains hosts or IP's from ever being blocked - Feature Full test suite (that should have been in 1.0!)
- Security Only support
x-forwarded-forheader ifbehindProxyset totrue.
- Fix
optionswas not being adhered to
- Feature Support for
getMiddleware({ beforeThrottle }) - Feature Support for
req.reasonfor throttling
- Fix getMiddleware was not referencing
thisinstance
- Fix Options were not defaulting
- Breaking
getMiddlewareis now part of the prototype so that instance functions are accessible
- Add support for errorStatusCode option and expose new methods isBadHost and isBadIp