Commit 0b809f0

1 parent 91e15d4 commit 0b809f0

5 files changed

Lines changed: 289 additions & 109 deletions

fa/features/secrets/index.html

Lines changed: 72 additions & 27 deletions
@@ -1086,6 +1086,17 @@
10861086
</span>
10871087
</a>
10881088

1089+
</li>
1090+
1091+
<li class="md-nav__item">
1092+
<a href="#per-ip-rate-limiting" class="md-nav__link">
1093+
<span class="md-ellipsis">
1094+
1095+
Per-IP Rate Limiting
1096+
1097+
</span>
1098+
</a>
1099+
10891100
</li>
10901101

10911102
<li class="md-nav__item">
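Review bot: The sidebar label `Per-IP Rate Limiting` added at line 1095 is English text in a file under `fa/features/secrets/`. If `fa/` is a localized tree (an assumption from the path alone), either translate the heading in the source document or confirm that the English fallback is intended. The same entry is added again at line 1600, so both copies have to change together.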
@@ -1580,6 +1591,17 @@
15801591
</span>
15811592
</a>
15821593

1594+
</li>
1595+
1596+
<li class="md-nav__item">
1597+
<a href="#per-ip-rate-limiting" class="md-nav__link">
1598+
<span class="md-ellipsis">
1599+
1600+
Per-IP Rate Limiting
1601+
1602+
</span>
1603+
</a>
1604+
15831605
</li>
15841606

15851607
<li class="md-nav__item">
@@ -1728,16 +1750,37 @@ <h2 id="per-secret-quotas">Per-Secret Quotas<a class="headerlink" href="#per-sec
17281750
<li><strong>Stats:</strong> <code>secret_guest_quota 10737418240</code>, <code>secret_guest_bytes_total 5368709120</code>, <code>secret_guest_rejected_quota 3</code></li>
17291751
<li><strong>Prometheus:</strong> <code>teleproxy_secret_quota_bytes{secret="guest"} 10737418240</code>, <code>teleproxy_secret_bytes_total{secret="guest"} 5368709120</code></li>
17301752
</ul>
1731-
<h2 id="per-secret-unique-ip-limits">Per-Secret Unique IP Limits<a class="headerlink" href="#per-secret-unique-ip-limits" title="Permanent link">&para;</a></h2>
1732-
<p>Cap how many distinct client IPs can use a secret simultaneously. Additional connections from an already-connected IP are allowed.</p>
1753+
<h2 id="per-ip-rate-limiting">Per-IP Rate Limiting<a class="headerlink" href="#per-ip-rate-limiting" title="Permanent link">&para;</a></h2>
1754+
<p>Cap real-time throughput per source IP. Uses a token bucket algorithm — each IP gets a bucket that refills at the configured rate. When the bucket is empty, reads are paused until tokens refill. Unlike quota (which closes connections), rate limiting throttles via TCP backpressure — users see slower speeds, not dropped connections.</p>
17331755
<p>TOML config:</p>
17341756
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="k">[[secret]]</span>
17351757
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;cafe...ab&quot;</span>
1736-
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;guest&quot;</span>
1737-
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a><span class="n">max_ips</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">5</span>
1758+
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;shared&quot;</span>
1759+
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a><span class="n">rate_limit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;10M&quot;</span><span class="w"> </span><span class="c1"># 10 MB/s per IP (accepts: bytes/sec int, or &quot;500K&quot;, &quot;10M&quot;)</span>
17381760
</code></pre></div>
17391761
<p>Docker:</p>
1740-
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="nv">SECRET_MAX_IPS_1</span><span class="o">=</span><span class="m">5</span>
1762+
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="nv">SECRET_RATE_LIMIT_1</span><span class="o">=</span><span class="m">10485760</span><span class="w"> </span><span class="c1"># 10 MB/s in bytes/sec</span>
1763+
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="c1"># or human-readable:</span>
1764+
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="nv">SECRET_RATE_LIMIT_1</span><span class="o">=</span>10M
1765+
</code></pre></div>
1766+
<p>The rate limit is combined (received + sent) per source IP. Burst size is 1 second of tokens — a new connection can burst up to the rate limit before throttling kicks in.</p>
1767+
<p>Multi-worker note: with <code>-M N</code> workers, each enforces <code>rate_limit / N</code> independently.</p>
1768+
<p>Reloadable: changing <code>rate_limit</code> on SIGHUP takes effect immediately for new data.</p>
1769+
<p>Metrics:</p>
1770+
<ul>
1771+
<li><strong>Stats:</strong> <code>secret_shared_rate_limit 10485760</code>, <code>secret_shared_rate_limited 42</code></li>
1772+
<li><strong>Prometheus:</strong> <code>teleproxy_secret_rate_limit_bytes{secret="shared"} 10485760</code>, <code>teleproxy_secret_rate_limited_total{secret="shared"} 42</code></li>
1773+
</ul>
1774+
<h2 id="per-secret-unique-ip-limits">Per-Secret Unique IP Limits<a class="headerlink" href="#per-secret-unique-ip-limits" title="Permanent link">&para;</a></h2>
1775+
<p>Cap how many distinct client IPs can use a secret simultaneously. Additional connections from an already-connected IP are allowed.</p>
1776+
<p>TOML config:</p>
1777+
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="k">[[secret]]</span>
1778+
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;cafe...ab&quot;</span>
1779+
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;guest&quot;</span>
1780+
<a id="__codelineno-13-4" name="__codelineno-13-4" href="#__codelineno-13-4"></a><span class="n">max_ips</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">5</span>
1781+
</code></pre></div>
1782+
<p>Docker:</p>
1783+
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="nv">SECRET_MAX_IPS_1</span><span class="o">=</span><span class="m">5</span>
17411784
</code></pre></div>
17421785
<p>Metrics:</p>
17431786
<ul>
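Review bot: The multi-worker sentence at line 1767 leaves the effective per-IP cap undefined. If each of the `-M N` workers enforces `rate_limit / N` on its own bucket, an IP whose connections all land on one worker is held to a fraction of the configured rate, and the text does not say whether `secret_shared_rate_limit 10485760` reports the configured value or the per-worker share. State which figure operators should size against and whether the 1-second burst is also per worker. Separately, the TOML comment calls `"10M"` 10 MB/s while the Docker example equates it with `10485760`, so the suffixes are binary; say so (MiB/s, KiB/s) next to `rate_limit`. It would also help to define what the `rate_limited 42` counter counts (throttle events, connections, or IPs).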
@@ -1747,15 +1790,15 @@ <h2 id="per-secret-unique-ip-limits">Per-Secret Unique IP Limits<a class="header
17471790
<h2 id="secret-expiration">Secret Expiration<a class="headerlink" href="#secret-expiration" title="Permanent link">&para;</a></h2>
17481791
<p>Auto-disable a secret after a timestamp. New connections are rejected; existing connections continue until they close naturally.</p>
17491792
<p>TOML config:</p>
1750-
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="k">[[secret]]</span>
1751-
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;cafe...ab&quot;</span>
1752-
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;temp&quot;</span>
1753-
<a id="__codelineno-13-4" name="__codelineno-13-4" href="#__codelineno-13-4"></a><span class="n">expires</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ld">2025-06-30T23:59:59Z</span><span class="w"> </span><span class="c1"># TOML datetime (UTC)</span>
1754-
<a id="__codelineno-13-5" name="__codelineno-13-5" href="#__codelineno-13-5"></a><span class="c1"># or: expires = 1751327999 # Unix timestamp</span>
1793+
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="k">[[secret]]</span>
1794+
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;cafe...ab&quot;</span>
1795+
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;temp&quot;</span>
1796+
<a id="__codelineno-15-4" name="__codelineno-15-4" href="#__codelineno-15-4"></a><span class="n">expires</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ld">2025-06-30T23:59:59Z</span><span class="w"> </span><span class="c1"># TOML datetime (UTC)</span>
1797+
<a id="__codelineno-15-5" name="__codelineno-15-5" href="#__codelineno-15-5"></a><span class="c1"># or: expires = 1751327999 # Unix timestamp</span>
17551798
</code></pre></div>
17561799
<p>Docker:</p>
1757-
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="nv">SECRET_EXPIRES_1</span><span class="o">=</span><span class="m">2025</span>-06-30T23:59:59Z
1758-
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="c1"># or: SECRET_EXPIRES_1=1751327999</span>
1800+
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="nv">SECRET_EXPIRES_1</span><span class="o">=</span><span class="m">2025</span>-06-30T23:59:59Z
1801+
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="c1"># or: SECRET_EXPIRES_1=1751327999</span>
17591802
</code></pre></div>
17601803
<p>Metrics:</p>
17611804
<ul>
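Review bot: The `__codelineno-13-*` and `__codelineno-14-*` ids removed from the Secret Expiration blocks here are reused by the Unique IP Limits blocks at lines 1777 to 1783, so an existing deep link such as `#__codelineno-13-4` now resolves to the `max_ips` line instead of `expires`. These counter-based anchors shift whenever a code block is inserted above them. If anything links into this page, it should target the section ids (`#secret-expiration`), and it is worth asking whether this regenerated churn belongs in the commit at all.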
@@ -1764,21 +1807,23 @@ <h2 id="secret-expiration">Secret Expiration<a class="headerlink" href="#secret-
17641807
</ul>
17651808
<h2 id="toml-config-example">TOML Config Example<a class="headerlink" href="#toml-config-example" title="Permanent link">&para;</a></h2>
17661809
<p>All per-secret features combined:</p>
1767-
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="k">[[secret]]</span>
1768-
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;cafe01234567890abcafe01234567890a&quot;</span>
1769-
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;family&quot;</span>
1770-
<a id="__codelineno-15-4" name="__codelineno-15-4" href="#__codelineno-15-4"></a><span class="n">limit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">100</span>
1771-
<a id="__codelineno-15-5" name="__codelineno-15-5" href="#__codelineno-15-5"></a><span class="n">quota</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;50G&quot;</span>
1772-
<a id="__codelineno-15-6" name="__codelineno-15-6" href="#__codelineno-15-6"></a><span class="n">max_ips</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">10</span>
1773-
<a id="__codelineno-15-7" name="__codelineno-15-7" href="#__codelineno-15-7"></a><span class="n">expires</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ld">2026-12-31T23:59:59Z</span>
1774-
<a id="__codelineno-15-8" name="__codelineno-15-8" href="#__codelineno-15-8"></a>
1775-
<a id="__codelineno-15-9" name="__codelineno-15-9" href="#__codelineno-15-9"></a><span class="k">[[secret]]</span>
1776-
<a id="__codelineno-15-10" name="__codelineno-15-10" href="#__codelineno-15-10"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;dead01234567890abcead01234567890a&quot;</span>
1777-
<a id="__codelineno-15-11" name="__codelineno-15-11" href="#__codelineno-15-11"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;guest&quot;</span>
1778-
<a id="__codelineno-15-12" name="__codelineno-15-12" href="#__codelineno-15-12"></a><span class="n">limit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">50</span>
1779-
<a id="__codelineno-15-13" name="__codelineno-15-13" href="#__codelineno-15-13"></a><span class="n">quota</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;5G&quot;</span>
1780-
<a id="__codelineno-15-14" name="__codelineno-15-14" href="#__codelineno-15-14"></a><span class="n">max_ips</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">3</span>
1781-
<a id="__codelineno-15-15" name="__codelineno-15-15" href="#__codelineno-15-15"></a><span class="n">expires</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ld">2025-06-30T00:00:00Z</span>
1810+
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="k">[[secret]]</span>
1811+
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;cafe01234567890abcafe01234567890a&quot;</span>
1812+
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;family&quot;</span>
1813+
<a id="__codelineno-17-4" name="__codelineno-17-4" href="#__codelineno-17-4"></a><span class="n">limit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">100</span>
1814+
<a id="__codelineno-17-5" name="__codelineno-17-5" href="#__codelineno-17-5"></a><span class="n">quota</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;50G&quot;</span>
1815+
<a id="__codelineno-17-6" name="__codelineno-17-6" href="#__codelineno-17-6"></a><span class="n">rate_limit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;10M&quot;</span>
1816+
<a id="__codelineno-17-7" name="__codelineno-17-7" href="#__codelineno-17-7"></a><span class="n">max_ips</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">10</span>
1817+
<a id="__codelineno-17-8" name="__codelineno-17-8" href="#__codelineno-17-8"></a><span class="n">expires</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ld">2026-12-31T23:59:59Z</span>
1818+
<a id="__codelineno-17-9" name="__codelineno-17-9" href="#__codelineno-17-9"></a>
1819+
<a id="__codelineno-17-10" name="__codelineno-17-10" href="#__codelineno-17-10"></a><span class="k">[[secret]]</span>
1820+
<a id="__codelineno-17-11" name="__codelineno-17-11" href="#__codelineno-17-11"></a><span class="n">key</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;dead01234567890abcead01234567890a&quot;</span>
1821+
<a id="__codelineno-17-12" name="__codelineno-17-12" href="#__codelineno-17-12"></a><span class="n">label</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;guest&quot;</span>
1822+
<a id="__codelineno-17-13" name="__codelineno-17-13" href="#__codelineno-17-13"></a><span class="n">limit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">50</span>
1823+
<a id="__codelineno-17-14" name="__codelineno-17-14" href="#__codelineno-17-14"></a><span class="n">quota</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;5G&quot;</span>
1824+
<a id="__codelineno-17-15" name="__codelineno-17-15" href="#__codelineno-17-15"></a><span class="n">rate_limit</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2M&quot;</span>
1825+
<a id="__codelineno-17-16" name="__codelineno-17-16" href="#__codelineno-17-16"></a><span class="n">max_ips</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">3</span>
1826+
<a id="__codelineno-17-17" name="__codelineno-17-17" href="#__codelineno-17-17"></a><span class="n">expires</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ld">2025-06-30T00:00:00Z</span>
17821827
</code></pre></div>
17831828

17841829
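Review bot: Both sample `key` values carried over at lines 1811 and 1820 are 33 hex characters long (`cafe01234567890abcafe01234567890a`, `dead01234567890abcead01234567890a`), an odd count that cannot decode to whole bytes. Since these lines are rewritten in this hunk anyway, replace them with placeholders of the correct length or with the elided `cafe...ab` form used in the per-feature examples. The added `rate_limit = "10M"` and `rate_limit = "2M"` lines would also benefit from the unit comment that the standalone example carries.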
