New: release rate limit per role.

* Add ratelimit configuration.
* Add rate limiting :party:

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+github: [ lukaszraczylo ]
+custom: [ monzo.me/lukaszraczylo ]

.github/workflows/test.yaml

@@ -4,14 +4,17 @@ on:
   workflow_dispatch:
   push:
     paths-ignore:
-    - '**.md'
+    - '**/**.md'
+    - '**/**.yaml'
+    - 'static/**'
     branches:
-      - "*"
+    - 'main'
 
 jobs:
   shared:
     uses: telegram-bot-app/ci-scripts/.github/workflows/build-test-publish-inject.yaml@main
     with:
       enable-code-scans: false
+      should-deploy: false
     secrets:
       ghcr-token: ${{ secrets.GHCR_TOKEN }}

Dockerfile

@@ -4,5 +4,6 @@ WORKDIR /go/src/app
 ARG TARGETARCH
 ARG TARGETOS
 ADD dist/bot-$TARGETOS-$TARGETARCH /go/src/app/graphql-proxy
+ADD static/default-ratelimit.json /app/ratelimit.json
 RUN chmod +x /go/src/app/graphql-proxy
 ENTRYPOINT ["/go/src/app/graphql-proxy"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Lukasz Raczylo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -11,7 +11,7 @@ help:  ## display this help
 
 .PHONY: run
 run: ## run application
-	@LOG_LEVEL=debug JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/v1/graphql go run *.go
+	@LOG_LEVEL=warn BLOCK_SCHEMA_INTROSPECTION=false JWT_ROLE_RATE_LIMIT=false JWT_ROLE_CLAIM_PATH="Hasura.x-hasura-default-role" JWT_USER_CLAIM_PATH="Hasura.x-hasura-user-id" HOST_GRAPHQL=https://hasura8.lan/v1/graphql go run *.go
 
 .PHONY: build
 build: ## build the binary

README.md

@@ -2,21 +2,101 @@
 
 Creates a passthrough proxy to a graphql endpoint(s), allowing you for analysis of the queries and responses, producing the prometheus metrics at a fraction of the cost - because as we know - $0 is a fair price.
 
+This project is in active use by [telegram-bot.app](https://telegram-bot.app), and was tested with 30k queries per second on a single instance, consuming 10mb of RAM and 0.1% CPU.
+
+![Example of monitoring dashboard](static/monitoring-at-glance.png?raw=true)
+
+You can find the example of the kubernetes manifest in the [example deployment](static/kubernetes-deployment.yaml) file.
+
+### Why this project exists
+
+I wanted to monitor the queries and responses of our graphql endpoint, but we didn't want to pay the price of the graphql server itself ( and I will not point fingers and certain well-known project), as monitoring and basic security features should be a common, free functionality.
+
 ### Endpoints
 
-/v1/graphql - the graphql endpoint
-/metrics - the prometheus metrics endpoint
-/healthz - the healthcheck endpoint
+* `:8080/v1/graphql` - the graphql endpoint
+* `:9393/metrics` - the prometheus metrics endpoint
+* `:8080/healthz` - the healthcheck endpoint
+
+### Features
+
+* MONITORING: Prometheus / VictoriaMetrics metrics
+* MONITORING: Extracting user id from JWT token and adding it as a label to the metrics
+* MONITORING: Extracting the query name and type and adding it as a label to the metrics
+* MONITORING: Calculating the query duration and adding it to the metrics
+* SPEED: Caching the queries
+* SECURITY: Blocking schema introspection
+* SECURITY: Rate limiting queries based on user role
 
 ### Configuration
 
-`MONITORING_PORT` - the port to expose the metrics endpoint on (default: 9393)
-`PORT_GRAPHQL` - the port to expose the graphql endpoint on (default: 8080)
-`HOST_GRAPHQL` - the host to proxy the graphql endpoint to (default: `localhost/v1/graphql`)
+* `MONITORING_PORT` - the port to expose the metrics endpoint on (default: 9393)
+* `PORT_GRAPHQL` - the port to expose the graphql endpoint on (default: 8080)
+* `HOST_GRAPHQL` - the host to proxy the graphql endpoint to (default: `http://localhost/v1/graphql`)
+* `JWT_USER_CLAIM_PATH` - the path to the user claim in the JWT token (default: ``)
+* `JWT_ROLE_CLAIM_PATH` - the path to the role claim in the JWT token (default: ``)
+* `JWT_ROLE_RATE_LIMITING` - enable request rate limiting based on the role (default: `false`)
+* `ENABLE_GLOBAL_CACHE` - enable the cache (default: `false`)
+* `CACHE_TTL` - the cache TTL (default: `60s`)
+* `LOG_LEVEL` - the log level (default: `info`)
+* `BLOCK_SCHEMA_INTROSPECTION` - blocks the schema introspection (default: `false`)
+* `ENABLE_ACCESS_LOG` - enable the access log (default: `false`)
 
-`JWT_USER_CLAIM_PATH` - the path to the user claim in the JWT token (default: ``)
+### Caching
 
-`ENABLE_CACHE` - enable the cache (default: `false`)
-`CACHE_TTL` - the cache TTL (default: `60s`)
+Cache engine is enabled in background as it does not use any additional resources.
+You can then start using the cache by setting the `ENABLE_GLOBAL_CACHE` environment variable to `true` - which will enable the cache for all queries, without introspection of the query. You can leave the global cache disabled and enable the cache for specific queries by adding the `@cache` directive to the query.
 
-`LOG_LEVEL` - the log level (default: `info`)
+### Role based rate limiting
+
+You are able to rate limit requests using the `JWT_ROLE_RATE_LIMITING` environment variable. If enabled, the proxy will rate limit the requests based on the role claim in the JWT token. You can then provide the json file in following format to specify the limits.
+Default interval is `second`, but you can use other values as well. If you want to disable the rate limiting for specific role, you can set the `req` to `0`.
+
+Available values:
+`nano`, `micro`, `milli`, `second`, `minute`, `hour`, `day`
+
+To define path in JWT token where current user role is present use the `JWT_ROLE_CLAIM_PATH` environment variable.
+
+*Default / sample configuration:*
+
+```json
+{
+  "ratelimit": {
+      "admin": {
+          "req": 100,
+          "interval": "second"
+      },
+      "guest": {
+          "req": 50,
+          "interval": "minute"
+      },
+      "-": {
+          "req": 100,
+          "interval": "day"
+      }
+  }
+}
+```
+
+If you'd like to change it - mount your configmap as `/app/ratelimit.json` file.
+Remember to include the `-` role, which is used for unauthenticated users or when claim can't be found for any reason.
+If rate limit has been reached - the proxy will return `429 Too Many Requests` error.
+
+### Monitoring endpoint
+
+Example metrics produced by the proxy:
+
+```
+graphql_proxy_timed_query_bucket{cached="false",user_id="-",op_type="mutation",op_name="updateUserDetails",vmrange="1.000e-02...1.136e-02"} 6
+graphql_proxy_timed_query_count{op_name="",cached="false",user_id="-",op_type=""} 78
+graphql_proxy_timed_query_bucket{op_name="MyQuery",cached="false",user_id="-",op_type="query",vmrange="5.995e+00...6.813e+00"} 1
+graphql_proxy_timed_query_sum{op_name="MyQuery",cached="false",user_id="-",op_type="query"} 6
+graphql_proxy_timed_query_count{op_name="MyQuery",cached="false",user_id="-",op_type="query"} 1
+graphql_proxy_executed_query{user_id="-",op_type="mutation",op_name="updateKnownSpammer",cached="false"} 1486
+graphql_proxy_executed_query{user_id="-",op_type="query",op_name="checkIfAdminsNeedRefreshing",cached="false"} 13167
+graphql_proxy_executed_query{user_id="1337",op_type="query",op_name="checkIfKnownMedia",cached="false"} 429
+graphql_proxy_executed_query{user_id="-",op_type="query",op_name="checkIfSpamAIRequiresUpdate",cached="false"} 8891
+graphql_proxy_requests_failed 324
+graphql_proxy_requests_skipped 0
+graphql_proxy_requests_succesful 454823
+```

details.go

@@ -8,7 +8,7 @@ import (
 	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
 )
 
-func extractClaimsFromJWTHeader(authorization string) (usr string) {
+func extractClaimsFromJWTHeader(authorization string) (usr string, role string) {
 	tokenParts := strings.Split(authorization, ".")
 	if len(tokenParts) != 3 {
 		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
@@ -28,11 +28,26 @@ func extractClaimsFromJWTHeader(authorization string) (usr string) {
 		cfg.Logger.Error("Can't unmarshal the claim", map[string]interface{}{"token": authorization})
 		return
 	}
-	usr, ok := ask.For(claimMap, cfg.Client.JWTUserClaimPath).String("-")
-	if !ok {
-		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-		cfg.Logger.Error("Can't find the user id", map[string]interface{}{"claim_map": claimMap, "path": cfg.Client.JWTUserClaimPath})
-		return
+
+	if len(cfg.Client.JWTUserClaimPath) > 0 {
+		var ok bool
+		usr, ok = ask.For(claimMap, cfg.Client.JWTUserClaimPath).String("-")
+		if !ok {
+			cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+			cfg.Logger.Error("Can't find the user id", map[string]interface{}{"claim_map": claimMap, "path": cfg.Client.JWTUserClaimPath})
+			return
+		}
 	}
-	return usr
+
+	if len(cfg.Client.JWTRoleClaimPath) > 0 {
+		var ok bool
+		role, ok = ask.For(claimMap, cfg.Client.JWTRoleClaimPath).String("-")
+		if !ok {
+			cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+			cfg.Logger.Error("Can't find the role", map[string]interface{}{"claim_map": claimMap, "path": cfg.Client.JWTRoleClaimPath})
+			return
+		}
+	}
+
+	return
 }

go.mod

@@ -9,8 +9,9 @@ require (
 	github.com/graphql-go/graphql v0.8.1
 	github.com/json-iterator/go v1.1.12
 	github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415
+	github.com/lukaszraczylo/go-ratecounter v0.1.8
 	github.com/lukaszraczylo/go-simple-graphql v1.1.31
-	github.com/telegram-bot-app/libpack v0.0.0-20231007021518-909ce2741a36
+	github.com/telegram-bot-app/libpack v0.0.0-20231008100411-9f7f8bf94315
 )
 
 require (

go.sum

@@ -32,6 +32,8 @@ github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJw
 github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
 github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415 h1:lvI8Wlbg4PxkRcg2f10wgoaRpfN19v+YdRek3+dLtlM=
 github.com/lukaszraczylo/ask v0.0.0-20230927103145-2ff1123b4415/go.mod h1:M+UVdyqZs++xtEPrascaVmZdOMhCnxjZ2SgH+xHpR0c=
+github.com/lukaszraczylo/go-ratecounter v0.1.8 h1:ZYm6Wkn58ZAlFWRmC7PaD4oAYHWcu8/0MUDWGe3PnJQ=
+github.com/lukaszraczylo/go-ratecounter v0.1.8/go.mod h1:TqXEOCtFJStk1i0tkipprv1kiDHGon1MVUisjSTBSKM=
 github.com/lukaszraczylo/go-simple-graphql v1.1.31 h1:UA3f8M1cV+XnO8UZlAqveW0qF/2NN512eB/gRqe+BHs=
 github.com/lukaszraczylo/go-simple-graphql v1.1.31/go.mod h1:MyftQ8jTdtkYImPXJpHoxz6+E53Ydv+7q9+Jr+eT8WU=
 github.com/lukaszraczylo/pandati v0.0.29 h1:WUEWm1+hWjE5KJbIL8OctG00x2dk4XKGJSlrjhxZ55k=
@@ -63,8 +65,8 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/telegram-bot-app/lib-logging v0.0.19 h1:zbyFr2ygeBY+yuaB9moXyOGk8dIBCn0jPJQjvx7YvLE=
 github.com/telegram-bot-app/lib-logging v0.0.19/go.mod h1:n8d29fRUTdgJhC4RZ8s4lP2RHiGCCRYEj2ENEClUGc8=
-github.com/telegram-bot-app/libpack v0.0.0-20231007021518-909ce2741a36 h1:DqXg0y57Q7BziHDu85OXgo/b8OlP7/+gDZvASQCkaW0=
-github.com/telegram-bot-app/libpack v0.0.0-20231007021518-909ce2741a36/go.mod h1:W2kWHcfNNS0r++dJ1T2XX/C4cTSxI3MsoiMbOtyqu+I=
+github.com/telegram-bot-app/libpack v0.0.0-20231008100411-9f7f8bf94315 h1:gf+3gFgtdh48RQNmLNdK1IcGqpuTuj6RAdHxDMd/YPY=
+github.com/telegram-bot-app/libpack v0.0.0-20231008100411-9f7f8bf94315/go.mod h1:W2kWHcfNNS0r++dJ1T2XX/C4cTSxI3MsoiMbOtyqu+I=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.50.0 h1:H7fweIlBm0rXLs2q0XbalvJ6r0CUPFWK3/bB4N13e9M=

graphql.go

@@ -7,7 +7,33 @@ import (
 	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
 )
 
-func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cacheRequest bool) {
+var retrospection_queries = []string{
+	"__schema",
+	"__type",
+	"__typename",
+	"__directive",
+	"__directivelocation",
+	"__field",
+	"__inputvalue",
+	"__enumvalue",
+	"__typekind",
+	"__fieldtype",
+	"__inputobjecttype",
+	"__enumtype",
+	"__uniontype",
+	"__scalars",
+	"__objects",
+	"__interfaces",
+	"__unions",
+	"__enums",
+	"__inputobjects",
+	"__directives",
+}
+
+// Saving the introspection queries as a map O(1) operation instead of O(n) for a slice.
+var retrospectionQuerySet = make(map[string]struct{}, len(retrospection_queries))
+
+func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cacheRequest bool, should_block bool) {
 	m := make(map[string]interface{})
 	err := json.Unmarshal(c.Body(), &m)
 	if err != nil {
@@ -44,7 +70,21 @@ func parseGraphQLQuery(c *fiber.Ctx) (operationType, operationName string, cache
 					cacheRequest = true
 				}
 			}
+			if cfg.Security.BlockIntrospection {
+				for _, s := range oper.SelectionSet.Selections {
+					for _, s2 := range s.GetSelectionSet().Selections {
+						if _, exists := retrospectionQuerySet[s2.(*ast.Field).Name.Value]; exists {
+							cfg.Logger.Warning("Introspection query blocked", m)
+							cfg.Monitoring.Increment(libpack_monitoring.MetricsSkipped, nil)
+							c.Status(403).SendString("Introspection queries are not allowed")
+							should_block = true
+							return
+						}
+					}
+				}
+			}
 		}
 	}
+
 	return
 }

main.go

@@ -9,20 +9,31 @@ import (
 
 var cfg *config
 
+func init() {
+	for _, query := range retrospection_queries {
+		retrospectionQuerySet[query] = struct{}{}
+	}
+}
+
 func parseConfig() {
 	libpack_config.PKG_NAME = "graphql_proxy"
 	var c config
 	c.Server.PortGraphQL = envutil.GetInt("PORT_GRAPHQL", 8080)
 	c.Server.PortMonitoring = envutil.GetInt("MONITORING_PORT", 9393)
-	c.Server.HostGraphQL = envutil.Getenv("HOST_GRAPHQL", "localhost/v1/graphql")
+	c.Server.HostGraphQL = envutil.Getenv("HOST_GRAPHQL", "http://localhost/v1/graphql")
 	c.Client.JWTUserClaimPath = envutil.Getenv("JWT_USER_CLAIM_PATH", "")
-	c.Cache.CacheEnable = envutil.GetBool("CACHE_ENABLE", false)
+	c.Client.JWTRoleClaimPath = envutil.Getenv("JWT_ROLE_CLAIM_PATH", "")
+	c.Client.JWTRoleRateLimit = envutil.GetBool("JWT_ROLE_RATE_LIMIT", false)
+	c.Cache.CacheEnable = envutil.GetBool("ENABLE_GLOBAL_CACHE", false)
 	c.Cache.CacheTTL = envutil.GetInt("CACHE_TTL", 60)
+	c.Security.BlockIntrospection = envutil.GetBool("BLOCK_SCHEMA_INTROSPECTION", false)
 	c.Logger = libpack_logging.NewLogger()
 	c.Client.GQLClient = graphql.NewConnection()
 	c.Client.GQLClient.SetEndpoint(c.Server.HostGraphQL)
+	c.Server.AccessLog = envutil.GetBool("ENABLE_ACCESS_LOG", false)
 	cfg = &c
 	enableCache() // takes close to no resources, but can be used with dynamic query cache
+	loadRatelimitConfig()
 }
 
 func main() {

ratelimit.go

@@ -0,0 +1,84 @@
+package main
+
+import (
+	"os"
+	"time"
+
+	goratecounter "github.com/lukaszraczylo/go-ratecounter"
+)
+
+type RateLimitConfig struct {
+	Req               int    `json:"req"`
+	Interval          string `json:"interval"`
+	RateCounterTicker *goratecounter.RateCounter
+}
+
+var rateLimits map[string]RateLimitConfig
+var ratelimit_intervals = map[string]time.Duration{
+	"milli":  time.Millisecond,
+	"micro":  time.Microsecond,
+	"nano":   time.Nanosecond,
+	"second": time.Second,
+	"minute": time.Minute,
+	"hour":   time.Hour,
+	"day":    time.Hour * 24,
+}
+
+func loadRatelimitConfig() error {
+	paths := [3]string{"/app/ratelimit.json", "./ratelimit.json", "./static/default-ratelimit.json"}
+	for _, path := range paths {
+		file, err := os.Open(path)
+		if err != nil {
+			continue
+		}
+		defer file.Close()
+		decoder := json.NewDecoder(file)
+		config := struct {
+			RateLimit map[string]RateLimitConfig `json:"ratelimit"`
+		}{}
+		err = decoder.Decode(&config)
+		if err != nil {
+			return err
+		}
+
+		for key, value := range config.RateLimit {
+			value.RateCounterTicker = goratecounter.NewRateCounter().WithConfig(goratecounter.RateCounterConfig{
+				Interval: time.Duration(value.Req) * ratelimit_intervals[value.Interval],
+			})
+			cfg.Logger.Debug("Setting ratelimit config for role", map[string]interface{}{"role": key, "interval_provided": value.Interval, "interval_used": ratelimit_intervals[value.Interval], "ratelimit": value.Req})
+			config.RateLimit[key] = value
+		}
+
+		rateLimits = config.RateLimit
+		cfg.Logger.Debug("Rate limit config loaded", map[string]interface{}{"ratelimit": rateLimits})
+		return nil
+	}
+	cfg.Logger.Debug("Rate limit config not found")
+	return os.ErrNotExist
+}
+
+func rateLimitedRequest(userId string, userRole string) (shouldAllow bool) {
+	if rateLimits == nil {
+		cfg.Logger.Debug("Rate limit config not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+	// check if userRole is in rateLimits
+	if _, ok := rateLimits[userRole]; !ok {
+		cfg.Logger.Warning("Rate limit role not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	if rateLimits[userRole].RateCounterTicker == nil {
+		cfg.Logger.Warning("Rate limit ticker not found", map[string]interface{}{"user_role": userRole})
+		return true
+	}
+
+	rateLimits[userRole].RateCounterTicker.Incr(1)
+	ticker_rate := rateLimits[userRole].RateCounterTicker.GetRate()
+	cfg.Logger.Debug("Rate limit ticker", map[string]interface{}{"user_role": userRole, "user_id": userId, "rate": ticker_rate, "config_rate": rateLimits[userRole].Req, "interval": rateLimits[userRole].Interval, "interval_duration": rateLimits[userRole].Interval})
+	if ticker_rate > float64(rateLimits[userRole].Req) {
+		cfg.Logger.Debug("Rate limit exceeded", map[string]interface{}{"user_role": userRole, "user_id": userId, "rate": ticker_rate, "config_rate": rateLimits[userRole].Req, "interval": rateLimits[userRole].Interval, "interval_duration": rateLimits[userRole].Interval})
+		return false
+	}
+	return true
+}

semver.yaml

@@ -2,6 +2,7 @@ version: 1
 force:
   existing: true
   strict: false
+  minor: 1
 wording:
   patch:
     - update
@@ -10,5 +11,6 @@ wording:
   minor:
     - change
     - improve
+    - release
   major:
     - breaking

server.go

@@ -6,6 +6,7 @@ import (
 
 	fiber "github.com/gofiber/fiber/v2"
 	"github.com/gofiber/fiber/v2/middleware/cors"
+
 	jsoniter "github.com/json-iterator/go"
 	libpack_monitoring "github.com/telegram-bot-app/libpack/monitoring"
 )
@@ -30,13 +31,13 @@ func StartHTTPProxy() {
 }
 
 func healthCheck(c *fiber.Ctx) error {
-	query := `{ __typename }`
-	_, err := cfg.Client.GQLClient.Query(query, nil, nil)
-	if err != nil {
-		cfg.Logger.Error("Can't reach the GraphQL server", map[string]interface{}{"error": err.Error()})
-		cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
-		return c.SendStatus(500)
-	}
+	// query := `{ __typename }`
+	// _, err := cfg.Client.GQLClient.Query(query, nil, nil)
+	// if err != nil {
+	// 	cfg.Logger.Error("Can't reach the GraphQL server", map[string]interface{}{"error": err.Error()})
+	// 	cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, nil)
+	// 	return c.SendStatus(500)
+	// }
 	return c.SendStatus(200)
 }
 
@@ -44,13 +45,27 @@ func processGraphQLRequest(c *fiber.Ctx) error {
 	t := time.Now()
 
 	var extracted_user_id string = "-"
-	var query_cache_hash string = ""
+	var extracted_role_name string = "-"
+	var query_cache_hash string
 
 	authorization := c.Request().Header.Peek("Authorization")
-	if authorization != nil && len(cfg.Client.JWTUserClaimPath) > 0 {
-		extracted_user_id = extractClaimsFromJWTHeader(string(authorization))
+	if authorization != nil && (len(cfg.Client.JWTUserClaimPath) > 0 || len(cfg.Client.JWTRoleClaimPath) > 0) {
+		extracted_user_id, extracted_role_name = extractClaimsFromJWTHeader(string(authorization))
+	}
+
+	if cfg.Client.JWTRoleRateLimit {
+		cfg.Logger.Debug("Rate limiting enabled", map[string]interface{}{"user_id": extracted_user_id, "role_name": extracted_role_name})
+		if !rateLimitedRequest(extracted_user_id, extracted_role_name) {
+			c.Status(429).SendString("Rate limit exceeded, try again later")
+			return nil
+		}
+	}
+
+	opType, opName, cache_from_query, should_block := parseGraphQLQuery(c)
+
+	if should_block {
+		return nil
 	}
-	opType, opName, cache_from_query := parseGraphQLQuery(c)
 
 	was_cached := false
 
@@ -73,7 +88,9 @@ func processGraphQLRequest(c *fiber.Ctx) error {
 	}
 	time_taken := time.Since(t)
 
-	cfg.Logger.Info("Request processed", map[string]interface{}{"ip": c.IP(), "user_id": extracted_user_id, "op_type": opType, "op_name": opName, "time": time_taken, "cache": was_cached})
+	if cfg.Server.AccessLog {
+		cfg.Logger.Info("Request processed", map[string]interface{}{"ip": c.IP(), "user_id": extracted_user_id, "op_type": opType, "op_name": opName, "time": time_taken, "cache": was_cached})
+	}
 	cfg.Monitoring.Increment(libpack_monitoring.MetricsSucceeded, nil)
 
 	labels := map[string]string{

static/default-ratelimit.json

@@ -0,0 +1,16 @@
+{
+  "ratelimit": {
+      "admin": {
+          "req": 100,
+          "interval": "second"
+      },
+      "guest": {
+          "req": 3,
+          "interval": "second"
+      },
+      "-": {
+          "req": 100,
+          "interval": "hour"
+      }
+  }
+}

static/kubernetes-deployment.yaml

@@ -0,0 +1,92 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hasura-proxy-internal
+  labels:
+    app: hasura-proxy-internal
+    type: support
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: hasura-proxy-internal
+      type: support
+  template:
+    metadata:
+      labels:
+        app: hasura-proxy-internal
+        type: support
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9393"
+        prometheus.io/path: "/metrics"
+    spec:
+      securityContext:
+        runAsUser: 65534 # nobody
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/worker
+                operator: Exists
+      containers:
+      - name: graphql-proxy
+        image: ghcr.io/lukaszraczylo/graphql-monitoring-proxy:latest
+        imagePullPolicy: Always
+        resources:
+          limits:
+            cpu: "1"
+            memory: "640Mi"
+          requests:
+            cpu: "0.75"
+            memory: "512Mi"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+        ports:
+          - name: web
+            containerPort: 8080
+          - name: monitoring
+            containerPort: 9393
+        env:
+          - name: PORT_GRAPHQL
+            value: "8080"
+          - name: MONITORING_PORT
+            value: "9393"
+          - name: HOST_GRAPHQL
+            value: http://hasura-internal:8080/v1/graphql
+          - name: ENABLE_GLOBAL_CACHE
+            value: "true"
+          - name: CACHE_TTL
+            value: "10"
+          - name: BLOCK_SCHEMA_INTROSPECTION
+            value: "true"
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hasura-proxy-internal
+  labels:
+    app: hasura-proxy-internal
+    type: support
+  annotations:
+    prometheus.io/scrape: "true"
+    prometheus.io/port: "9393"
+    prometheus.io/path: "/metrics"
+spec:
+  ports:
+  - name: web
+    port: 8080
+    targetPort: 8080
+  - name: monitoring
+    port: 9393
+    targetPort: 9393
+  selector:
+    app: hasura-proxy-internal
+    type: support
+  type: ClusterIP

struct_config.go

@@ -17,10 +17,13 @@ type config struct {
 		PortGraphQL    int
 		PortMonitoring int
 		HostGraphQL    string
+		AccessLog      bool
 	}
 
 	Client struct {
 		JWTUserClaimPath string
+		JWTRoleClaimPath string
+		JWTRoleRateLimit bool
 		GQLClient        *graphql.BaseClient
 	}
 
@@ -29,4 +32,8 @@ type config struct {
 		CacheTTL    int
 		CacheClient *cache.Cache
 	}
+
+	Security struct {
+		BlockIntrospection bool
+	}
 }