2021-12-19 10:01:50 +00:00
|
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
# lint: pylint
|
|
|
|
# pyright: basic
|
|
|
|
"""Some bot protection / rate limitation
|
|
|
|
|
2022-05-10 20:45:59 +00:00
|
|
|
To monitor rate limits and protect privacy the IP addresses are getting stored
|
2022-03-25 09:23:15 +00:00
|
|
|
with a hash so the limiter plugin knows who to block. A redis database is
|
|
|
|
needed to store the hash values.
|
|
|
|
|
2021-12-19 10:01:50 +00:00
|
|
|
Enable the plugin in ``settings.yml``:
|
|
|
|
|
|
|
|
- ``server.limiter: true``
|
|
|
|
- ``redis.url: ...`` check the value, see :ref:`settings redis`
|
|
|
|
"""
|
|
|
|
|
|
|
|
import re
|
2023-04-19 16:59:23 +00:00
|
|
|
import string
|
|
|
|
import random
|
2021-12-19 10:01:50 +00:00
|
|
|
from flask import request
|
|
|
|
|
2022-11-11 20:58:32 +00:00
|
|
|
from searx import redisdb
|
2023-02-12 11:14:15 +00:00
|
|
|
from searx.plugins import logger
|
2023-04-19 15:20:03 +00:00
|
|
|
from searx.redislib import incr_sliding_window, secret_hash
|
2021-12-19 10:01:50 +00:00
|
|
|
|
|
|
|
name = "Request limiter"
|
|
|
|
description = "Limit the number of request"
|
|
|
|
default_on = False
|
|
|
|
preference_section = 'service'
|
2023-02-12 11:14:15 +00:00
|
|
|
logger = logger.getChild('limiter')
|
2021-12-19 10:01:50 +00:00
|
|
|
|
2023-04-01 10:34:58 +00:00
|
|
|
block_user_agent = re.compile(
|
2021-12-19 10:01:50 +00:00
|
|
|
r'('
|
2023-04-01 10:34:58 +00:00
|
|
|
+ r'unknown'
|
|
|
|
+ r'|[Cc][Uu][Rr][Ll]|[wW]get|Scrapy|splash|JavaFX|FeedFetcher|python-requests|Go-http-client|Java|Jakarta|okhttp'
|
2021-12-19 10:01:50 +00:00
|
|
|
+ r'|HttpClient|Jersey|Python|libwww-perl|Ruby|SynHttpClient|UniversalFeedParser|Googlebot|GoogleImageProxy'
|
|
|
|
+ r'|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot'
|
|
|
|
+ r'|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT|Sogou|Abonti|Pixray|Spinn3r|SemrushBot|Exabot'
|
|
|
|
+ r'|ZmEu|BLEXBot|bitlybot'
|
2023-04-13 14:33:53 +00:00
|
|
|
# unmaintained Farside instances
|
|
|
|
+ r'|'
|
|
|
|
+ re.escape(r'Mozilla/5.0 (compatible; Farside/0.1.0; +https://farside.link)')
|
2023-04-30 07:49:26 +00:00
|
|
|
+ '|.*PetalBot.*'
|
2021-12-19 10:01:50 +00:00
|
|
|
+ r')'
|
|
|
|
)
|
|
|
|
|
2023-04-19 15:20:03 +00:00
|
|
|
PING_KEY = 'SearXNG_limiter.ping'
|
|
|
|
TOKEN_KEY = 'SearXNG_limiter.token'
|
|
|
|
|
|
|
|
|
|
|
|
def ping():
|
|
|
|
redis_client = redisdb.client()
|
|
|
|
user_agent = request.headers.get('User-Agent', 'unknown')
|
|
|
|
x_forwarded_for = request.headers.get('X-Forwarded-For', '')
|
|
|
|
|
|
|
|
ping_key = PING_KEY + user_agent + x_forwarded_for
|
|
|
|
redis_client.set(secret_hash(ping_key), 1, ex=600)
|
|
|
|
|
2021-12-19 10:01:50 +00:00
|
|
|
|
2023-04-19 16:59:23 +00:00
|
|
|
def get_token():
|
|
|
|
redis_client = redisdb.client()
|
|
|
|
if not redis_client:
|
|
|
|
# This function is also called when limiter is inactive / no redis DB
|
|
|
|
# (see render function in webapp.py)
|
|
|
|
return '12345678'
|
|
|
|
token = redis_client.get(TOKEN_KEY)
|
|
|
|
if token:
|
|
|
|
token = token.decode('UTF-8')
|
|
|
|
else:
|
|
|
|
token = ''.join(random.choice(string.ascii_lowercase + string.digits) for _ in range(8))
|
|
|
|
redis_client.set(TOKEN_KEY, token, ex=600)
|
|
|
|
return token
|
|
|
|
|
|
|
|
|
|
|
|
def token_is_valid(token):
|
|
|
|
valid = token == get_token()
|
|
|
|
logger.debug("token is valid --> %s", valid)
|
|
|
|
return valid
|
|
|
|
|
|
|
|
|
2022-04-06 21:46:11 +00:00
|
|
|
def is_accepted_request() -> bool:
|
2021-12-19 10:01:50 +00:00
|
|
|
# pylint: disable=too-many-return-statements
|
2022-04-06 21:46:11 +00:00
|
|
|
redis_client = redisdb.client()
|
2023-04-01 10:34:58 +00:00
|
|
|
user_agent = request.headers.get('User-Agent', 'unknown')
|
2021-12-19 10:01:50 +00:00
|
|
|
x_forwarded_for = request.headers.get('X-Forwarded-For', '')
|
|
|
|
|
2023-04-03 17:36:28 +00:00
|
|
|
if request.path == '/healthz':
|
|
|
|
return True
|
|
|
|
|
2023-04-01 10:34:58 +00:00
|
|
|
if block_user_agent.match(user_agent):
|
|
|
|
logger.debug("BLOCK %s: %s --> detected User-Agent: %s" % (x_forwarded_for, request.path, user_agent))
|
2023-02-12 11:14:15 +00:00
|
|
|
return False
|
2021-12-19 10:01:50 +00:00
|
|
|
|
2022-02-17 19:27:02 +00:00
|
|
|
if request.path == '/search':
|
2023-04-01 10:34:58 +00:00
|
|
|
|
2023-04-19 15:20:03 +00:00
|
|
|
c_burst_max = 2
|
|
|
|
c_10min_max = 10
|
|
|
|
|
|
|
|
ping_key = PING_KEY + user_agent + x_forwarded_for
|
|
|
|
if redis_client.get(secret_hash(ping_key)):
|
|
|
|
logger.debug('got a ping')
|
|
|
|
c_burst_max = 15
|
|
|
|
c_10min_max = 150
|
|
|
|
else:
|
|
|
|
logger.debug('missing a ping')
|
|
|
|
|
2022-04-06 21:46:11 +00:00
|
|
|
c_burst = incr_sliding_window(redis_client, 'IP limit, burst' + x_forwarded_for, 20)
|
|
|
|
c_10min = incr_sliding_window(redis_client, 'IP limit, 10 minutes' + x_forwarded_for, 600)
|
2023-04-19 15:20:03 +00:00
|
|
|
if c_burst > c_burst_max or c_10min > c_10min_max:
|
2023-04-19 16:59:23 +00:00
|
|
|
logger.debug("BLOCK %s: too many request", x_forwarded_for)
|
2021-12-19 10:01:50 +00:00
|
|
|
return False
|
|
|
|
|
2022-02-17 19:27:02 +00:00
|
|
|
if len(request.headers.get('Accept-Language', '').strip()) == '':
|
2023-02-12 11:14:15 +00:00
|
|
|
logger.debug("BLOCK %s: missing Accept-Language", x_forwarded_for)
|
2021-12-19 10:01:50 +00:00
|
|
|
return False
|
|
|
|
|
|
|
|
if request.headers.get('Connection') == 'close':
|
2023-02-12 11:14:15 +00:00
|
|
|
logger.debug("BLOCK %s: got Connection=close", x_forwarded_for)
|
2021-12-19 10:01:50 +00:00
|
|
|
return False
|
|
|
|
|
|
|
|
accept_encoding_list = [l.strip() for l in request.headers.get('Accept-Encoding', '').split(',')]
|
2022-08-25 21:21:12 +00:00
|
|
|
if 'gzip' not in accept_encoding_list and 'deflate' not in accept_encoding_list:
|
2023-02-12 11:14:15 +00:00
|
|
|
logger.debug("BLOCK %s: suspicious Accept-Encoding", x_forwarded_for)
|
2021-12-19 10:01:50 +00:00
|
|
|
return False
|
|
|
|
|
|
|
|
if 'text/html' not in request.accept_mimetypes:
|
2023-02-12 11:14:15 +00:00
|
|
|
logger.debug("BLOCK %s: Accept-Encoding misses text/html", x_forwarded_for)
|
2021-12-19 10:01:50 +00:00
|
|
|
return False
|
|
|
|
|
|
|
|
if request.args.get('format', 'html') != 'html':
|
2022-04-06 21:46:11 +00:00
|
|
|
c = incr_sliding_window(redis_client, 'API limit' + x_forwarded_for, 3600)
|
2021-12-19 10:01:50 +00:00
|
|
|
if c > 4:
|
2023-02-12 11:14:15 +00:00
|
|
|
logger.debug("BLOCK %s: API limit exceeded", x_forwarded_for)
|
2021-12-19 10:01:50 +00:00
|
|
|
return False
|
2023-02-12 11:14:15 +00:00
|
|
|
|
|
|
|
logger.debug(
|
|
|
|
"OK %s: '%s'" % (x_forwarded_for, request.path)
|
|
|
|
+ " || form: %s" % request.form
|
|
|
|
+ " || Accept: %s" % request.headers.get('Accept', '')
|
|
|
|
+ " || Accept-Language: %s" % request.headers.get('Accept-Language', '')
|
|
|
|
+ " || Accept-Encoding: %s" % request.headers.get('Accept-Encoding', '')
|
|
|
|
+ " || Content-Type: %s" % request.headers.get('Content-Type', '')
|
|
|
|
+ " || Content-Length: %s" % request.headers.get('Content-Length', '')
|
|
|
|
+ " || Connection: %s" % request.headers.get('Connection', '')
|
|
|
|
+ " || User-Agent: %s" % user_agent
|
|
|
|
)
|
|
|
|
|
2021-12-19 10:01:50 +00:00
|
|
|
return True
|
|
|
|
|
|
|
|
|
2022-04-06 21:46:11 +00:00
|
|
|
def pre_request():
|
|
|
|
if not is_accepted_request():
|
2022-07-05 20:57:26 +00:00
|
|
|
return 'Too Many Requests', 429
|
2022-04-06 21:46:11 +00:00
|
|
|
return None
|
2021-12-19 10:01:50 +00:00
|
|
|
|
|
|
|
|
|
|
|
def init(app, settings):
|
|
|
|
if not settings['server']['limiter']:
|
|
|
|
return False
|
|
|
|
|
2022-07-15 16:38:32 +00:00
|
|
|
if not redisdb.client():
|
|
|
|
logger.error("The limiter requires Redis") # pylint: disable=undefined-variable
|
2021-12-19 10:01:50 +00:00
|
|
|
return False
|
|
|
|
|
2022-04-06 21:46:11 +00:00
|
|
|
app.before_request(pre_request)
|
2021-12-19 10:01:50 +00:00
|
|
|
return True
|