prosody: enable rate limits (#1536)

docker-compose.yml

@@ -227,6 +227,12 @@ services:
             - MAX_PARTICIPANTS
             - PROSODY_RESERVATION_ENABLED
             - PROSODY_RESERVATION_REST_BASE_URL
+            - PROSODY_ENABLE_RATE_LIMITS
+            - PROSODY_RATE_LIMIT_LOGIN_RATE
+            - PROSODY_RATE_LIMIT_SESSION_RATE
+            - PROSODY_RATE_LIMIT_TIMEOUT
+            - PROSODY_RATE_LIMIT_ALLOW_RANGES
+            - PROSODY_RATE_LIMIT_CACHE_SIZE
             - PUBLIC_URL
             - TURN_CREDENTIALS
             - TURN_HOST

prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

@@ -18,6 +18,7 @@
 {{ $ENABLE_END_CONFERENCE := .Env.ENABLE_END_CONFERENCE | default "true" | toBool }}
 {{ $ENABLE_XMPP_WEBSOCKET := .Env.ENABLE_XMPP_WEBSOCKET | default "1" | toBool }}
 {{ $ENABLE_JAAS_COMPONENTS := .Env.ENABLE_JAAS_COMPONENTS | default "0" | toBool }}
+{{ $ENABLE_RATE_LIMITS := .Env.PROSODY_ENABLE_RATE_LIMITS | default "0" | toBool }}
 {{ $PUBLIC_URL := .Env.PUBLIC_URL | default "https://localhost:8443" -}}
 {{ $PUBLIC_URL_DOMAIN := $PUBLIC_URL | trimPrefix "https://" | trimSuffix "/" -}}
 {{ $TURN_PORT := .Env.TURN_PORT | default "443" }}
@@ -31,10 +32,17 @@
 {{ $XMPP_MUC_DOMAIN := .Env.XMPP_MUC_DOMAIN | default "muc.meet.jitsi" -}}
 {{ $XMPP_MUC_DOMAIN_PREFIX := (split "." $XMPP_MUC_DOMAIN)._0 }}
 {{ $XMPP_RECORDER_DOMAIN := .Env.XMPP_RECORDER_DOMAIN | default "recorder.meet.jitsi" -}}
+{{ $JIBRI_RECORDER_USER := .Env.JIBRI_RECORDER_USER | default "recorder" -}}
+{{ $JIGASI_TRANSCRIBER_USER := .Env.JIGASI_TRANSCRIBER_USER | default "transcriber" -}}
 {{ $DISABLE_POLLS := .Env.DISABLE_POLLS | default "false" | toBool -}}
 {{ $ENABLE_SUBDOMAINS := .Env.ENABLE_SUBDOMAINS | default "true" | toBool -}}
 {{ $PROSODY_RESERVATION_ENABLED := .Env.PROSODY_RESERVATION_ENABLED | default "false" | toBool }}
 {{ $PROSODY_RESERVATION_REST_BASE_URL := .Env.PROSODY_RESERVATION_REST_BASE_URL | default "" }}
+{{ $RATE_LIMIT_LOGIN_RATE := .Env.PROSODY_RATE_LIMIT_LOGIN_RATE | default "3" }}
+{{ $RATE_LIMIT_SESSION_RATE := .Env.PROSODY_RATE_LIMIT_SESSION_RATE | default "200" }}
+{{ $RATE_LIMIT_TIMEOUT := .Env.PROSODY_RATE_LIMIT_TIMEOUT | default "60" }}
+{{ $RATE_LIMIT_ALLOW_RANGES := (splitList "," .Env.PROSODY_RATE_LIMIT_ALLOW_RANGES) | default ["10.0.0.0/8"] }}
+{{ $RATE_LIMIT_CACHE_SIZE := .Env.PROSODY_RATE_LIMIT_CACHE_SIZE | default "10000" }}
 {{ $ENV := .Env -}}
 
 admins = {
@@ -268,10 +276,39 @@ Component "{{ $XMPP_MUC_DOMAIN }}" "muc"
         {{ if $ENABLE_SUBDOMAINS -}}
         "muc_domain_mapper";
         {{ end -}}
+        {{ if $ENABLE_RATE_LIMITS -}}
+        "muc_rate_limit";
+        "rate_limit";
+        {{ end -}}
         {{ if .Env.MAX_PARTICIPANTS }}
         "muc_max_occupants";
         {{ end }}
     }
+
+    {{ if $ENABLE_RATE_LIMITS -}}
+    -- Max allowed join/login rate in events per second.
+	rate_limit_login_rate = {{ $RATE_LIMIT_LOGIN_RATE }};
+	-- The rate to which sessions from IPs exceeding the join rate will be limited, in bytes per second.
+	rate_limit_session_rate = {{ $RATE_LIMIT_SESSION_RATE }};
+	-- The time in seconds, after which the limit for an IP address is lifted.
+	rate_limit_timeout = {{ $RATE_LIMIT_TIMEOUT }};
+	-- List of regular expressions for IP addresses that are not limited by this module.
+	rate_limit_whitelist = {
+      "127.0.0.1";
+      {{ range $index, $cidr := $RATE_LIMIT_ALLOW_RANGES -}}
+      "{{ $cidr }}";
+      {{ end -}}
+    };
+
+    rate_limit_whitelist_jids = {
+        "{{ $JIBRI_RECORDER_USER }}@{{ $XMPP_RECORDER_DOMAIN }}",
+        "{{ $JIGASI_TRANSCRIBER_USER }}@{{ $XMPP_RECORDER_DOMAIN }}"    
+    }
+    {{ end -}}
+
+	-- The size of the cache that saves state for IP addresses
+	rate_limit_cache_size = {{ $RATE_LIMIT_CACHE_SIZE }};
+
     muc_room_cache_size = 1000
     muc_room_locking = false
     muc_room_default_public_jids = true
@@ -308,7 +345,13 @@ Component "lobby.{{ $XMPP_DOMAIN }}" "muc"
     restrict_room_creation = true
     muc_room_locking = false
     muc_room_default_public_jids = true
-{{ end }}
+    modules_enabled = {
+        {{ if $ENABLE_RATE_LIMITS -}}
+        "muc_rate_limit";
+        {{ end -}}
+    }
+
+    {{ end }}
 
 {{ if $ENABLE_BREAKOUT_ROOMS }}
 Component "breakout.{{ $XMPP_DOMAIN }}" "muc"
@@ -324,6 +367,9 @@ Component "breakout.{{ $XMPP_DOMAIN }}" "muc"
         {{ if not $DISABLE_POLLS -}}
         "polls";
         {{ end -}}
+        {{ if $ENABLE_RATE_LIMITS -}}
+        "muc_rate_limit";
+        {{ end -}}
     }
 {{ end }}