Skip to content

feat: add IP denylist plugin for abuse prevention #79

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lidel merged 2 commits into from
Dec 4, 2025
Merged

feat: add IP denylist plugin for abuse prevention #79

lidel merged 2 commits into from
Dec 4, 2025

Conversation

@lidel
Copy link
Contributor

@lidel lidel commented Nov 25, 2025
edited
Loading

This PR adds denylist plugin.

It supports file-based lists with live-reload and HTTP feeds with periodic refresh.

High level

Integrates with ipparser (DNS returns no A/AAAA for blocked IPs) and acme (HTTP registration API) plugins to block denied IPs.

  • file sources: local lists with automatic reload on change
  • feed sources: HTTP lists (Spamhaus DROP, URLhaus) with caching
  • allow/deny list type: allowlists checked first to bypass denylists
  • prometheus metrics: blocked requests, list sizes, refresh status
  • client IP extraction: X-Forwarded-For and RemoteAddr for ACME broker requests
  • multiaddr IP checking: validates IPs in libp2p multiaddrs

Documentation

See docs/denylist.md in this PR.

PREVIEW: https://github.com/ipshipyard/p2p-forge/blob/feat/ip-denylist/docs/denylist.md

TLDR

Blocked DNS queries return NODATA, blocked ACME requests return HTTP 403.
This allows us to takedown IP instantly.

@lidel
feat: add IP denylist plugin for abuse prevention
643172a 
adds denylist plugin supporting file-based lists with fsnotify auto-reload
and HTTP feeds with periodic refresh. integrates with ipparser (DNS) and
acme (HTTP) plugins to block denied IPs.

- file sources: local lists with automatic reload on change
- feed sources: HTTP lists (Spamhaus DROP, URLhaus) with caching
- allow/deny list types: allowlists checked first to bypass denylists
- prometheus metrics: blocked requests, list sizes, refresh status
- client IP extraction: X-Forwarded-For and RemoteAddr for ACME requests
- multiaddr IP checking: validates IPs in libp2p multiaddrs

blocked DNS queries return NODATA, blocked ACME requests return HTTP 403.
@lidel lidel requested a review from aschmahmann November 25, 2025 23:02
@codecov
Copy link

codecov bot commented Nov 25, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 73.20819% with 157 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.06%. Comparing base (a6a2269) to head (e9515cb).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
denylist/config.go 34.86% 63 Missing and 8 partials ⚠️
denylist/feed.go 73.55% 19 Missing and 13 partials ⚠️
denylist/file.go 75.00% 13 Missing and 9 partials ⚠️
denylist/parser.go 81.57% 9 Missing and 5 partials ⚠️
denylist/prefixset.go 72.72% 3 Missing and 3 partials ⚠️
acme/writer.go 70.58% 3 Missing and 2 partials ⚠️
denylist/manager.go 88.57% 2 Missing and 2 partials ⚠️
denylist/plugin.go 90.90% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main      #79      +/-   ##
==========================================
+ Coverage   64.97%   68.06%   +3.09%     
==========================================
  Files          12       21       +9     
  Lines        1062     1641     +579     
==========================================
+ Hits          690     1117     +427     
- Misses        292      403     +111     
- Partials       80      121      +41

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@lidel lidel marked this pull request as ready for review November 25, 2025 23:06
@lidel
Copy link
Contributor Author

lidel commented Nov 27, 2025

Note to self: blocked until we figure out why collab cluster lost its dns names.

@lidel lidel mentioned this pull request Nov 27, 2025
Open
61 tasks
@lidel
Copy link
Contributor Author

lidel commented Dec 4, 2025

Triage: the cluster issue is specific to the client (investigation tracked in #80, still wip), we can ship this and then have separate release with client fix.

@lidel lidel self-assigned this Dec 4, 2025
@lidel
test(denylist): add tests for 304 handling and file watcher edge cases
e9515cb 
- TestFeedList304PreservesData: verify data preserved after HTTP 304
- TestFileListDeleteAndRecreate: verify reload after file delete/recreate
- TestFileListAtomicSave: verify reload after atomic save (vim-style)
@lidel lidel merged commit 3dc407d into main Dec 4, 2025
6 checks passed
@lidel lidel deleted the feat/ip-denylist branch December 4, 2025 22:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aschmahmann aschmahmann Awaiting requested review from aschmahmann

Assignees

@lidel lidel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lidel