[RPC] Enforce rate limiting #1161
Comments
@patrickkuo, would you like to take this one for the JSON-RPC server?
@patrickkuo, assigning this to you for now since you implement the RPC endpoint. We should implement the rate limiting as a middleware. Let me know if you are not the right owner.
What's the priority of this issue? I can work on this after the OpenRPC doc and schema work.
I believe this one has a higher priority than the doc and schema, because we don't want the server to be overwhelmed by malicious attackers or a heavy application. cc @todd-mystenlabs
jsonrpsee has a built-in resource limiting capability; we can use this to enforce rate limiting very easily.
Talk to @bmwill / @mystenmark re: HAproxy. Talk to @huitseeker re: application-layer rate limiting.
For devnet, we need something very simple given the tight time frame. I suggest:
Do we want to build this into the JSON-RPC server? Currently jsonrpsee only supports very basic "resource limiting" functionality; it can limit the number of concurrent requests but cannot enforce a limit by IP, and the middleware API provided does not contain the request header/IP address (looks like they have a plan to add it but there is no timeline). Alternatively, can we use something like AWS WAF?
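The comment above separates a cap on concurrent requests from a limit enforced per client IP. The following is an added example, not code from this thread, from Sui or from jsonrpsee: a standard-library-only per-address token bucket showing what the per-IP variant has to track. `PerIpLimiter`, `allow`, `evict_idle` and `demo` are hypothetical names, and the addresses are constructed documentation-range values.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

/// Token bucket state for one client address.
struct Bucket { tokens: f64, last_seen: Instant }

/// Per-IP limiter: each address may burst up to `burst` requests and is
/// refilled at `rate_per_sec`, independently of every other address.
pub struct PerIpLimiter {
    rate_per_sec: f64,
    burst: f64,
    buckets: HashMap<IpAddr, Bucket>,
}

impl PerIpLimiter {
    pub fn new(rate_per_sec: f64, burst: f64) -> Self {
        Self { rate_per_sec, burst, buckets: HashMap::new() }
    }

    /// Returns true if a request from `ip` arriving at `now` is admitted.
    pub fn allow(&mut self, ip: IpAddr, now: Instant) -> bool {
        let burst = self.burst;
        let b = self.buckets.entry(ip).or_insert(Bucket { tokens: burst, last_seen: now });
        // Refill for the time elapsed since the last request, capped at the burst size.
        let elapsed = now.saturating_duration_since(b.last_seen).as_secs_f64();
        b.tokens = (b.tokens + elapsed * self.rate_per_sec).min(burst);
        b.last_seen = now;
        let admitted = b.tokens >= 1.0;
        if admitted { b.tokens -= 1.0; }
        admitted
    }

    /// Drop buckets idle for `idle` or longer so the map cannot grow without
    /// bound when requests arrive from many distinct addresses.
    pub fn evict_idle(&mut self, now: Instant, idle: Duration) {
        self.buckets.retain(|_, b| now.saturating_duration_since(b.last_seen) < idle);
    }
}

/// Constructed scenario: one address sends 20 requests at the same instant,
/// then a second address sends one. Returns (admitted from the first, second admitted?).
pub fn demo() -> (usize, bool) {
    let mut lim = PerIpLimiter::new(2.0, 5.0);
    let t0 = Instant::now();
    let noisy: IpAddr = "203.0.113.7".parse().unwrap();
    let quiet: IpAddr = "198.51.100.9".parse().unwrap();
    let admitted = (0..20).filter(|_| lim.allow(noisy, t0)).count();
    (admitted, lim.allow(quiet, t0))
}

fn main() { println!("{:?}", demo()); }
```

Behind a reverse proxy such as the HAproxy option mentioned in this thread, the address the server sees is the proxy's, so the key would have to come from a forwarded-address header that the proxy sets and the server trusts only from that proxy.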
I think long-term we want something intelligent that the network can use that would help any operator. Short-term (for devnet launch), we have a few options that will apply to our own running node: (1) we can put HAproxy in front of this (@bmwill / @mystenmark); and (2) we may have additional protection via external means.
Rate-limiting by IP address