package tlslimit_test
import (
	"crypto/tls"
	"log"
	"net/http"
	"time"

	"github.com/shaj13/tlslimit"
)
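// Example shows how to wire a tlslimit.Limiter into a tls.Config so that
// TLS handshakes are rate limited per client before the server spends its
// certificate/signature work on them.
//
// The example is compile-only: it carries no "// Output:" comment, so
// `go test` builds it but never runs ListenAndServeTLS.
func Example() {
	// Declare the actual callbacks to retrieve the server certificate.
	// You don't need both callbacks, choose the one that suits your
	// application needs. Most callers prefer GetCertificate.
	//
	// Both are placeholders here. Returning (nil, nil) from GetCertificate
	// makes crypto/tls fall back to cfg.Certificates, which this example
	// leaves empty, so a real deployment must return a certificate (or,
	// from GetConfigForClient, a Config that carries one).
	getCert := func(ci *tls.ClientHelloInfo) (*tls.Certificate, error) {
		// Return actual certificate.
		return nil, nil
	}
	getConfig := func(ci *tls.ClientHelloInfo) (*tls.Config, error) {
		// Return actual config.
		return nil, nil
	}

	// Define a Limiter to enforce TLS rate limiting, to prevent a single
	// client from exhausting application resources and to mitigate
	// SSL/TLS handshake exhaustion DDoS attacks.
	//
	// For example: allow 20 TLS handshakes per minute for each client IP.
	//
	// NOTE(review): keying on the client IP only helps when the server
	// sees the real peer address. Behind a TCP load balancer or reverse
	// proxy every handshake appears to come from the proxy's IP (one
	// shared bucket for all users), and clients behind a shared NAT
	// compete for a single bucket — choose the key to match your topology.
	lim := tlslimit.NewLimiter(
		tlslimit.WithBursts(20),
		tlslimit.WithLimit(time.Minute),
		tlslimit.WithTLSClientIP(),
		// Use WithGetCertificate or WithGetConfigForClient.
		tlslimit.WithGetCertificate(getCert),
		tlslimit.WithGetConfigForClient(getConfig),
	)

	// Tie the Limiter to the tls.Config. When the limiter rejects a
	// handshake the callback returns an error and crypto/tls aborts the
	// handshake, so the client never reaches the server's certificate and
	// signature step.
	//
	// Use GetCertificate or GetConfigForClient. crypto/tls calls
	// GetConfigForClient first; if it returns a non-nil Config, that
	// Config's GetCertificate is used for the rest of the handshake,
	// otherwise this one is. NOTE(review): with both wired up as below,
	// crypto/tls invokes both limiter callbacks on a handshake that passes
	// the first — confirm whether the limiter counts that as one or two
	// handshakes against the bucket.
	//
	// MinVersion TLS 1.3 drops the legacy cipher suites and renegotiation
	// paths entirely.
	cfg := &tls.Config{
		GetCertificate:     lim.GetCertificate,
		GetConfigForClient: lim.GetConfigForClient,
		MinVersion:         tls.VersionTLS13,
	}

	// A handshake limiter does not protect the HTTP layer: a client that
	// passes the limit can still hold a connection open by trickling
	// request headers (slowloris) or by never finishing a body. Bound that
	// with server timeouts as well; ReadHeaderTimeout is the one that
	// caps the header-trickling case, IdleTimeout reclaims idle keep-alive
	// connections.
	srv := http.Server{
		TLSConfig:         cfg,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}

	// Empty certificate and key paths: the certificate comes from the
	// GetCertificate/GetConfigForClient callbacks above. Addr is empty, so
	// the server listens on ":https" (port 443). ListenAndServeTLS always
	// returns a non-nil error, so report it instead of discarding it.
	log.Fatal(srv.ListenAndServeTLS("", ""))
}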