MCPcopy Index your code
hub / github.com/asciimoo/filtron

github.com/asciimoo/filtron @v0.2.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.0 ↗ · + Follow
58 symbols 153 edges 10 files 0 documented · 0% updated 3y agov0.2.0 · 2020-07-26★ 1744 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Filtron

Reverse HTTP proxy to filter requests by different rules. Can be used between production webserver and the application server to prevent abuse of the application backend.

The original purpose of this program was to defend searx, but it can be used to guard any web application.

Installation and setup

$ go get github.com/asciimoo/filtron
$ "$GOPATH/bin/filtron" --help

Rules

A rule has two required attributes: name and actions

A rule can contain all of the following attributes:

  • limit integer - Defines how many matching requests allowed to access the application within interval seconds. (Can be omitted if 0)
  • interval integer - Time range in seconds to reset rule numbers (Can be omitted if limit is 0)
  • filters list of selectors
  • aggregations list of selectors (if filters specified it activates only in case of the filter matches)
  • subrules list of rules (if filters specified it activates only in case of the filter matches)
  • disabled bool - Disable a rule (default is false)
  • stop bool - Finish request validation immediately and skip remaining rules (default is false)

JSON representation of a rule:

{
    "name": "example rule",
    "interval": 60,
    "limit": 10,
    "filters": ["GET:q", "Header:User-Agent=^curl"],
    "actions": [
        {"name": "log",
         "params": {"destination": "stderr"}},
        {"name": "block",
         "params": {"message": "Not allowed"}}
     ]
}

Explanation: Allow only 10 requests a minute where q represented as GET parameter and the user agent header starts with curl. Request is logged to STDERR and blocked with a custom error message if limit is exceeded. See more examples here.

actions

Rule's actions are sequentially activated if a request exceeds rule's limit

Note: Only the rule's first action will be executed that serves custom response

Currently implemented actions

log

Log the request

block

Serve HTTP 429 response instead of passing the request to the application

shell

Execute a shell command. cmd (string) and args (list of selectors) are required params (Example: {"name": "shell", "params": {"cmd": "echo %v is the IP", "args": ["IP"]}})

filters

If all the selectors found, it increments a counter. Rule blocks the request if counter reaches limit

aggregations

Counts the values returned by selectors. Rule blocks the request if any value's number reaches limit

subrules

Each rule can contain any number of subrules. Activates on parent rule's filter match.

Selectors

Request's different parts can be extracted using selector expressions.

Selectors are strings that can match any attribute of a HTTP request with the following syntax:

[!]RequestAttribute[:SubAttribute][=Expression]
  • ! can negate the selector
  • RequestAttribute (required) selects specific part of a request - possible values:
    • Single value
    • IP
    • Host
    • Path
    • Method
    • Multiple values
    • GET
    • POST
    • Param - it is an alias for both GET and POST
    • Cookie
    • Header
  • SubAttribute if RequestAttribute is not a single value, this can specify the inner attribute
  • Expression possible value:
    • a regular expression to filter the selected attribute values.
    • nslookup(Hostname) to filter the selected attribute values with the IP addresses of Hostname. Filtron resolves Hostname to its IP addresses when the rule is loaded (IPv4 and IPv6).

Examples

IP returns the client's IP address

GET:x returns the x GET parameter if exists

!Header:Accept-Language returns true if there is no Accept-Language HTTP header

Path=^/(x|y)$ matches if the path is /x or /y

IP=nslookup(example.com) matches if the client's IP address is one of the IP addresses of example.com.

API

Filtron can be configured through its REST API which listens on 127.0.0.1:4005 by default.

API endpoints

/rules

Loaded rules in JSON format

/rules/reload

Reload the rule file specified at startup

WebUI

UI built on the API

webui

Bugs

Bugs or suggestions? Visit the issue tracker.

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Function 23
Method 22
Struct 10
TypeAlias 2
Interface 1

Languages

Go100%

Modules by API surface

action/action.go20 symbols
rule/rule.go13 symbols
selector/selector.go5 symbols
proxy/proxy.go5 symbols
proxy/proxy_test.go4 symbols
selector/selector_test.go3 symbols
rule/rule_test.go3 symbols
api/api.go3 symbols
types/types.go1 symbols
filtron.go1 symbols

For agents

$ claude mcp add filtron \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page