feat: add connection tarpit for malicious bot traffic

Implements slow-drip response handler for known bot paths (wp-admin, phpmyadmin, etc.) to waste attacker resources. Includes per-IP and global connection limits, configurable delays, and random chunking. Also applies clippy lint fixes across codebase.
2026-01-31 14:26:37 -06:00 · 2026-01-05 18:19:09 -06:00
parent 553bae5a7f
commit 2a710d584e
12 changed files with 799 additions and 137 deletions
@@ -11,38 +11,35 @@ pub async fn serve_embedded_asset(uri: Uri) -> Response {

    let asset_path = path.strip_prefix('/').unwrap_or(path);

-    match CLIENT_ASSETS.get_file(asset_path) {
-        Some(file) => {
-            let mime_type = mime_guess::from_path(asset_path)
-                .first_or_octet_stream()
-                .as_ref()
-                .to_string();
+    if let Some(file) = CLIENT_ASSETS.get_file(asset_path) {
+        let mime_type = mime_guess::from_path(asset_path)
+            .first_or_octet_stream()
+            .as_ref()
+            .to_string();

-            let mut headers = axum::http::HeaderMap::new();
+        let mut headers = axum::http::HeaderMap::new();
+        headers.insert(
+            header::CONTENT_TYPE,
+            mime_type
+                .parse()
+                .unwrap_or_else(|_| header::HeaderValue::from_static("application/octet-stream")),
+        );
+
+        if path.contains("/immutable/") {
            headers.insert(
-                header::CONTENT_TYPE,
-                mime_type.parse().unwrap_or_else(|_| {
-                    header::HeaderValue::from_static("application/octet-stream")
-                }),
+                header::CACHE_CONTROL,
+                header::HeaderValue::from_static("public, max-age=31536000, immutable"),
+            );
+        } else {
+            headers.insert(
+                header::CACHE_CONTROL,
+                header::HeaderValue::from_static("public, max-age=3600"),
            );
-
-            if path.contains("/immutable/") {
-                headers.insert(
-                    header::CACHE_CONTROL,
-                    header::HeaderValue::from_static("public, max-age=31536000, immutable"),
-                );
-            } else {
-                headers.insert(
-                    header::CACHE_CONTROL,
-                    header::HeaderValue::from_static("public, max-age=3600"),
-                );
-            }
-
-            (StatusCode::OK, headers, file.contents()).into_response()
-        }
-        None => {
-            tracing::debug!(path, "Embedded asset not found");
-            (StatusCode::NOT_FOUND, "Asset not found").into_response()
        }
+
+        (StatusCode::OK, headers, file.contents()).into_response()
+    } else {
+        tracing::debug!(path, "Embedded asset not found");
+        (StatusCode::NOT_FOUND, "Asset not found").into_response()
    }
 }