Rate limiting added to factomd-api-proxy

Previous Updates
-----------------------------------
ORIGINAL PLEDGES START
-----------------------------------
-OTHER

--Pure infrastructure ANO

--Infrastructure will be released to the community as an open source "infrastructure as code" framework

--Collaborate with other ANOs to determine best practices and innovations for ANO infrastructure

--Active participation in Factom/ANO Governance

-TESTNET

--Two testnet nodes

-PLEDGED EFFICIENCY
2 nodes: 65%
1 node: 55%
-----------------------------------
ORIGINAL PLEDGES END
-----------------------------------
factomd-api-proxy

Bedrock Solutions is proud to announce the release of a multifunction proxy for the factomd API port. The proxy enhances the factomd API port by providing common features needed in most deployments.

The current version, as of this writing, is 0.4.0

Quick Feature List
  • Intelligent, Kubernetes-ready Container
  • CORS
  • SSL/TLS
  • Health Check
  • Access Control Whitelist
  • Strict Protocol Operation

Simple Example with Default Configuration

To create a proxy for the Factom Inc. courtesy node, listening on port 80, simply execute:

docker run -p 80:8080 --name factomd-proxy bedrocksolutions/factomd-api-proxy:0.4.0

Helpful Links
Motivation

Over the past year of working with factomd, a handful of use-cases have resurfaced again and again. This proxy is an attempt to solve those use-cases once and for all. Our intention is to deliver something that not only saves people time and effort, but also becomes a central piece of community infrastructure. We hope that Factom community developers will rally around this project by suggesting features and submitting bugs.

Features

Intelligent, Kubernetes-ready Container

The Docker container housing the proxy is much more than a thin wrapper. It serves as a high-level abstraction that provides a clean, YAML configuration API to container clients. Configuration files are actively monitored, with configuration being automatically reloaded upon file changes. This obviates the need to restart the container in most cases. These features allow the container to dovetail naturally into orchestration environments like Kubernetes.

CORS

The proxy implements the bulk of the CORS specification.

The proxy currently has three CORS modes: disabled, wildcard, and regex. Internal, server-to-server apps can just leave it disabled. If a public endpoint is being run, such as the Factom Open Node, then the 'wildcard' mode should be enabled. If an application-specific endpoint is being run, then 'regex' mode should be enabled to restrict browser traffic.

SSL/TLS

Correct configuration of SSL/TLS is non-trivial; numerous security problems exist. Several enhanced security features are available to mitigate them, but they require specific configuration options to be enabled. The proxy supports all major SSL/TLS security features, and gives an A+ rating on the SSL Labs test (https://www.ssllabs.com/ssltest) with a sufficiently strong certificate.

Health Check

The factomd API does not have a simple GET-verb endpoint that works well with cloud providers such as CloudFlare and Google Cloud Platform. This makes deploying the API problematic in many situations. This proxy adds a `GET /` endpoint that returns a meaningful status along with a detailed diagnostic payload.

Access Control Whitelist

Access to the proxy's API port can be easily restricted by providing a list of IP addresses and IP networks that are allowed to connect.

Strict Protocol Operation

Only a very small number of method/URI combinations are allowed. The JSON RPC request payload is parsed and validated. This reduces the number of bad requests forwarded to factomd.

Roadmap

The proxy is under active development, and is now a high priority for Bedrock Solutions. Planned enhancements include:

Rate Limiting

Having the ability to define separate rate limiting policies for API reads and writes is a pressing issue. The proxy will support this ASAP.

Runtime Metrics

Being able to see inside the proxy during its operation is a must-have feature.

Support

Support is available in our Discord channel: https://discord.gg/5cbEYdP
Bedrock Solutions LLC is excited to present our first major Authority Node Operator (ANO) update. We have come a long way since being onboarded into the Factom Authority Set in October 2018. The Factom community is full of brilliant people and hard working companies, and our experience as an ANO has reaffirmed our choice to work with the Factom protocol. Although we campaigned as a high efficiency (65%) infrastructure ANO, we work full time to push Factom toward becoming the default global data integrity protocol. In this update, we’ll discuss how we are doing this with our development projects, grants, nodes, efficiency, and governance participation.

Projects

Factom Infrastructure Framework
We have pledged to release an open source infrastructure-as-code framework for deploying Factom nodes. We started working on this while setting up our own infrastructure using a number of Ansible playbooks that we developed internally. We have open sourced and released over a dozen Ansible roles, which are building blocks of factomd infrastructure. We have decided not to release our higher level playbooks to minimize the security risk to our servers, but we will consider releasing them once we are able to move to the next iteration of our infrastructure. If anyone is using or interested in using Ansible to manage your Authority Node infrastructure, please reach out and we will be happy to show and share our Ansible code.

We are shifting our focus away from Ansible and are building a new and improved infrastructure framework using Kubernetes and Docker. Kubernetes allows us to replace bloated VMs with scalable, lightweight cluster machines, and Docker increases the ease of deployment and configuration management. We are currently running two testnet followers and the tfa-bot on various Kubernetes clusters. We are making good progress and closing in on the initial release.

MyFactomWallet
MyFactomWallet (MFW) is a collaborative effort between Bedrock Solutions and The Factoid Authority. We released MFW in November, 2018 as the first open source Factom web-wallet with Ledger Nano S support. Bedrock Solutions built the MFW web application, and we will continue to improve this resource for the Factom community. We want to thank the rest of the on-chain voting grant team, Factomatic, Factoshi, and LUCIAP for their help with preparing for the release.

Factom API Proxy
Last week, we released a proxy for the factomd API port that adds and enhances several features when deploying factomd including CORS and SSL.


TFA Bot Docker Image and Kubernetes Helm Chart
We released a Docker container for the TFA Bot software built by The Factoid Authority. The container provides a lightweight build and streamlined deployment.

Grants

Factom Open Node
Bedrock Solutions, Blockchain Innovation Foundation, CryptoLogic, DeFacto, and The Factoid Authority were awarded the Factom Open Node grant to provide a free load-balanced API endpoint for Factomd. This node is used by a number of applications, including MyFactomWallet, and will be the default sync node in an upcoming Factom Enterprise Wallet release.

On-chain Voting Protocol
The On-chain Voting Protocol grant is bringing fully auditable on-chain voting to Factom. This is a fundamental building block for the eventual full implementation of Factom Governance with standing parties. The grant team is currently working on the final two milestones: testing the generic on-chain voting application and releasing a final report.

Factom Identity on Ledger Nano S
Bedrock Solutions and The Factoid Authority were awarded this grant to bring Ledger Nano S support for the new Factom identity specification. This will allow secure signing of data using a Ledger Nano S device.

Nodes

Our primary responsibility as an ANO is to provide reliable Authority Nodes to the Factom network. We have worked extensively on our internal infrastructure-as-code, and on our monitoring and administrative processes to ensure maximum uptime and responsiveness to issues. During the past two network outages in September and January, we were quick to respond and played an active role in providing assistance to the Core and Technical Committee to help get the network running again.

We took down our two testnet nodes in December, 2018 when we started working on running Factom nodes in Kubernetes, as a part of our ongoing infrastructure research. We recently deployed two testnet follower nodes using our soon-to-be-released Kubernetes Helm chart.

Efficiency

We are operating at our pledged 65% efficiency, which means we donate 65% of our server rewards to the Factom Grant Pool. We are considering lowering our efficiency to better reflect our ANO contributions.

Governance and Community

We are actively involved with governance and the community. Effective governance is critical for the long term success of Factom. Here are some of the ways we have been involved since being onboarded:

  • Voted in all governance polls on Factomize to our knowledge
  • Participated in discussions on Factomize and Discord
  • Attended all ANO meetings and most Guide meetings
  • Attended the ANO Summit in Austin
  • Joined the On-chain Governance Working Group
  • Participated in Marketing Committee interview where we advocated for increased focus on developer outreach on FactomProtocol.org
  • Donated to the Triall Clinical Research project
  • Participated in the Authority Node Operators AMA on Reddit
  • Helped test the Factomize Daily Digest and Monthly Newsletter
  • Helped test ANO Emergency Alerts
Conclusion

We are extremely pleased to update the community on the work we do as a Factom ANO. We are a technical team building solutions for the Factom protocol, and we have much more in store for 2019. If you need assistance using one of our projects, are interested in collaborating, or just want to say hi, please reach out to us at contact@bedrocksolutions.io and join us in our Discord channel https://discord.gg/gfYahwM. Until next time!
bedrocksolutions/tfa-bot

Bedrock Solutions is pleased to announce the release of a Helm chart for The Factoid Authority's Monitoring Bot.

Motivation

Using Kubernetes for deployment of lightweight services, such as the tfa-bot, can reduce the time spent in installation, configuration, and deployment.

Installation

Note: this guide assumes the Helm package manager has already been installed, and the cluster has been properly configured to work with it. Please see https://helm.sh/docs/using_helm for more information.

Add the Bedrock Solutions Helm repository to your `helm` command line utility:

helm repo add bedrocksolutions https://helm.bedrocksolutions.io

Create a `values.yaml` file containing the URL of your Google Sheet:

# values.yaml
botUrl: https://docs.google.com/spreadsheets/d/xxxxxxxxxxxxxxxxxxxx

Install the Helm chart into your cluster:

helm install --name tfa-bot -f /path/to/values.yaml bedrocksolutions/tfa-bot

Please see the project's GitHub repository @ https://github.com/BedrockSolutions/tfa-bot for more information.
Current Update: Rate limiting added to factomd-api-proxy
#1
factomd-api-proxy

Bedrock Solutions announces the release of version 0.5.2 of its factomd API proxy. This release features rate limiting on writes.

Description

The rate limiting subsystem supports both writes-per-second (WPS) and writes-per-block (WPB) limiters.

WPS limiting establishes a maximum number of WPS that will be sent over the network. It also establishes a burst rate for writes, which will delay writes by a variable amount to spread the burst over a longer duration. The system defaults to 3 WPS with a 10 WPS burst. Rates over 10 WPS will be rejected with a 429 error.

WPB limiting establishes a write quota which resets every 10 minutes. The system defaults to 1200 writes per 10 minutes.

Links

https://github.com/BedrockSolutions/factomd-api-proxy
https://hub.docker.com/r/bedrocksolutions/factomd-api-proxy
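
The default limits described above (3 WPS, burst of 10, 1200 writes per 10 minutes), modeled as an added example; this is not code from factomd-api-proxy or from Bedrock Solutions. The class and function names, the fixed quota windows counted from t=0, and counting only accepted writes against the quota are assumptions, and the arrival times are constructed.

```python
from fractions import Fraction

class WriteLimiter:
    """Toy model of the announced defaults, NOT the proxy's own code."""

    def __init__(self, wps=3, burst=10, wpb=1200, window_s=600):
        self.interval = Fraction(1, wps)  # spacing between forwarded writes
        self.burst = burst                # writes allowed to wait in the queue
        self.wpb = wpb                    # write quota per window
        self.window_s = window_s          # quota window length (10 minutes)
        self.next_slot = Fraction(0)      # earliest time the next write may go out
        self.window = 0                   # index of the current quota window
        self.used = 0                     # writes accepted in this window

    def submit(self, now):
        """Decide a write arriving at `now` (seconds). Returns (decision, delay)."""
        now = Fraction(now)
        window = now // self.window_s     # assumption: fixed windows from t=0
        if window != self.window:
            self.window, self.used = window, 0
        if self.used >= self.wpb:
            return ("reject_quota", None)  # status code not stated in the post
        start = max(now, self.next_slot)
        queued = (start - now) / self.interval  # writes already waiting ahead
        if queued > self.burst:
            return ("reject_rate", None)   # the case the post answers with 429
        self.next_slot = start + self.interval
        self.used += 1
        return ("forward", start - now)    # the delay spreads the burst out


def run(arrivals):
    """Feed constructed arrival times (seconds) through a fresh limiter."""
    limiter = WriteLimiter()
    return [limiter.submit(t) for t in arrivals]


if __name__ == "__main__":
    burst = run([0] * 15)                  # constructed: 15 writes at once
    print([d for d, _ in burst].count("forward"), "forwarded,",
          "last delay", float(burst[10][1]), "s")
    steady = run([Fraction(k, 3) for k in range(1201)])  # sustained 3 WPS
    print("write #1201 at t=400s:", steady[1200][0])
```

In this model, a client writing at a sustained 3 WPS uses up the 1200-write quota 400 seconds into each 600-second window, so the two limiters interact even when the per-second limit is never exceeded.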
 
#2
Great addition Jay!
You said you applied this update to the Open node network. What are the write limits you set up for it? Where does it stand relative to current usage of the open node network?
As I understand it, it is only write rate limited (which I assume means the commit/reveal API); is there no limit on getting entries or balances from the Open node network?
Thanks