New IP Limit Method

Co-Authored-By: brekotis <93345790+brekotis@users.noreply.github.com>

src/config/defaults.rs

@@ -12,6 +12,7 @@ const DEFAULT_ME_SINGLE_ENDPOINT_SHADOW_WRITERS: u8 = 2;
 const DEFAULT_ME_ADAPTIVE_FLOOR_IDLE_SECS: u64 = 90;
 const DEFAULT_ME_ADAPTIVE_FLOOR_MIN_WRITERS_SINGLE_ENDPOINT: u8 = 1;
 const DEFAULT_ME_ADAPTIVE_FLOOR_RECOVER_GRACE_SECS: u64 = 180;
+const DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS: u64 = 30;
 const DEFAULT_UPSTREAM_CONNECT_RETRY_ATTEMPTS: u32 = 2;
 const DEFAULT_UPSTREAM_UNHEALTHY_FAIL_THRESHOLD: u32 = 5;
 const DEFAULT_LISTEN_ADDR_IPV6: &str = "::";
@@ -464,6 +465,10 @@ pub(crate) fn default_access_users() -> HashMap<String, String> {
     )])
 }
 
+pub(crate) fn default_user_max_unique_ips_window_secs() -> u64 {
+    DEFAULT_USER_MAX_UNIQUE_IPS_WINDOW_SECS
+}
+
 // Custom deserializer helpers
 
 #[derive(Deserialize)]

src/config/hot_reload.rs

@@ -438,6 +438,16 @@ fn log_changes(
             new_hot.access.user_max_unique_ips.len()
         );
     }
+    if old_hot.access.user_max_unique_ips_mode != new_hot.access.user_max_unique_ips_mode
+        || old_hot.access.user_max_unique_ips_window_secs
+            != new_hot.access.user_max_unique_ips_window_secs
+    {
+        info!(
+            "config reload: user_max_unique_ips policy mode={:?} window={}s",
+            new_hot.access.user_max_unique_ips_mode,
+            new_hot.access.user_max_unique_ips_window_secs
+        );
+    }
 }
 
 /// Load config, validate, diff against current, and broadcast if changed.

src/config/load.rs

@@ -257,6 +257,12 @@ impl ProxyConfig {
             ));
         }
 
+        if config.access.user_max_unique_ips_window_secs == 0 {
+            return Err(ProxyError::Config(
+                "access.user_max_unique_ips_window_secs must be > 0".to_string(),
+            ));
+        }
+
         if config.general.me_reinit_every_secs == 0 {
             return Err(ProxyError::Config(
                 "general.me_reinit_every_secs must be > 0".to_string(),
@@ -728,6 +734,14 @@ mod tests {
             default_api_minimal_runtime_cache_ttl_ms()
         );
         assert_eq!(cfg.access.users, default_access_users());
+        assert_eq!(
+            cfg.access.user_max_unique_ips_mode,
+            UserMaxUniqueIpsMode::default()
+        );
+        assert_eq!(
+            cfg.access.user_max_unique_ips_window_secs,
+            default_user_max_unique_ips_window_secs()
+        );
     }
 
     #[test]

src/config/types.rs

@@ -183,6 +183,19 @@ impl MeFloorMode {
     }
 }
 
+/// Per-user unique source IP limit mode.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum UserMaxUniqueIpsMode {
+    /// Count only currently active source IPs.
+    #[default]
+    ActiveWindow,
+    /// Count source IPs seen within the recent time window.
+    TimeWindow,
+    /// Enforce both active and recent-window limits at the same time.
+    Combined,
+}
+
 /// Telemetry controls for hot-path counters and ME diagnostics.
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
 pub struct TelemetryConfig {
@@ -1045,6 +1058,12 @@ pub struct AccessConfig {
     #[serde(default)]
     pub user_max_unique_ips: HashMap<String, usize>,
 
+    #[serde(default)]
+    pub user_max_unique_ips_mode: UserMaxUniqueIpsMode,
+
+    #[serde(default = "default_user_max_unique_ips_window_secs")]
+    pub user_max_unique_ips_window_secs: u64,
+
     #[serde(default = "default_replay_check_len")]
     pub replay_check_len: usize,
 
@@ -1064,6 +1083,8 @@ impl Default for AccessConfig {
             user_expirations: HashMap::new(),
             user_data_quota: HashMap::new(),
             user_max_unique_ips: HashMap::new(),
+            user_max_unique_ips_mode: UserMaxUniqueIpsMode::default(),
+            user_max_unique_ips_window_secs: default_user_max_unique_ips_window_secs(),
             replay_check_len: default_replay_check_len(),
             replay_window_secs: default_replay_window_secs(),
             ignore_time_skew: false,