Limit client side requests? #473
-
|
Hello 👋 I would like to ask whether it's possible to apply any kind of rate limiting (or protection) on publicly exposed .pmtiles via maplibre: https://github.com/protomaps/PMTiles/blob/main/js/examples/maplibre.html Adding a server between client and the S3-compatible bucket, e.g. serving the tiles using Martin (https://github.com/maplibre/martin) would be an option, but serving them directly from S3 would result in a more maintenance free solution. Would it be possible to restrict certain users from hammering with GET requests the .pmtiles file? Any ideas would be highly appreciated! Thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
What could also probably prevent hammering is caching. Is tile caching supported on maplibre url pointing to the remote (s3-compatible bucket) .pmtiles file, or should we serve tiles in ZXY format using a tile server like Martin? |
Beta Was this translation helpful? Give feedback.
-
|
How do you classify rate limiting a client, is it to mitigate bots or should it also affect a human scrolling the map really fast? tile caching in the browser is only supported on chrome on non-windows and safari for decoding pmtiles in the browser. using go-pmtiles serve or Martin you could cache the tiles in a CDN but that isn't really rate limiting. |
Beta Was this translation helpful? Give feedback.
-
|
Hello @bdon, Thanks for your response! Since making a .pmtiles file publicly available on a bucket and exposing this url directly on the client can result in unlimited requests ($$$), the main factor of this problem would be bots, or even humans who abuse the api (behave like bots). Tile caching on a CDN is definitely one approach to not get impacted by the unlimited requests (on the same tiles though). Maybe a thin node.js layer given an ZXY endpoint would do the trick, for auth and rate limiting purposes, instead of exposing the S3 url to the client directly. I was also wondering, is tile caching supported for webview packages, like this one? Thanks in advance! |
Beta Was this translation helpful? Give feedback.
-
|
The issue of potentially unlimited egress fees due to bots isn't unique to PMTiles, it can happen with video files, GeoJSON files or any kind of static asset on storage. So any solution isn't specific to PMTiles either, there are hosted solutions like AWS Web Application Firewall, or you can use Cloudflare or a unmetered bandwidth server like from OVH. If the webview framework uses MapLibre GL JS and you are using addProtocol to decide tiles on the client, it should cache according to TTL on the client if it's Safari or non-windows chrome. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @bdon ! 🙏 |
Beta Was this translation helpful? Give feedback.
The issue of potentially unlimited egress fees due to bots isn't unique to PMTiles, it can happen with video files, GeoJSON files or any kind of static asset on storage. So any solution isn't specific to PMTiles either, there are hosted solutions like AWS Web Application Firewall, or you can use Cloudflare or a unmetered bandwidth server like from OVH.
If the webview framework uses MapLibre GL JS and you are using addProtocol to decide tiles on the client, it should cache according to TTL on the client if it's Safari or non-windows chrome.