[v2] add RUM event rate limit per ip per sec(elastic#1367)

* Enabled for RUM endpoints with default value 300, burst multiplier 3
* Throttle read if rate limit is hit while reading the request, deny request if limit is already hit when the request is started.
* Check rate limit in batches of 10.
* Use eviction handling for LRU cache holding the rate limiters. 
* Keep rate limiting for v1 unchanged.

partly implements elastic#1299

CHANGELOG.asciidoc

@@ -3,3 +3,283 @@ include::./changelogs/6.4.asciidoc[]
 include::./changelogs/6.3.asciidoc[]
 include::./changelogs/6.2.asciidoc[]
 include::./changelogs/6.1.asciidoc[]
+[[release-notes-head]]
+== APM Server version HEAD
+
+// These have to be under a == headline unfortunately:
+// Use these for links to issue and pulls. Note issues and pulls redirect one to
+// each other on Github, so don't worry too much on using the right prefix.
+:issue: https://github.com/elastic/apm-server/issues/
+:pull: https://github.com/elastic/apm-server/pull/
+
+https://github.com/elastic/apm-server/compare/6.4\...master[View commits]
+
+[float]
+=== Added
+
+- Provide basic server information at `/` {pull}1197[1197]
+- Add pipeline registration and pipeline usage {pull}1258[1258],{pull}1296[1296]
+- Allow sending `tags` for `spans`, that get indexed in ES {pull}1156[1156].
+- Add pipeline registration and pipeline usage {pull}1258[1258]
+- Update JSON schema spec for v2 {pull}1303[1303]
+- Make JSON schema spec distributed tracing compliant {pull}1303[1303]
+- Add required `transaction.span_count.started` to Intake v2 {pull}1351[1351]
+- Rename `transaction.span_count.dropped.total` to `transaction.span_count.dropped` on Intake API v2 {pull}1351[1351]
+- Require either `message` or `type` for `error.exception` {pull}1354[1354].
+- Require `span.parent_id`, forbid `null` for `span.trace_id`, `transaction.trace_id` {pull}1391[1391]
+- Require `error.id` and changed description to 128 random bits ID {pull}1384[1384]
+- Add rate limit handling per event {pull}1367[1367]
+
+[[release-notes-6.4]]
+== APM Server version 6.4
+
+https://github.com/elastic/apm-server/compare/6.3\...6.4[View commits]
+
+* <<release-notes-6.4.0>>
+
+[[release-notes-6.4.0]]
+=== APM Server version 6.4.0
+
+https://github.com/elastic/apm-server/compare/v6.3.2\...v6.4.0[View commits]
+
+- Change `frontend` to `rum` in config file, but still support `frontend` for backwards compatibility {pull}1155[1155].
+- Support `rum` and `client-side` endpoint for RUM for backwards compatibility {pull}1155[1155].
+- Listen on default port 8200 if unspecified {pull}886[886].
+- Update Go to 1.10.3 {pull}1054[1054].
+- Combine `apm-server.yml` and `apm-server.reference.yml` into one file {pull}958[958].
+- Add optional tracing for the server's API and event publisher {pull}816[816].
+- Read sourcemap content and fill context lines {pull}972[972].
+- Remove regexProperties validation rules {pull}1148[1148], {pull}1150[1150].
+- Add source_mapping.elasticsearch configuration option {pull}1114[1114].
+- Add /v1/metrics endpoint {pull}1000[1000] {pull}1121[1121].
+- Push onboarding doc to separate ES index {pull}1159[1159].
+- Deprecate usage of `apm-server setup` for dashboards and index-pattern {pull}1142[1142],{pull}1261[1261].
+- Disable metrics logging by default {pull}1127[1127].
+
+
+[[release-notes-6.3]]
+== APM Server version 6.3
+
+https://github.com/elastic/apm-server/compare/6.2\...6.3[View commits]
+
+* <<release-notes-6.3.2>>
+* <<release-notes-6.3.1>>
+* <<release-notes-6.3.0>>
+
+
+[[release-notes-6.3.2]]
+=== APM Server version 6.3.2
+
+https://github.com/elastic/apm-server/compare/v6.3.1\...v6.3.2[View commits]
+
+No significant changes.
+
+
+[[release-notes-6.3.1]]
+=== APM Server version 6.3.1
+
+https://github.com/elastic/apm-server/compare/v6.3.0\...v6.3.1[View commits]
+
+No significant changes.
+
+
+[[release-notes-6.3.0]]
+=== APM Server version 6.3.0
+
+https://github.com/elastic/apm-server/compare/v6.2.4\...v6.3.0[View commits]
+
+[float]
+==== Bug fixes
+
+- Accept charset in request's content type {pull}677[677].
+- Use type integer instead of number in JSON schemas where applicable {pull}641[641].
+- Set array item types to string in JSON schemas {pull}651[651].
+- Fix issue preventing server from being stopped {pull}704[704].
+- Limit the amount of concurrent requests being processed {pull}731[731].
+- Return proper response code for request entity too large {pull}862[862].
+- Make APM Server docker image listen on all interfaces by default https://github.com/elastic/apm-server-docker/pull/16[apm-server-dockers#16]
+
+[float]
+==== Added
+
+- Enriched data with IP and UserAgent {pull}393[393], {pull}701[701], {pull}730[730], {pull}923[923].
+- Push errors and transactions to different ES indices {pull}706[706].
+- Allow custom `error.log.level` {pull}712[712].
+- Change `concurrent_request` default from 40 to 5 {pull}731[731].
+- Change `max_unzipped_size` default from 50mb to 30mb {pull}731[731].
+- Change `read_timeout` and `write_timeout` defaults from 2s to 30s {pull}748[748], {pull}752[752].
+- Limit number of new connections to accept simultaneously {pull}751[751].
+- Push spans to separate ES index {pull}774[774].
+- Update Go to 1.9.4 {pull}786[786].
+- Listen on unix domain socket with `host=unix:/path` {pull}768[768].
+- Make timestamp optional in the intake api {pull}819[819].
+
+
+[[release-notes-6.2]]
+== APM Server version 6.2
+
+https://github.com/elastic/apm-server/compare/6.1...6.2[View commits]
+
+* <<release-notes-6.2.4>>
+* <<release-notes-6.2.3>>
+* <<release-notes-6.2.2>>
+* <<release-notes-6.2.1>>
+* <<release-notes-6.2.0>>
+
+
+[[release-notes-6.2.4]]
+=== APM Server version 6.2.4
+
+https://github.com/elastic/apm-server/compare/v6.2.3\...v6.2.4[View commits]
+
+No significant changes.
+
+[[release-notes-6.2.3]]
+=== APM Server version 6.2.3
+
+https://github.com/elastic/apm-server/compare/v6.2.2\...v6.2.3[View commits]
+
+No significant changes.
+
+[[release-notes-6.2.2]]
+=== APM Server version 6.2.2
+
+https://github.com/elastic/apm-server/compare/v6.2.1\...v6.2.2[View commits]
+
+No significant changes.
+
+[[release-notes-6.2.1]]
+=== APM Server version 6.2.1
+
+https://github.com/elastic/apm-server/compare/v6.2.0\...v6.2.1[View commits]
+
+No significant changes.
+
+[[release-notes-6.2.0]]
+=== APM Server version 6.2.0
+
+https://github.com/elastic/apm-server/compare/v6.1.4\...v6.2.0[View commits]
+
+[float]
+==== Breaking changes
+- Renaming and reverse boolean `in_app` to `library_frame` {pull}385[385].
+- Renaming `app` to `service` {pull}377[377]
+- Move `trace.transaction_id` to `transaction.id` {pull}345[345], {pull}347[347], {pull}371[371]
+- Renaming `trace` to `span` {pull}352[352].
+- Renaming and reverse boolean `exception.uncaught` to `exception.handled` {pull}434[434].
+- Move process related fields to their own namespace {pull}445[445].
+- Rename Kibana directories according to changed structure in beats framework. {pull}454[454]
+- Change config option `max_header_bytes` to `max_header_size` {pull}492[492].
+- Change config option `frontend.sourcemapping.index` to `frontend.source_mapping.index_pattern` and remove adding a '*' by default.{pull}492[492].
+- Remove untested config options from config yml files {pull}496[496]
+
+[float]
+==== Bug fixes
+- Updated systemd doc url {pull}354[354]
+- Updated readme doc urls {pull}356[356]
+- Use updated stack trace frame values for calculating error `grouping_keys` {pull}485[485]
+- Fix panic when a signal is delivered before the server is instantiated {pull}580[580]
+
+[float]
+==== Added
+- service.environment {pull}366[366]
+- Consider exception or log message for grouping key when nothing else is available {pull}435[435]
+- Add context.request.url.full {pull}436[436]
+- Report more detail on max data size error {pull}442[442]
+- Increase default 'MaxUnzippedSize' from 10mb to 50mb {pull}439[439]
+- Add transaction.id to errors {pull}437[437]
+- Support for `transaction.marks` {pull}430[430]
+- Support for uploading sourcemaps {pull}302[302].
+- Support for sourcemap mapping on incoming frontend requests {pull}381[381], {pull}462[462], {pull}502[502]
+- Support for `transaction.span_count.dropped.total` {pull}448[448].
+- Optional field `transaction.sampled` {pull}441[441]
+- Add Kibana sourcefilter for `sourcemap.sourcemap` {pull}454[454]
+- Increase default 'ConcurrentRequests' from 20 to 40 {pull}492[492]
+- Add Config option for excluding stack trace frames from `grouping_key` calculation {pull}482[482]
+- Expose expvar {pull}509[509]
+- Add `process.ppid` as optional field {pull}564[564]
+- Change `error.culprit` after successfully applying sourcemapping {pull}520[520]
+- Make `transaction.name` optional {pull}554[554]
+- Remove config files from beats. Manually add relevant config options {pull}578[578]
+- Use separate index for uploaded `source maps` {pull}582[582].
+- Store original values when applying source mapping or changing `library_frame` value {pull}647[647]
+
+
+[[release-notes-6.1]]
+== APM Server version 6.1
+
+https://github.com/elastic/apm-server/compare/6.0\...6.1[View commits]
+
+* <<release-notes-6.1.4>>
+* <<release-notes-6.1.3>>
+* <<release-notes-6.1.2>>
+* <<release-notes-6.1.1>>
+* <<release-notes-6.1.0>>
+
+
+[[release-notes-6.1.4]]
+=== APM Server version 6.1.4
+
+https://github.com/elastic/apm-server/compare/v6.1.3\...v6.1.4[View commits]
+
+No significant changes.
+
+
+[[release-notes-6.1.3]]
+=== APM Server version 6.1.3
+
+https://github.com/elastic/apm-server/compare/v6.1.2\...v6.1.3[View commits]
+
+No significant changes.
+
+
+[[release-notes-6.1.2]]
+=== APM Server version 6.1.2
+
+https://github.com/elastic/apm-server/compare/v6.1.1\...v6.1.2[View commits]
+
+No significant changes.
+
+
+[[release-notes-6.1.1]]
+=== APM Server version 6.1.1
+
+https://github.com/elastic/apm-server/compare/v6.1.0\...v6.1.1[View commits]
+
+No significant changes.
+
+
+[[release-notes-6.1.0]]
+=== APM Server version 6.1.0
+
+https://github.com/elastic/apm-server/compare/v6.0.1\...v6.1.0[View commits]
+
+[float]
+==== Breaking changes
+- Allow ES template index prefix to be `apm` {pull}152[152].
+- Remove `git_ref` from Intake API and Elasticsearch output {pull}158[158].
+- Switch to Go 1.9.2
+
+[float]
+==== Bug fixes
+- Fix dashboard loading for Kibana 5x {pull}221[221].
+- Fix command for loading dashboards in docs {pull}205[205].
+- Log a warning message if secret token is set but ssl is not {pull}204[204].
+- Fix wrong content-type in response {pull}171[171].
+- Remove duplicate dashboard entries {pull}162[162].
+- Remove `context.db` from `fields.yml` for consistency, has not been indexed before {pull}159[159].
+- Update dashboard with fix for rpm graphs {pull}315[315].
+- Dashboards: Remove time from url_templates {pull}321[321].
+
+[float]
+==== Added
+- Added wildcard matching for allowed origins for frontend {pull}287[287].
+- Added rate limit per IP for frontend {pull}257[257].
+- Allow null for all optional fields {pull}253[253].
+- Make context.app.language.version optional {pull}246[246].
+- CORS support for frontend {pull}244[244].
+- Added support for frontend {pull}227[227].
+- Show transaction.result in Requests per Minute {pull}226[226].
+- Added Kibana 5.6 compatible dashboards {pull}208[208].
+- Send document to output on start of server {pull}117[117].
+- Log frontend status at startup  {pull}284[284].

_meta/beat.yml

@@ -49,9 +49,26 @@ apm-server:
     # To enable real user monitoring (RUM) support set this to true.
     #enabled: false
 
+    #-- v1 RUM endpoint
+
     # Rate limit per second and IP address for requests sent to the RUM endpoint.
     #rate_limit: 10
 
+    #-- v2 RUM endpoint
+
+    #event_rate:
+
+      # Defines the maximum amount of events allowed to be sent to the APM Server v2 RUM
+      # endpoint per ip per second. Defaults to 300.
+      #limit: 300
+
+      # An LRU cache is used to keep a rate limit per IP for the most recently seen IPs.
+      # This setting defines the number of unique IPs that can be tracked in the cache.
+      # Sites with many concurrent clients should consider increasing this limit. Defaults to 1000.
+      #lru_size: 1000
+
+    #-- General RUM settings
+
     # Comma separated list of permitted origins for real user monitoring. 
     # User-agents will send an origin header that will be validated against this list.
     # An origin is made of a protocol scheme, host and port, without the url path.
@@ -97,6 +114,7 @@ apm-server:
       # is changed, a matching index pattern needs to be specified here.
       #index_pattern: "apm-*-sourcemap*"
 
+
   # If set to true, APM Server augments data received by the agent with the original IP of the backend server,
   # or the IP and User Agent of the real user (RUM requests). It defaults to true.
   #capture_personal_data: true

apm-server.yml

@@ -49,9 +49,26 @@ apm-server:
     # To enable real user monitoring (RUM) support set this to true.
     #enabled: false
 
+    #-- v1 RUM endpoint
+
     # Rate limit per second and IP address for requests sent to the RUM endpoint.
     #rate_limit: 10
 
+    #-- v2 RUM endpoint
+
+    #event_rate:
+
+      # Defines the maximum amount of events allowed to be sent to the APM Server v2 RUM
+      # endpoint per ip per second. Defaults to 300.
+      #limit: 300
+
+      # An LRU cache is used to keep a rate limit per IP for the most recently seen IPs.
+      # This setting defines the number of unique IPs that can be tracked in the cache.
+      # Sites with many concurrent clients should consider increasing this limit. Defaults to 1000.
+      #lru_size: 1000
+
+    #-- General RUM settings
+
     # Comma separated list of permitted origins for real user monitoring. 
     # User-agents will send an origin header that will be validated against this list.
     # An origin is made of a protocol scheme, host and port, without the url path.
@@ -97,6 +114,7 @@ apm-server:
       # is changed, a matching index pattern needs to be specified here.
       #index_pattern: "apm-*-sourcemap*"
 
+
   # If set to true, APM Server augments data received by the agent with the original IP of the backend server,
   # or the IP and User Agent of the real user (RUM requests). It defaults to true.
   #capture_personal_data: true

beater/approved-stream-result/TestRequestIntegrationRumRateLimit.approved.json

@@ -0,0 +1,8 @@
+{
+    "accepted": 30,
+    "errors": [
+        {
+            "message": "rate limit exceeded"
+        }
+    ]
+}