Rate Limit by remote ipv4 or other possibilities possible?

[tarik56]

Hello,

I have a question regarding the requester identification method.

As seen in the Docs and examples, the Limiter class uses the "get_remote_address" function as a default identification resolver.
When the service runs behind an nginx or other proxy it will always return 127.0.0.1 instead of the forwarded ip address.

I guess we would have to write our own function to determine unique requester identification?

What would be the best approach to consider ip address and other request properties?

It could be a that in a building several users use the rest api with the same ip address.

What identification method did you guys use for that?

[alisaifee]

The extension in fact does not have a "default" key_func for resolving the identity of the request since as you noted the simple request.remote_addr is too naive for actual production use.

If deploying the application behind a proxy there is a recipe here that shows you can configure your application and still use the utility get_remote_address function.

I would however recommend you implement your own key_func to avoid any surprises and be explicit.

[alisaifee]

Regarding multiple users behind the same IP address, perhaps implementing some kind of fingerprinting which you can access from the headers which can then be used in your key_func implementation could work?

[tarik56]

Thank you for your reply. Yes I was thinking about some kind of properties I can use from the headers to generate a fingerprint.
I will look into it and see what I can use best for uniquely identifying a device.

Some sort of combination with ip and fingerprint would be the best option when the attacker tries to dynamically change his headers for each request.