Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ip ratelimiting when using a proxy like cloudflare #55

Closed
mrcoles opened this issue Nov 5, 2014 · 4 comments
Closed

ip ratelimiting when using a proxy like cloudflare #55

mrcoles opened this issue Nov 5, 2014 · 4 comments

Comments

@mrcoles
Copy link

mrcoles commented Nov 5, 2014

If you are using the 'ip' ratelimitnig key and a proxy like cloudflare, then it will always return the same ipaddress, which could be disastrous.

A simple cloudflare solution would be for users of this library to create their own callable for the key as such:

def get_client_ip(request):
    return request.META.get('HTTP_CF_CONNECTING_IP') or request.META['REMOTE_ADDR']

@ratelimit(key=get_client_ip, rate='10/m')
def dummy_view(request):
    # view code in here

However, I wonder if there's a more general solution for using X-FORWARDED-FOR or if that's too easily spoofed? A change in utils.py like:

def _ip(request):
    return (request.META['HTTP_X_FORWARDED_FOR'].split(',')[-1]
            if request.get('HTTP_X_FORWARDED_FOR') else request.META['REMOTE_ADDR'])

def user_or_ip(request):
    return str(request.user.pk) if request.user.is_authenticated() else _ip(request)

_SIMPLE_KEYS = {
    'ip': _ip,
    'user': lambda r: str(r.user.pk),
    'user_or_ip': user_or_ip,
}

Does anyone know what risks there could be in using x-forwarded-for?
@jsocol
Copy link
Owner

jsocol commented Nov 5, 2014

I've answered this probably half a dozen times: this is too deployment-specific to do securely in a general solution. It's too big a footgun, and ratelimit is the wrong place for it. There are reasons and suggestions here: https://django-ratelimit.readthedocs.org/en/latest/security.html#client-ip-address

@jsocol jsocol closed this as completed Nov 5, 2014
@mrcoles
Copy link
Author

mrcoles commented Nov 5, 2014

Ah, my brain must have skipped right over the "Note" on the keys page. Seems reasonable enough. Thanks.

@mbi mbi mentioned this issue Apr 27, 2020
Open
@9mido
Copy link

9mido commented Jul 10, 2020
edited
Loading

Not sure if this is relevant but what if you did this?

https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-Logging-visitor-IP-addresses-with-mod-cloudflare-

Typical behavior:

https://support.cloudflare.com/hc/en-us/articles/201897700-Allowing-Cloudflare-IP-addresses

@jsocol
Copy link
Owner

jsocol commented Jul 10, 2020

Hi @9mido, please see the previous comment and documentation about client IP address.

Repository owner locked as resolved and limited conversation to collaborators Jul 10, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mrcoles @jsocol @9mido