-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rate limiting by IPv6 block #4
Comments
Hi @divine, glad to hear that this library helps you ;) In order to rate-limit requests by IPv6 blocks (or more generally, CIDR blocks), the only solution I can come up with is to use the prefix of the IP address for rate-limiting. For example, for a /64 block, we can use the first 64 bits of the IP as the actual key, by applying a converter
While the syntax becomes a little bit more complicated, I think the format of Any suggestions? |
Hello, Thank you so much for your kind response. I do like the IPv6 address and trying to use it whenever possible but without rate-limiting, people are trying to abuse the API that we're providing for free. This looks fine but what about IPv4 addresses? I mean Also, this module actually needs a configuration of the white list of trusted proxies, otherwise, this block of code allows bypassing any limitation: caddy-ext/ratelimit/ratelimit.go Lines 193 to 195 in dff396f
You get an idea, right? Anyone could just provide a fake Thanks! |
If
Yes, this is the case.
I agree that this is a feasible solution, but I'm a little concerned about the increased responsibility of |
This is indeed fine but what will happen if I wanted
Looks good, does that mean you'll remove that line of code that detects IP addresses from Thanks! |
If
I find that the builtin placeholder {http.request.remote.host} is just After some more thought, I also think
|
Hello, Sorry for the late response.
Actually, no and let me explain why. I'll just be using only one global prefix as a rate limiter : After thinking a little bit, maybe it will work if I add all Objections I had it was what if I want to rate-limit global /64 prefix for IPv6 and global /24 prefix for IPv4 what will happen? I'm seeing a lot of proxies from the same /24 network prefix as well, they look same and it's definitely bots that might create issues later (an example): Thanks! |
Never mind ;)
Suppose that we already have two different keys, say, as below:
I'm not sure how to leverage these keys to apply rate-limiting by using only one |
Hello, Using different keys will be fine as well, I just wanted to say that one key wasn't enough, otherwise looks good :) Thank you! |
By "using different keys will be fine", do you mean that you will use two It will be very helpful if you can share me the complete Caddyfile configuration in your mind :) Thanks! |
If I understand your case correctly, I think the following configuration should work:
This is the result I got on my Mac: # IPv4 case (1r/m)
$ curl -w "%{http_code}" 'http://localhost/foo'
200
$ curl -w "%{http_code}" 'http://localhost/foo'
429
# IPv6 case (2r/m)
$ curl -g -6 -w "%{http_code}" 'http://[::1]/foo'
200
$ curl -g -6 -w "%{http_code}" 'http://[::1]/foo'
200
$ curl -g -6 -w "%{http_code}" 'http://[::1]/foo'
429 And the corresponding DEBUG logs (for the above two 429s):
|
Hello, I just wanted to say thank you, it was quite fast with adding that feature. I have currently deployed with your example configuration and it works like a charm. The only question I have what if I want to white list some IPv4 adress block like 192.168.1.0/24 (no limits at all)
Thanks! |
Caddy supports a not matcher, you can try this configuration for IPv4 case:
|
Hello, I do really appreciate your help, this works like a charm! Enabled IPv6 back and deployed to production for a few million of users. Thank you so much! |
Hello, Sorry for reopening this again but looks like somebody was able to bypass
So I don't think that remote host is what I should be using as the number of connections is not rate limited:
741 & 1312 are the total number of connections. My caddy config:
After that I've modified rate limit plugin it and disabled using "X-Forwarded-For" here: caddy-ext/ratelimit/ratelimit.go Line 245 in ec25422
and now everything looks quite good.
Thanks! |
Hello, I think these plugin names are confusing here ;) In our discussion there are two types of plugins in Caddy:
The evaluation of caddy-ext/ratelimit/ratelimit.go Lines 242 to 243 in ec25422
As you can see, the second parameter caddy-ext/ratelimit/ratelimit.go Lines 267 to 271 in ec25422
In conclusion, I think |
Hello, Thank you so much for your kind reply and explanation! Understood now but I think somehow somebody was bypassing * Thanks! |
In theory, your modified version of
Here are some questions I think we need to figure out:
|
Hello, Sorry about the late reply but everything has been working like a charm! Well the issue I had wasn't related to this plugin. I'll report if any issues will arise. Thank you! |
Glad to hear that! Feel free to open new issues if needed :) |
Hello,
First of all, thank you for a great library that helps rate-limiting the number of requests.
Secondly, I'm having an issue with IPv6 addresses. As you might know that a simple /64 block assigned to customer contains millions of IP addresses and simple
rate_limit * {remote.ip} 1r/m
just doesn't work as that customer could just use another IPv6 address from his own block.Do you have any suggestions or maybe some kind of a feature might be implemented to solve rate-limiting for the IPv6 by blocks as well?
Thanks!
The text was updated successfully, but these errors were encountered: