ip ratelimiting when using a proxy like cloudflare #55

Closed
mrcoles opened this Issue Nov 5, 2014 · 2 comments

@mrcoles

mrcoles commented Nov 5, 2014

If you are using the 'ip' ratelimiting key and a proxy like Cloudflare, then it will always return the same IP address, which could be disastrous.

A simple cloudflare solution would be for users of this library to create their own callable for the key as such:

from django.http import HttpResponse
from ratelimit.decorators import ratelimit

def get_client_ip(request):
    # Cloudflare sets CF-Connecting-IP to the original client address;
    # fall back to the socket peer address when the header is absent
    return request.META.get('HTTP_CF_CONNECTING_IP') or request.META['REMOTE_ADDR']

@ratelimit(key=get_client_ip, rate='10/m')
def dummy_view(request):
    # view code in here
    return HttpResponse('ok')

However, I wonder if there's a more general solution for using X-FORWARDED-FOR or if that's too easily spoofed? A change in utils.py like:

def _ip(request):
    # use the last (rightmost) hop of X-Forwarded-For when present,
    # otherwise the socket peer address
    return (request.META['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()
            if request.META.get('HTTP_X_FORWARDED_FOR') else request.META['REMOTE_ADDR'])

def user_or_ip(request):
    return str(request.user.pk) if request.user.is_authenticated() else _ip(request)

_SIMPLE_KEYS = {
    'ip': _ip,
    'user': lambda r: str(r.user.pk),
    'user_or_ip': user_or_ip,
}

Does anyone know what risks there could be in using x-forwarded-for?
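The spoofing risk asked about above comes from trusting a client-controlled header unconditionally: anyone can send X-Forwarded-For (or CF-Connecting-IP) directly to the origin and land in whichever rate-limit bucket they like. The usual defence is to honour those headers only when the TCP peer (REMOTE_ADDR) is one of your own proxies, and, for X-Forwarded-For, to walk the hop list from the right and take the first address that is not one of those proxies. The following is an added example (not code from this issue or from django-ratelimit) of a key callable built that way; it assumes a hand-maintained `TRUSTED_PROXIES` list, which django-ratelimit does not provide, and uses a `FakeRequest` stand-in so it runs without Django:

```python
import ipaddress

# Constructed for this example: address ranges of proxies whose forwarding
# headers we trust. Assumption: in a real deployment this comes from your own
# settings; django-ratelimit has no such setting.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),     # internal load balancers
    ipaddress.ip_network("192.0.2.10/32"),  # stand-in for an edge proxy node
]


class FakeRequest:
    """Minimal stand-in for django.http.HttpRequest; only .META is used."""

    def __init__(self, meta):
        self.META = meta


def _parse_ip(value):
    """Return an ip_address object, or None if the value is not a valid address."""
    try:
        return ipaddress.ip_address(value.strip())
    except (ValueError, AttributeError):
        return None


def _is_trusted_proxy(value):
    ip = _parse_ip(value)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(request):
    """Rate-limit key: the client address, trusting proxy headers only when the
    connection actually arrived from a trusted proxy.

    Order of preference:
      1. REMOTE_ADDR if the peer is not a trusted proxy; every forwarding header
         is ignored, so a direct client cannot pick its own bucket.
      2. CF-Connecting-IP if present and valid (a single address set by the edge).
      3. The rightmost untrusted hop in X-Forwarded-For; hops appended by our own
         proxies are skipped, anything the client prepended is never reached.
      4. REMOTE_ADDR when the headers are missing or contain garbage.
    """
    remote = request.META.get("REMOTE_ADDR", "")
    if not _is_trusted_proxy(remote):
        return remote

    cf = _parse_ip(request.META.get("HTTP_CF_CONNECTING_IP", ""))
    if cf is not None:
        return str(cf)

    hops = request.META.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue
        ip = _parse_ip(hop)
        # first non-proxy hop is the client; an unparseable hop falls back
        return str(ip) if ip is not None else remote
    return remote


# Usage with the library would be: @ratelimit(key=client_ip, rate='10/m')
if __name__ == "__main__":
    spoofed = FakeRequest({"REMOTE_ADDR": "203.0.113.5",
                           "HTTP_X_FORWARDED_FOR": "1.2.3.4"})
    behind_proxy = FakeRequest({"REMOTE_ADDR": "10.1.2.3",
                                "HTTP_X_FORWARDED_FOR": "1.2.3.4, 203.0.113.5, 10.0.0.7"})
    print(client_ip(spoofed), client_ip(behind_proxy))
```

The point of the walk from the right is that each proxy appends the peer it saw, so the addresses your own proxies added are trustworthy while anything to their left was supplied by the client; if the whole chain turns out to be your proxies or the header is garbage, the key degrades to REMOTE_ADDR rather than to an attacker-chosen value.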

@jsocol

Owner

jsocol commented Nov 5, 2014

I've answered this probably half a dozen times: this is too deployment-specific to do securely in a general solution. It's too big a footgun, and ratelimit is the wrong place for it. There are reasons and suggestions here: https://django-ratelimit.readthedocs.org/en/latest/security.html#client-ip-address

@jsocol jsocol closed this Nov 5, 2014

@mrcoles

mrcoles commented Nov 5, 2014

Ah, my brain must have skipped right over the "Note" on the keys page. Seems reasonable enough. Thanks.
