ip ratelimiting when using a proxy like cloudflare #55

mrcoles opened this Issue Nov 5, 2014 · 2 comments

mrcoles commented Nov 5, 2014

If you are using the 'ip' ratelimiting key and a proxy like cloudflare, then it will always return the same IP address, which could be disastrous.

A simple cloudflare solution would be for users of this library to create their own callable for the key as such:

from ratelimit.decorators import ratelimit

def get_client_ip(request):
    # Cloudflare sets CF-Connecting-IP to the address it saw; REMOTE_ADDR is
    # only the Cloudflare edge, so it is just the fallback.
    return request.META.get('HTTP_CF_CONNECTING_IP') or request.META['REMOTE_ADDR']

@ratelimit(key=get_client_ip, rate='10/m')
def dummy_view(request):
    # view code in here
    ...

However, I wonder if there's a more general solution for using X-FORWARDED-FOR or if that's too easily spoofed? A change like:

def _ip(request):
    # Take the rightmost X-Forwarded-For entry (the one appended by the last
    # proxy); fall back to the socket peer when the header is absent.
    forwarded = request.META.get('HTTP_X_FORWARDED_FOR')
    if forwarded:
        return forwarded.split(',')[-1].strip()
    return request.META['REMOTE_ADDR']

def user_or_ip(request):
    # Assumed: the user key is the user's primary key, as in the 'user' key below.
    return str(request.user.pk) if request.user.is_authenticated() else _ip(request)

_SIMPLE_KEYS = {  # name of the key lookup table assumed
    'ip': _ip,
    'user': lambda r: str(r.user.pk),
    'user_or_ip': user_or_ip,
}

Does anyone know what risks there could be in using x-forwarded-for?
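As an added example, not code from this issue or from the ratelimit project, this is the shape a deployment-specific key callable takes when it answers the spoofing question: X-Forwarded-For is only consulted when the socket peer is one of your own proxies, and it is walked from the right so that anything the client itself put in the header is never reached. The TRUSTED_PROXIES ranges are constructed placeholders, and client_ip_key assumes the same single-argument signature as get_client_ip in the post above.

```python
import ipaddress

# Constructed example: the address ranges of the proxies we actually operate
# or that our CDN publishes. This list is deployment-specific, which is why
# a library cannot safely ship a general X-Forwarded-For key.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

def _parse(addr):
    """Return an ip_address object, or None if the text is not a bare IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None

def _trusted(ip, trusted):
    return any(ip in net for net in trusted)

def client_ip(meta, trusted=TRUSTED_PROXIES):
    """Resolve the client address from a WSGI-style META dict.

    REMOTE_ADDR is the only hop that provably connected to us. Unless it is
    one of our proxies, X-Forwarded-For is client-controlled and ignored.
    Otherwise the header is walked from the right, dropping every trusted
    hop; the first remaining address is the one our outermost proxy saw.
    """
    remote = _parse(meta.get("REMOTE_ADDR", ""))
    if remote is None:
        return None
    if not _trusted(remote, trusted):
        return str(remote)
    for hop in reversed(meta.get("HTTP_X_FORWARDED_FOR", "").split(",")):
        ip = _parse(hop)
        if ip is None:      # malformed hop: a trusted proxy would not write this,
            break           # so stop rather than trust anything left of it
        if not _trusted(ip, trusted):
            return str(ip)
    # Header missing or every hop was ours: bucket on the proxy itself rather
    # than on a value the client could choose.
    return str(remote)

def client_ip_key(request):
    """Key callable with the (assumed) single-argument shape used above."""
    return client_ip(request.META) or "unparseable"
```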




jsocol commented Nov 5, 2014

I've answered this probably half a dozen times: this is too deployment-specific to do securely in a general solution. It's too big a footgun, and ratelimit is the wrong place for it. There are reasons and suggestions here:

@jsocol jsocol closed this Nov 5, 2014



mrcoles commented Nov 5, 2014

Ah, my brain must have skipped right over the "Note" on the keys page. Seems reasonable enough. Thanks.
