ip ratelimiting when using a proxy like cloudflare

[mrcoles]

If you are using the 'ip' ratelimitnig key and a proxy like cloudflare, then it will always return the same ipaddress, which could be disastrous.

A simple cloudflare solution would be for users of this library to create their own callable for the key as such:

def get_client_ip(request):
    return request.META.get('HTTP_CF_CONNECTING_IP') or request.META['REMOTE_ADDR']

@ratelimit(key=get_client_ip, rate='10/m')
def dummy_view(request):
    # view code in here

However, I wonder if there's a more general solution for using X-FORWARDED-FOR or if that's too easily spoofed? A change in utils.py like:

def _ip(request):
    return (request.META['HTTP_X_FORWARDED_FOR'].split(',')[-1]
            if request.get('HTTP_X_FORWARDED_FOR') else request.META['REMOTE_ADDR'])

def user_or_ip(request):
    return str(request.user.pk) if request.user.is_authenticated() else _ip(request)

_SIMPLE_KEYS = {
    'ip': _ip,
    'user': lambda r: str(r.user.pk),
    'user_or_ip': user_or_ip,
}

Does anyone know what risks there could be in using x-forwarded-for?

[jsocol]

I've answered this probably half a dozen times: this is too deployment-specific to do securely in a general solution. It's too big a footgun, and ratelimit is the wrong place for it. There are reasons and suggestions here: https://django-ratelimit.readthedocs.org/en/latest/security.html#client-ip-address

[mrcoles]

Ah, my brain must have skipped right over the "Note" on the keys page. Seems reasonable enough. Thanks.

[9mido]

Not sure if this is relevant but what if you did this?

https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs-Logging-visitor-IP-addresses-with-mod-cloudflare-

Typical behavior:

https://support.cloudflare.com/hc/en-us/articles/201897700-Allowing-Cloudflare-IP-addresses

[jsocol]

Hi @9mido, please see the previous comment and documentation about client IP address.