Block mode for @waline/vercel #792
Mister-Hope started this conversation in Ideas
Replies: 1 comment 11 replies
-
All request headers can be faked by the user, including … If you watch the server code, you'll find the server just gets the user's IP from …
-
I am trying to find out a solution with #785. And here is my possible solution:

- A `TRACKIP` env variable, defaulting to false.
- `blockedIPS` in options.
- Record the `X-Forwarded-For` header and the remote addr when `TRACKIP` has a value, and also store them in a local log file (with also the API path, like `comment`, `visitor`).
- If the `X-Forwarded-For` header or the send addr matches any of the `blockedIPS`, return 403 status code directly.

Reason

In most situations, the attackers should hold limited IPs sending these requests. (We are not facing large attacks like DDoS; if so, the user probably needs a paid firewall.)

The attacker's real IP should be one of the `X-Forwarded-For` IPs or the connect IP. And when under high-frequency attacks, it's easy to find his real IP. Users can block his IP by adding the nearest unchanged IP on the right in the `X-Forwarded-For` header. That should block the attackers.

More aggressively, we can also have a `SECURE` env variable, which will record all the IPs in the `X-Forwarded-For` header and block them with `IPQPS`, except those in `permitedIPS`.

@lizheming @ihackerx
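The proposal above (blocklist on the `X-Forwarded-For` chain, `TRACKIP` logging, `SECURE` + `IPQPS`) and the reply that request headers can be faked, worked through as an added example in JavaScript, the language of `@waline/vercel`. This is not Waline's code and not the maintainers' implementation; `TRACKIP`, `blockedIPS`, `permitedIPS`, `SECURE` and `IPQPS` are the names from the proposal, while `trustedHops`, `forwardedChain`, `realClientIp`, `createIpGuard`, the request shape, and the reading of `IPQPS` as "requests per second per IP" are assumptions made for this example. The sample IPs are constructed.

```javascript
'use strict';

// Added example, not Waline's code. TRACKIP, blockedIPS, permitedIPS, SECURE and
// IPQPS are the names used in the proposal; `trustedHops`, `forwardedChain`,
// `realClientIp`, `createIpGuard` and the reading of IPQPS as "requests per
// second per IP" are assumptions made for this example.

// Split X-Forwarded-For into its entries and append the TCP peer address, so
// the whole chain (client-supplied entries first, proxy-appended entries last)
// can be inspected.
function forwardedChain(xffHeader, remoteAddr) {
  const ips = String(xffHeader || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  ips.push(remoteAddr);
  return ips;
}

// Everything left of the entries appended by our own proxies is attacker
// controlled. With `trustedHops` trusted proxies in front of the app, the last
// `trustedHops` entries were written by them, and the entry just before those
// is the "nearest unchanged IP on the right": the peer that actually connected
// to the first trusted proxy. trustedHops = 0 means the app is exposed directly.
function realClientIp(chain, trustedHops) {
  return chain[Math.max(0, chain.length - 1 - trustedHops)];
}

function createIpGuard(options) {
  const blocked = new Set(options.blockedIPS || []);
  const permitted = new Set(options.permitedIPS || []);
  const trustedHops = options.trustedHops ?? 1;
  const ipqps = options.IPQPS ?? 5;
  const log = options.log || (() => {});
  const hits = new Map(); // ip -> timestamps (ms) of requests in the last second

  function overLimit(ip, now) {
    const recent = (hits.get(ip) || []).filter((t) => now - t < 1000);
    recent.push(now);
    hits.set(ip, recent);
    return recent.length > ipqps;
  }

  // Decide on one request; status 200 means "let it through".
  // `now` is injectable so the rate limiter can be exercised deterministically.
  return function check(req, now = Date.now()) {
    const chain = forwardedChain(req.headers['x-forwarded-for'], req.remoteAddr);
    const clientIp = realClientIp(chain, trustedHops);
    if (options.TRACKIP) log({ path: req.path, clientIp, chain });

    // Allowlist: only the proxy-derived client IP counts. Matching the
    // attacker-controlled entries here would let anyone bypass the guard by
    // sending "X-Forwarded-For: <permitted ip>".
    if (permitted.has(clientIp)) return { status: 200, clientIp, chain };

    // Blocklist: match any entry in the chain. Spoofing a blocked IP into
    // X-Forwarded-For only hurts the sender, so matching the whole chain is safe.
    if (chain.some((ip) => blocked.has(ip))) return { status: 403, clientIp, chain };

    // SECURE mode: rate-limit every untrusted entry (never our own proxies), so an
    // attacker who keeps injecting the same spoofed prefix is throttled even when
    // the real exit IP rotates.
    if (options.SECURE) {
      const untrusted = chain.slice(0, Math.max(1, chain.length - trustedHops));
      const throttled = untrusted.filter((ip) => !permitted.has(ip) && overLimit(ip, now));
      if (throttled.length > 0) return { status: 429, clientIp, chain, throttled };
    }
    return { status: 200, clientIp, chain };
  };
}
```

The one setting that has to be right is `trustedHops`: it must equal the number of proxies that actually sit in front of the app. If it is too high, `realClientIp` lands on an attacker-supplied entry and the allowlist becomes spoofable; if it is too low, every visitor is reported as the proxy's own address and a single block entry takes the whole site offline. The blocklist, by contrast, can safely be matched against the whole chain, because a client gains nothing by forging a blocked address into its own request.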