[limiter] Rate limiting does not work #1237
Comments
for vis: @dalf @return42 @tiekoetter
Tested on my instance: IPv4:
IPv6:
"is going to get not blocked again." .. I can't reproduce this behaviour .. in my tests, the sliding window works and blocks the following request .. @paul, can you please verify your test.
Well yeah, can you try with my instance? https://paulgo.io It happens there for me like this... (Though I did not update my instance for over 2 weeks, so the searxng container and redis have been running for over 2 weeks now)
About nginx -- from https://nginx.org/en/docs/http/ngx_http_proxy_module.html#variables
Does it mean the client can overwrite “X-Forwarded-For”?
I tested your instance and for me it works like @tiekoetter described "Refresh about once a second after getting blocked initially -> 429" .. what I mean; the sliding window works and blocks the following requests .. the limiter itself is IMO not buggy. The issue might be that the limiter identifies the request origin by the entire string of: searxng/searx/plugins/limiter.py Line 42 in de0c4d7
If the client sets an “X-Forwarded-For” header and changes the value with each request, the entire string changes with each request.
I think it should be handled by the web server, like nginx, not the backend application, like searxng. For example, using It should be the web server's (or reverse proxy's) responsibility that the
That is absolutely true .. but what if the proxy in front of the app is just one proxy in a chain of proxies .. at best the first incoming HTTP server should fix (reset) the searxng/utils/templates/etc/nginx/default.apps-available/searxng.conf:filtron Lines 8 to 9 in ea0cddb
We (the developers) do not know how many proxies are in front of the app, so I thought it might be better if we add a configuration option to select what position in the
Why not use If there is a chain of proxies, only the first incoming one needs to set
That's true .. but what if the SearXNG admin does not have the permissions to modify the setup of the first incoming proxy? ..
BTW we have the same issue in the self-info plugin, where we select the first item (#1237 (comment)): searxng/searx/plugins/self_info.py Lines 37 to 40 in ea0cddb
The setup of the proxy must pass a correct I don't know what more we can do .. I think this issue can now be closed (if not, ask to reopen:
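The approach discussed in the comments above, as an added example that is not SearXNG's own code: instead of keying the limiter on the whole X-Forwarded-For string, pick the entry written by the outermost trusted proxy, with the number of trusted proxies as an assumed configuration option (`trusted_proxies`), and fall back to the TCP peer when the header cannot be trusted.

```python
# Added example (not SearXNG's own code): a stable per-client key for the limiter
# from X-Forwarded-For. `trusted_proxies` is an assumed config option giving the
# number of our own reverse proxies that append to the header.
from ipaddress import ip_address


def naive_client_key(xff_header: str) -> str:
    """Key on the whole header; a client varying the header gets a new key per request."""
    return xff_header.strip()


def client_ip_from_xff(xff_header: str, trusted_proxies: int, remote_addr: str) -> str:
    """Return the address the outermost trusted proxy received the request from.

    Each proxy appends the peer it saw, so the rightmost entries were written by
    our own proxies: with N trusted proxies the N-th entry from the right is the
    client, everything left of it is client-controlled and ignored. Fall back to
    remote_addr (the TCP peer) if the header is missing, too short or not an IP.
    """
    if trusted_proxies <= 0:
        return remote_addr  # app exposed directly: the header is untrusted
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return remote_addr  # fewer hops than configured proxies: misconfiguration
    try:
        return str(ip_address(hops[-trusted_proxies]))  # normalises IPv6 spelling
    except ValueError:
        return remote_addr


def limiter_keys(requests, trusted_proxies: int):
    """(naive_keys, hardened_keys) for a list of (xff_header, remote_addr) pairs."""
    naive = {naive_client_key(xff) for xff, _ in requests}
    hardened = {client_ip_from_xff(xff, trusted_proxies, ra) for xff, ra in requests}
    return naive, hardened


# Constructed sample: one client (203.0.113.9) behind a single trusted proxy
# (10.0.0.2); the leftmost entry is supplied by the client and differs each time.
SAMPLE_REQUESTS = [
    ("192.0.2.1, 203.0.113.9", "10.0.0.2"),
    ("192.0.2.2, 203.0.113.9", "10.0.0.2"),
    ("198.51.100.7, 203.0.113.9", "10.0.0.2"),
]

if __name__ == "__main__":
    naive, hardened = limiter_keys(SAMPLE_REQUESTS, trusted_proxies=1)
    print("naive keys:", len(naive))      # 3: the limiter never sees a repeat
    print("hardened keys:", hardened)      # {'203.0.113.9'}
```

With `trusted_proxies=1` all three constructed requests collapse onto one key, so the sliding window counts them together; the whole-string key sees three unrelated clients.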
Version of SearXNG, commit number if you are using on master branch and stipulate if you forked SearXNG
How did you install SearXNG?
Using the scripts as well as with docker.
What happened?
The limiter plugin does not rate limit requests and uses the X-Forwarded-For header, which could easily be set by a client request.
How To Reproduce
1. Make 15 /search requests in 20sec to trigger rate limiting.
2. Make another search request, which is going to get blocked with a HTTP 429 response.
3. Make another /search request which is going to get not blocked again.
Expected behavior
The IP should get blocked for a specific amount of time, with a timeout value for example. So an offending host could get blocked for like 2 hours, for example.
Screenshots & Logs
Additional context
Another problem is that the IP is read from a header. In an improper setup the IP could maybe not be in that header, or a client could abuse this and set the header themselves. The IP should be gotten from a trusted source... (Maybe the request lib has something to get the IP?)