use the IP address passed by reverse proxy in rate-limiter

Previous work to fix the rate limiter was, in my opinion, incomplete because the rate limiter still uses the IP address it gets from Django, which is the REMOTE_ADDR environment set in the application environment, which is typically 127.0.0.1.

At least that's what our logs showed until I tweaked the view to show the "proper" IP address in 467c03a7 (properly pick the X-Forwarded-For header for the rate limiter, 2024-09-10). But that fix was only cosmetic: it didn't change which IP address the rate limiter acted upon, which is based on the RATELIMIT_IP_META_KEY variable, which defaults to request.META['REMOTE_ADDR'].

Now we reuse our existing get_client_ip hack and pass it the right dict to get the IP address from the reverse proxy X-Forwarded-For header.

The only question remaining is whether we actually need to call get_client_ip from the RateLimiter view. The RATELIMIT_VIEW variable documentation (in docs/usage.rst) seems to hint the request object is properly modified when passed to the view:

RATELIMIT_VIEW will get two arguments, the request object (after ratelimit processing) and the exception.

... but I wouldn't assume as much, and leaving it there is probably harmless.

Closes: #128 (closed)

See also: #127 (closed), which needs testing

Edited by anarcat
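
An added example, not code from this merge request or from the project: one way to derive the rate-limit key from X-Forwarded-For without letting clients choose their own bucket. It honours the header only when REMOTE_ADDR is a trusted proxy and takes the rightmost untrusted hop. Assumptions: the proxy appends the peer address to X-Forwarded-For, REMOTE_ADDR is always a valid IP, RATELIMIT_IP_META_KEY is set to a callable receiving the request (a form django-ratelimit documents), and the names `ratelimit_client_ip`, `is_trusted_proxy`, `make_request` and `TRUSTED_PROXIES` are hypothetical.

```python
import ipaddress
from types import SimpleNamespace

# Assumption: the reverse proxy runs on the same host, so only loopback peers are trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def ratelimit_client_ip(request):
    """Hypothetical callable for RATELIMIT_IP_META_KEY: the address to rate-limit on."""
    meta = request.META
    peer = ipaddress.ip_address(meta["REMOTE_ADDR"])
    if not is_trusted_proxy(peer):
        # Direct connection: any X-Forwarded-For here was written by the client.
        return str(peer)
    header = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own proxies,
    # everything to the left of the first untrusted hop is client-controlled.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop reading the header
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


def make_request(remote_addr, xff=None):
    """Constructed stand-in for a Django request; only META is used."""
    meta = {"REMOTE_ADDR": remote_addr}
    if xff is not None:
        meta["HTTP_X_FORWARDED_FOR"] = xff
    return SimpleNamespace(META=meta)


if __name__ == "__main__":
    # Constructed samples (documentation address ranges).
    print(ratelimit_client_ip(make_request("127.0.0.1", "203.0.113.7")))
    print(ratelimit_client_ip(make_request("127.0.0.1", "10.9.9.9, 198.51.100.4")))
    print(ratelimit_client_ip(make_request("198.51.100.4", "203.0.113.7")))
```

Keying on the leftmost X-Forwarded-For entry instead would let a client rotate that value per request and never hit the limit.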
