
use the IP address passed by reverse proxy in rate-limiter

anarcat requested to merge ratelimit-right-ip into main

Previous work to fix the rate limiter was, in my opinion, incomplete because the rate limiter still uses the IP address it gets from Django, which is the REMOTE_ADDR environment variable set in the application environment, which is typically 127.0.0.1.

At least that's what our logs showed until I tweaked the view to show the "proper" IP address in 467c03a7 (properly pick the X-Forwarded-For header for the rate limiter, 2024-09-10). But that fix was only cosmetic: it didn't change which IP address the rate limiter acted upon, which is based on the RATELIMIT_IP_META_KEY variable, which defaults to request.META['REMOTE_ADDR'].

Now we reuse our existing get_client_ip hack and pass it the right dict to get the IP address from the reverse proxy X-Forwarded-For header.

The only question remaining is whether we actually need to call get_client_ip from the RateLimiter view. The RATELIMIT_VIEW variable documentation (in docs/usage.rst) seems to hint the request object is properly modified when passed to the view:

RATELIMIT_VIEW will get two arguments, the request object (after ratelimit processing) and the exception.

... but I wouldn't assume as much, and leaving it there is probably harmless.

Closes: #128 (closed)

See also: #127 (closed), which needs testing

Edited by anarcat
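The merge request above keys the rate limiter on X-Forwarded-For rather than REMOTE_ADDR. The security detail that matters when doing this is which entry of the header to trust: the leftmost entry is whatever the client chose to send, while the entry the reverse proxy itself appended sits at the right end. The following is an added example, not the project's own get_client_ip nor code from django-ratelimit; the META dicts, the TRUSTED_PROXIES list and the function names are constructed for illustration. It walks the header from the right, skipping addresses that belong to our own proxies, and only consults the header at all when REMOTE_ADDR is a trusted proxy, so a client connecting directly cannot spoof its way into someone else's bucket.

```python
import ipaddress

# Constructed META dicts in the shape a WSGI server (and Django's request.META)
# presents them.  Not captured from the project's deployment.
PROXY_ONLY_META = {
    "REMOTE_ADDR": "127.0.0.1",          # the reverse proxy on localhost
    "HTTP_X_FORWARDED_FOR": "203.0.113.7",
}
SPOOFED_META = {
    "REMOTE_ADDR": "127.0.0.1",
    # The client sent its own X-Forwarded-For header; the proxy appended
    # the real peer address after it.  Only the rightmost entry is ours.
    "HTTP_X_FORWARDED_FOR": "198.51.100.1, 203.0.113.7",
}
DIRECT_META = {
    "REMOTE_ADDR": "203.0.113.9",        # no proxy in front at all
    "HTTP_X_FORWARDED_FOR": "10.0.0.1",  # client-supplied, must be ignored
}

# Assumed deployment: the proxy talks to the application over loopback.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def _is_trusted(ip_str, trusted):
    """True if ip_str parses and falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_from_meta(meta, trusted=TRUSTED_PROXIES):
    """Return the address the rate limiter should key on.

    If REMOTE_ADDR is not one of our proxies the request came in directly,
    so X-Forwarded-For is attacker-controlled and REMOTE_ADDR is the truth.
    Otherwise walk X-Forwarded-For from the right (the end our proxy wrote)
    and return the first hop that is not a trusted proxy.
    """
    remote = meta.get("REMOTE_ADDR", "")
    if not _is_trusted(remote, trusted):
        return remote
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    # Header absent or every hop is one of our proxies: fall back.
    return remote


def naive_leftmost_ip(meta):
    """The common mistake, kept for contrast: trust the first entry, which
    is whatever the client put there."""
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return meta.get("REMOTE_ADDR", "")


if __name__ == "__main__":
    for name, meta in (("proxy only", PROXY_ONLY_META),
                       ("spoofed", SPOOFED_META),
                       ("direct", DIRECT_META)):
        print(f"{name:10s} rightmost-untrusted={client_ip_from_meta(meta)}"
              f"  naive-leftmost={naive_leftmost_ip(meta)}")
```

With the constructed SPOOFED_META the naive version returns 198.51.100.1, the address the client chose, which would let a client rotate through throwaway values and never hit the limit; the right-to-left walk returns 203.0.113.7 in both the plain and the spoofed case. django-ratelimit documents RATELIMIT_IP_META_KEY as accepting a callable that receives request.META, so a function of this shape can be configured there directly instead of a META key name; check that against the version of django-ratelimit actually installed before relying on it, and keep TRUSTED_PROXIES in step with the real proxy addresses, since a proxy that is not listed will be reported as the client.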
