Skip to content

Add per-IP rate limiting middleware with registration and content velocity limiting#959

Merged
evgenyfadeev merged 1 commit into
ASKBOT:masterfrom
sdeibel:pr/01-rate-limiting
May 22, 2026
Merged

Add per-IP rate limiting middleware with registration and content velocity limiting#959
evgenyfadeev merged 1 commit into
ASKBOT:masterfrom
sdeibel:pr/01-rate-limiting

Conversation

@sdeibel

@sdeibel sdeibel commented Apr 9, 2026

Copy link
Copy Markdown

Sliding-window per-IP rate limiter with livesettings configuration:

  • Configurable requests/window, cache size, optional ban command
  • Uses X-Forwarded-For for correct IP detection behind reverse proxies
  • ASKBOT_INTERNAL_IPS whitelist bypasses rate limiting
  • Per-IP registration rate limiting on signup/register endpoints
  • Content velocity limiting for watched users (opt-in, default off)

Rate-limited requests get a _ratelimited attribute for integration with the request logging middleware.

…ocity limiting

Sliding-window per-IP rate limiter with livesettings configuration:
- Configurable requests/window, cache size, optional ban command
- Uses X-Forwarded-For for correct IP detection behind reverse proxies
- ASKBOT_INTERNAL_IPS whitelist bypasses rate limiting
- Per-IP registration rate limiting on signup/register endpoints
- Content velocity limiting for watched users (opt-in, default off)

Rate-limited requests get a _ratelimited attribute for integration
with the request logging middleware.
@evgenyfadeev

evgenyfadeev commented Apr 13, 2026

Copy link
Copy Markdown
Member

Issue: on production deployments the per IP events should not be stored in per-process memory, but should be somehow shared between the replicas of the application, to insure that the counts are correct. Perhaps cache store or even the database could be used for that.

An idea - limits could be applied towards per-subnet events; also subnets could be allow-listed if safe subnets are known.

@evgenyfadeev

evgenyfadeev commented May 22, 2026

Copy link
Copy Markdown
Member

@sdeibel here is the final PR: #968

I've made changes on top of your PR:

  • use django-ratelimit app as the basis for the rate limiting - supports per subnet blocking
  • a setting to choose the width of the subnet rate-limiting buckets /32,/24,/16
  • subnet allowlists - exempt certain networks from the limits
  • improved ratelimited UX: ajax ratelimits trigger a banner warning, registration ratelimits show as form errors
  • fixed the window size to the defaults that you suggested - that reduces the number of settings.
  • optional high-rep bypass from the posting rate limits
  • supports ipv4 and ipv6
  • settings url is exempted from the ate-limits to avoid locking out the admins
  • also exempted is the i18n dictionary route - it is key for the JS functionalities.

What's not done:

I've considered the ratelimit exemption for the admins and moderators, perhaps it could be added later.
Also, perhaps high rep users may be exempted from the rate limits.
It's a bit dangerous because the admins can set the limits that are too low and not notice - so did not do that for now.
Although the allowlists carry the same danger.

Also DNS zone files can be downloaded and examined to discover the source subnets for blocking, but some classification would be needed - perhaps with AI.

@evgenyfadeev evgenyfadeev merged commit 96477e8 into ASKBOT:master May 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants