Add per-IP rate limiting middleware with registration and content velocity limiting#959
Conversation
…ocity limiting Sliding-window per-IP rate limiter with livesettings configuration: - Configurable requests/window, cache size, optional ban command - Uses X-Forwarded-For for correct IP detection behind reverse proxies - ASKBOT_INTERNAL_IPS whitelist bypasses rate limiting - Per-IP registration rate limiting on signup/register endpoints - Content velocity limiting for watched users (opt-in, default off) Rate-limited requests get a _ratelimited attribute for integration with the request logging middleware.
|
Issue: on production deployments the per IP events should not be stored in per-process memory, but should be somehow shared between the replicas of the application, to insure that the counts are correct. Perhaps cache store or even the database could be used for that. An idea - limits could be applied towards per-subnet events; also subnets could be allow-listed if safe subnets are known. |
|
@sdeibel here is the final PR: #968 I've made changes on top of your PR:
What's not done: I've considered the ratelimit exemption for the admins and moderators, perhaps it could be added later. Also DNS zone files can be downloaded and examined to discover the source subnets for blocking, but some classification would be needed - perhaps with AI. |
Sliding-window per-IP rate limiter with livesettings configuration:
Rate-limited requests get a _ratelimited attribute for integration with the request logging middleware.