From b4bfc27b1909e5b1affbb8a8fa9df3b59c6deea1 Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Mon, 18 Nov 2019 15:54:50 +1100
Subject: [PATCH] FEATURE: introduce default application level rate limiting by IP

We have tested rate limiting with admin accounts with block rate limiting for close to 12 months now on meta.discourse.org. This has resulted in no degradation of services even to admin accounts that request a lot of info from the site. The default of 200 requests a minute and 50 per 10 seconds is very generous. It simply protects against very aggressive clients. This setting can be disabled or tweaked using: DISCOURSE_MAX_REQS_PER_IP_MODE and family. The only big downside here is in cases when a very large number of users tend to all come from a single IP. This can be the case on sites accessing Discourse from an internal network all sharing the same IP via NAT. Or a misconfigured Discourse that is unable to resolve IP addresses of users due to proxy mis-configuration.
---
 config/discourse_defaults.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/discourse_defaults.conf b/config/discourse_defaults.conf
index 2b0bd3149b3..17146b1cac5 100644
--- a/config/discourse_defaults.conf
+++ b/config/discourse_defaults.conf
@@ -212,7 +212,7 @@ max_reqs_per_ip_per_10_seconds = 50
 max_asset_reqs_per_ip_per_10_seconds = 200
 # global rate limiter will simply warn if the limit is exceeded, can be warn+block, warn, block or none
-max_reqs_per_ip_mode = none
+max_reqs_per_ip_mode = block
 # bypass rate limiting any IP resolved as a private IP
 max_reqs_rate_limit_on_private = false
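Review bot: The context comment directly above `max_reqs_per_ip_mode` still says the global rate limiter "will simply warn if the limit is exceeded", which described the old `none`/`warn` defaults and is now wrong for the new default `block`; an operator reading the shipped defaults file will not learn that exceeding the per-IP limits above now rejects requests rather than logging them. I would replace that comment with `# global rate limiter: warn+block, warn, block or none. Default is block, which rejects requests from any IP that exceeds the limits above` and add a second line `# if many users share one IP (NAT, or a reverse proxy that does not pass the client address through), set this to warn or none before going live`. The commit message says the mode can be overridden with the `DISCOURSE_MAX_REQS_PER_IP_MODE` environment variable; since the defaults file is where operators look first, the comment should name that override too, if it is indeed how this file's keys are exposed. The hunk does not touch `max_reqs_rate_limit_on_private`, but note that with `block` on by default its `false` value means an IP that resolves as private is exempt entirely, so a proxy mis-configuration that presents a private source address fails open rather than closed — worth a one-line caveat on that key as well.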