FEATURE: introduce default application level rate limiting by IP
We have tested rate limiting with admin accounts with block rate limiting for close to 12 months now on meta.discourse.org. This has resulted in no degradation of services even to admin accounts that request a lot of info from the site.

The default of 200 requests a minute and 50 per 10 seconds is very generous. It simply protects against very aggressive clients. This setting can be disabled or tweaked using DISCOURSE_MAX_REQS_PER_IP_MODE and family.

The only big downside here is in cases when a very large number of users tend to all come from a single IP. This can be the case on sites accessing Discourse from an internal network all sharing the same IP via NAT, or on a misconfigured Discourse that is unable to resolve IP addresses of users due to proxy misconfiguration.
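The commit message describes the behaviour of the new default (50 requests per 10 seconds, 200 per minute, per IP, in `block` mode, with private addresses exempt) but the rendered diff above only shows the changed defaults. The following Ruby sketch is an added example, not Discourse's own implementation (which is middleware backed by Redis): it models the four modes `none`, `warn`, `block` and `warn+block`, the two-window limit, and the private-IP bypass, so the effect of each setting on a burst of requests can be checked offline. Class and method names, the in-memory timestamp buckets, and the choice to count blocked requests toward the window are all assumptions of this example.

```ruby
require "ipaddr"

# Illustrative per-IP request limiter modelled on the defaults in this commit.
# Added example code, not Discourse's implementation; names are assumptions.
class IpRequestLimiter
  Limit = Struct.new(:window_seconds, :max_requests)

  attr_reader :warnings

  # mode mirrors max_reqs_per_ip_mode: "none", "warn", "block" or "warn+block".
  # limit_private mirrors max_reqs_rate_limit_on_private (false = bypass private IPs).
  # limits mirror max_reqs_per_ip_per_10_seconds = 50 and 200 per minute.
  def initialize(mode: "block", limit_private: false,
                 limits: [Limit.new(10, 50), Limit.new(60, 200)])
    @mode = mode
    @limit_private = limit_private
    @limits = limits
    @buckets = Hash.new { |h, k| h[k] = [] } # ip -> timestamps of recent requests
    @warnings = []                           # what "warn" would have logged
  end

  # Record one request from +ip+ at time +now+ (seconds, float).
  # Returns :allowed, :warned (over limit but served) or :blocked.
  def track(ip, now = Time.now.to_f)
    return :allowed if @mode == "none"
    return :allowed if !@limit_private && IPAddr.new(ip).private?

    stamps = @buckets[ip]
    longest = @limits.map(&:window_seconds).max
    stamps.reject! { |t| t <= now - longest } # forget requests outside every window

    # The first window whose budget is already used up by earlier requests.
    exceeded = @limits.find do |l|
      stamps.count { |t| t > now - l.window_seconds } >= l.max_requests
    end

    stamps << now # assumption: every request, served or not, counts toward the window
    return :allowed unless exceeded

    if @mode.include?("warn")
      @warnings << "#{ip} exceeded #{exceeded.max_requests} requests in #{exceeded.window_seconds}s"
    end
    @mode.include?("block") ? :blocked : :warned
  end
end

# Drive +count+ requests from +ip+ spaced +spacing+ seconds apart, starting at t=0.
# Returns the per-request outcomes so a burst can be inspected end to end.
def simulate(limiter, ip, count, spacing)
  Array.new(count) { |i| limiter.track(ip, i * spacing) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: 51 requests in 5 seconds from a public (TEST-NET-3) address.
  limiter = IpRequestLimiter.new
  results = simulate(limiter, "203.0.113.7", 51, 0.1)
  puts "public IP, block mode: #{results.tally}"        # 50 allowed, 1 blocked
  puts "private IP, same burst: #{simulate(IpRequestLimiter.new, "10.0.0.1", 51, 0.1).tally}"
end
```

Setting `limit_private: true` shows what happens on a NAT deployment where every user arrives from one address: the whole office is blocked after the 50th request in any 10-second window, which is the failure mode the commit message calls out and the reason the `warn` mode exists for diagnosing such deployments before enabling `block`.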
parent e2ccb0c608
commit b4bfc27b19
@ -212,7 +212,7 @@ max_reqs_per_ip_per_10_seconds = 50
|
||||||
max_asset_reqs_per_ip_per_10_seconds = 200
|
max_asset_reqs_per_ip_per_10_seconds = 200
|
||||||
|
|
||||||
# global rate limiter will simply warn if the limit is exceeded, can be warn+block, warn, block or none
|
# global rate limiter will simply warn if the limit is exceeded, can be warn+block, warn, block or none
|
||||||
max_reqs_per_ip_mode = none
|
max_reqs_per_ip_mode = block
|
||||||
|
|
||||||
# bypass rate limiting any IP resolved as a private IP
|
# bypass rate limiting any IP resolved as a private IP
|
||||||
max_reqs_rate_limit_on_private = false
|
max_reqs_rate_limit_on_private = false
|
||||||
|
|
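Review bot: the comment above `max_reqs_per_ip_mode` still says the global rate limiter "will simply warn if the limit is exceeded", but this hunk changes the default from `none` to `block`, so the comment now contradicts the value directly beneath it; reword it to something like `# global rate limiter mode: warn+block, warn, block or none (default: block)`. The same comment is also the natural place to record the caveat from the commit message: sites where many users share one public IP (NAT, or a proxy misconfiguration that leaves user IPs unresolved) should set DISCOURSE_MAX_REQS_PER_IP_MODE to `warn` or `none`, because `max_reqs_rate_limit_on_private = false` only exempts addresses that resolve as private.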