Merge branch 'reenable-rate-limit-and-remote-ip' into 'develop'
Re-enable rate limiter and enable remote ip See merge request pleroma/pleroma!2164
This commit is contained in:
commit
774cba84f5
4 changed files with 39 additions and 15 deletions
|
@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- **Breaking:** Pleroma won't start if it detects unapplied migrations
|
- **Breaking:** Pleroma won't start if it detects unapplied migrations
|
||||||
- **Breaking:** attachments are removed along with statuses. Does not affect duplicate files and attachments without status.
|
- **Breaking:** attachments are removed along with statuses. Does not affect duplicate files and attachments without status.
|
||||||
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
|
- **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
|
||||||
|
- **Breaking:** `Pleroma.Plugs.RemoteIp` and `:rate_limiter` enabled by default. Please ensure your reverse proxy forwards the real IP!
|
||||||
- **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default
|
- **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default
|
||||||
- **Breaking:** OAuth: defaulted `[:auth, :enforce_oauth_admin_scope_usage]` setting to `true` which demands `admin` OAuth scope to perform admin actions (in addition to `is_admin` flag on User); make sure to use bundled or newer versions of AdminFE & PleromaFE to access admin / moderator features.
|
- **Breaking:** OAuth: defaulted `[:auth, :enforce_oauth_admin_scope_usage]` setting to `true` which demands `admin` OAuth scope to perform admin actions (in addition to `is_admin` flag on User); make sure to use bundled or newer versions of AdminFE & PleromaFE to access admin / moderator features.
|
||||||
- **Breaking:** Dynamic configuration has been rearchitected. The `:pleroma, :instance, dynamic_configuration` setting has been replaced with `config :pleroma, configurable_from_database`. Please backup your configuration to a file and run the migration task to ensure consistency with the new schema.
|
- **Breaking:** Dynamic configuration has been rearchitected. The `:pleroma, :instance, dynamic_configuration` setting has been replaced with `config :pleroma, configurable_from_database`. Please backup your configuration to a file and run the migration task to ensure consistency with the new schema.
|
||||||
|
|
|
@ -596,11 +596,21 @@
|
||||||
config :http_signatures,
|
config :http_signatures,
|
||||||
adapter: Pleroma.Signature
|
adapter: Pleroma.Signature
|
||||||
|
|
||||||
config :pleroma, :rate_limit, authentication: {60_000, 15}
|
config :pleroma, :rate_limit,
|
||||||
|
authentication: {60_000, 15},
|
||||||
|
search: [{1000, 10}, {1000, 30}],
|
||||||
|
app_account_creation: {1_800_000, 25},
|
||||||
|
relations_actions: {10_000, 10},
|
||||||
|
relation_id_action: {60_000, 2},
|
||||||
|
statuses_actions: {10_000, 15},
|
||||||
|
status_id_action: {60_000, 3},
|
||||||
|
password_reset: {1_800_000, 5},
|
||||||
|
account_confirmation_resend: {8_640_000, 5},
|
||||||
|
ap_routes: {60_000, 15}
|
||||||
|
|
||||||
config :pleroma, Pleroma.ActivityExpiration, enabled: true
|
config :pleroma, Pleroma.ActivityExpiration, enabled: true
|
||||||
|
|
||||||
config :pleroma, Pleroma.Plugs.RemoteIp, enabled: false
|
config :pleroma, Pleroma.Plugs.RemoteIp, enabled: true
|
||||||
|
|
||||||
config :pleroma, :static_fe, enabled: false
|
config :pleroma, :static_fe, enabled: false
|
||||||
|
|
||||||
|
|
|
@ -308,16 +308,15 @@ This will make Pleroma listen on `127.0.0.1` port `8080` and generate urls start
|
||||||
Available options:
|
Available options:
|
||||||
|
|
||||||
* `enabled` - Enable/disable the plug. Defaults to `false`.
|
* `enabled` - Enable/disable the plug. Defaults to `false`.
|
||||||
* `headers` - A list of strings naming the `req_headers` to use when deriving the `remote_ip`. Order does not matter. Defaults to `~w[forwarded x-forwarded-for x-client-ip x-real-ip]`.
|
* `headers` - A list of strings naming the `req_headers` to use when deriving the `remote_ip`. Order does not matter. Defaults to `["x-forwarded-for"]`.
|
||||||
* `proxies` - A list of strings in [CIDR](https://en.wikipedia.org/wiki/CIDR) notation specifying the IPs of known proxies. Defaults to `[]`.
|
* `proxies` - A list of strings in [CIDR](https://en.wikipedia.org/wiki/CIDR) notation specifying the IPs of known proxies. Defaults to `[]`.
|
||||||
* `reserved` - Defaults to [localhost](https://en.wikipedia.org/wiki/Localhost) and [private network](https://en.wikipedia.org/wiki/Private_network).
|
* `reserved` - Defaults to [localhost](https://en.wikipedia.org/wiki/Localhost) and [private network](https://en.wikipedia.org/wiki/Private_network).
|
||||||
|
|
||||||
|
|
||||||
### :rate_limit
|
### :rate_limit
|
||||||
|
|
||||||
This is an advanced feature and disabled by default.
|
!!! note
|
||||||
|
If your instance is behind a reverse proxy ensure [`Pleroma.Plugs.RemoteIp`](#pleroma-plugs-remoteip) is enabled (it is enabled by default).
|
||||||
If your instance is behind a reverse proxy you must enable and configure [`Pleroma.Plugs.RemoteIp`](#pleroma-plugs-remoteip).
|
|
||||||
|
|
||||||
A keyword list of rate limiters where a key is a limiter name and value is the limiter configuration. The basic configuration is a tuple where:
|
A keyword list of rate limiters where a key is a limiter name and value is the limiter configuration. The basic configuration is a tuple where:
|
||||||
|
|
||||||
|
@ -326,14 +325,31 @@ A keyword list of rate limiters where a key is a limiter name and value is the l
|
||||||
|
|
||||||
It is also possible to have different limits for unauthenticated and authenticated users: the keyword value must be a list of two tuples where the first one is a config for unauthenticated users and the second one is for authenticated.
|
It is also possible to have different limits for unauthenticated and authenticated users: the keyword value must be a list of two tuples where the first one is a config for unauthenticated users and the second one is for authenticated.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
```elixir
|
||||||
|
config :pleroma, :rate_limit,
|
||||||
|
authentication: {60_000, 15},
|
||||||
|
search: [{1000, 10}, {1000, 30}]
|
||||||
|
```
|
||||||
|
|
||||||
|
Means that:
|
||||||
|
|
||||||
|
1. In 60 seconds, 15 authentication attempts can be performed from the same IP address.
|
||||||
|
2. In 1 second, 10 search requests can be performed from the same IP adress by unauthenticated users, while authenticated users can perform 30 search requests per second.
|
||||||
|
|
||||||
Supported rate limiters:
|
Supported rate limiters:
|
||||||
|
|
||||||
* `:search` for the search requests (account & status search etc.)
|
* `:search` - Account/Status search.
|
||||||
* `:app_account_creation` for registering user accounts from the same IP address
|
* `:app_account_creation` - Account registration from the API.
|
||||||
* `:relations_actions` for actions on relations with all users (follow, unfollow)
|
* `:relations_actions` - Following/Unfollowing in general.
|
||||||
* `:relation_id_action` for actions on relation with a specific user (follow, unfollow)
|
* `:relation_id_action` - Following/Unfollowing for a specific user.
|
||||||
* `:statuses_actions` for create / delete / fav / unfav / reblog / unreblog actions on any statuses
|
* `:statuses_actions` - Status actions such as: (un)repeating, (un)favouriting, creating, deleting.
|
||||||
* `:status_id_action` for fav / unfav or reblog / unreblog actions on the same status by the same user
|
* `:status_id_action` - (un)Repeating/(un)Favouriting a particular status.
|
||||||
|
* `:authentication` - Authentication actions, i.e getting an OAuth token.
|
||||||
|
* `:password_reset` - Requesting password reset emails.
|
||||||
|
* `:account_confirmation_resend` - Requesting resending account confirmation emails.
|
||||||
|
* `:ap_routes` - Requesting statuses via ActivityPub.
|
||||||
|
|
||||||
### :web_cache_ttl
|
### :web_cache_ttl
|
||||||
|
|
||||||
|
|
|
@ -10,10 +10,7 @@ defmodule Pleroma.Plugs.RemoteIp do
|
||||||
@behaviour Plug
|
@behaviour Plug
|
||||||
|
|
||||||
@headers ~w[
|
@headers ~w[
|
||||||
forwarded
|
|
||||||
x-forwarded-for
|
x-forwarded-for
|
||||||
x-client-ip
|
|
||||||
x-real-ip
|
|
||||||
]
|
]
|
||||||
|
|
||||||
# https://en.wikipedia.org/wiki/Localhost
|
# https://en.wikipedia.org/wiki/Localhost
|
||||||
|
|
Loading…
Reference in a new issue