Improve rate limiting (#10860)
* Rate limit based on remote address IP, not on potential reverse proxy * Limit rate of unauthenticated API requests further * Rate-limit paging requests to one every 3 secondsmaster
parent
b08d29418c
commit
c068f90803
|
@ -58,7 +58,7 @@ class Rack::Attack
|
|||
end
|
||||
|
||||
throttle('throttle_unauthenticated_api', limit: 300, period: 5.minutes) do |req|
|
||||
req.remote_ip if req.api_request? && req.unauthenticated?
|
||||
req.remote_ip if req.api_request? && !req.authenticated?
|
||||
end
|
||||
|
||||
throttle('throttle_api_media', limit: 300, period: 5.minutes) do |req|
|
||||
|
@ -70,7 +70,7 @@ class Rack::Attack
|
|||
end
|
||||
|
||||
throttle('throttle_unauthenticated_media_proxy', limit: 30, period: 30.minutes) do |req|
|
||||
req.remote_ip if req.unauthenticated? && req.path.start_with?('/media_proxy')
|
||||
req.remote_ip if !req.authenticated? && req.path.start_with?('/media_proxy')
|
||||
end
|
||||
|
||||
throttle('throttle_api_sign_up', limit: 5, period: 30.minutes) do |req|
|
||||
|
@ -83,7 +83,7 @@ class Rack::Attack
|
|||
end
|
||||
|
||||
throttle('throttle_unauthenticated_paging', limit: 300, period: 15.minutes) do |req|
|
||||
req.remote_ip if req.paging_request? && req.unauthenticated?
|
||||
req.remote_ip if req.paging_request? && !req.authenticated?
|
||||
end
|
||||
|
||||
API_DELETE_REBLOG_REGEX = /\A\/api\/v1\/statuses\/[\d]+\/unreblog/.freeze
|
||||
|
|
Loading…
Reference in New Issue