Managing IP request rate limits in Discourse

system · October 14, 2025, 8:55pm

Discourse implements global per-IP rate limits to protect sites from excessive traffic and abuse. However, there are legitimate scenarios where you need to allowlist specific IPs to bypass these rate limits. This guide explains how to configure exceptions for rate limiting on self-hosted Discourse installations.

Adding IP addresses to the allowlist

When you need to increase global per-IP rate limits for specific IPs or IP ranges, you’ll need to modify your container configuration file (app.yml) by adding the DISCOURSE_MAX_REQS_PER_IP_EXCEPTIONS environment variable.

Warning: Remember that even though the variable says “IP” it really means “bucket”, so could be an IP, a user, or something else if a new classification type is added by a plugin

Adding a single IP address

To add a single IP address to your allowlist:

DISCOURSE_MAX_REQS_PER_IP_EXCEPTIONS: 192.168.1.100

This will exempt the IP address 192.168.1.100 from the standard rate limiting rules.

Adding multiple IP addresses or CIDR ranges

For multiple IPs or IP ranges using CIDR notation, use the multi-line format with the >- YAML syntax:

DISCOURSE_MAX_REQS_PER_IP_EXCEPTIONS: >-
  10.0.0.0/24
  172.16.10.0/16
  192.168.1.50
  2001:db8:c0:ffee::/64

This configuration exempts:

the entire 10.0.0.0/24 network (256 IP addresses)
the entire 172.16.10.0/16 network (65,536 IP addresses)
the single IP address 192.168.1.50
the entire 2001:db8:c0:ffee::/64 network (IPv6)

Ensure proper YAML formatting, particularly when using the multi-line syntax with >-

Rebuild

After modifying the container configuration, you’ll need to rebuild the container for changes to take effect:

cd /var/discourse
./launcher rebuild app

Security considerations

Be cautious when adding IP addresses to the allowlist. Each exempted IP or range bypasses Discourse’s built-in protection against abuse and excessive traffic.

Best practices:

Only allowlist IPs that have a legitimate business need (e.g., monitoring services, API integrations, trusted partners)
Use the most specific IP ranges possible rather than large networks
Regularly review your allowlist and remove IPs that no longer require exemption

Remember: an overly permissive allowlist can expose your site to potential abuse or denial-of-service scenarios.

Troubleshooting

If you’re still experiencing rate limit errors despite configuring exceptions:

verify the correct IP addresses are being used in your configuration
check that the container was properly rebuilt after the configuration change
examine the Discourse logs for rate limit messages related to the IPs in question
if you are using a proxy/load balancer, ensure that is correctly forwarding the original client IP

Topic		Replies	Views
Whitelist Single IP for Rate Limiting Support	1	382	September 13, 2024
How-to disable or tune rate limiting by ip address? Support	3	1128	February 24, 2023
Rate limit errors although IP is whitelisted Installation	3	1182	November 10, 2022
Available settings for global rate limits and throttling Self-Hosting reference	3	22514	January 24, 2025
Is there a limit of API requests? Support	2	1725	February 24, 2018