Discourse implements global per-IP rate limits to protect sites from excessive traffic and abuse. However, there are legitimate scenarios where you need to allowlist specific IPs to bypass these rate limits. This guide explains how to configure exceptions for rate limiting on self-hosted Discourse installations.
Adding IP addresses to the allowlist
When you need to increase global per-IP rate limits for specific IPs or IP ranges, you’ll need to modify your container configuration file (app.yml) by adding the DISCOURSE_MAX_REQS_PER_IP_EXCEPTIONS environment variable.
Warning: Remember that even though the variable says “IP”, it really means “bucket”, so it could be an IP, a user, or something else if a new classification type is added by a plugin.
Adding a single IP address
To add a single IP address to your allowlist:
DISCOURSE_MAX_REQS_PER_IP_EXCEPTIONS: 192.168.1.100
This will exempt the IP address 192.168.1.100 from the standard rate limiting rules.
Adding multiple IP addresses or CIDR ranges
For multiple IPs or IP ranges using CIDR notation, use the multi-line format with the >- YAML syntax:
DISCOURSE_MAX_REQS_PER_IP_EXCEPTIONS: >-
  10.0.0.0/24
  172.16.10.0/16
  192.168.1.50
  2001:db8:c0:ffee::/64
This configuration exempts:
- the entire 10.0.0.0/24 network (256 IP addresses)
- the entire 172.16.10.0/16 network (65,536 IP addresses)
- the single IP address 192.168.1.50
- the entire 2001:db8:c0:ffee::/64 network (IPv6)
Ensure proper YAML formatting, particularly when using the multi-line syntax with >-.
Rebuild
After modifying the container configuration, you’ll need to rebuild the container for changes to take effect:
cd /var/discourse
./launcher rebuild app
Security considerations
Be cautious when adding IP addresses to the allowlist. Each exempted IP or range bypasses Discourse’s built-in protection against abuse and excessive traffic.
Best practices:
- Only allowlist IPs that have a legitimate business need (e.g., monitoring services, API integrations, trusted partners)
- Use the most specific IP ranges possible rather than large networks
- Regularly review your allowlist and remove IPs that no longer require exemption
Remember: an overly permissive allowlist can expose your site to potential abuse or denial-of-service scenarios.
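One way to apply these practices is to audit the allowlist value before each rebuild, reporting how many addresses every entry exempts and flagging entries that are malformed, have host bits set, or are wider than a review threshold. This is an added example, not part of Discourse; it assumes the entries are whitespace-separated (which is what the folded >- scalar yields), and the `audit_allowlist` name and `MIN_PREFIX` thresholds are this example's own.

```python
import ipaddress

# Review thresholds are assumptions for this example, not Discourse settings:
# any prefix shorter (wider) than these is flagged for a closer look.
MIN_PREFIX = {4: 24, 6: 64}


def audit_allowlist(value):
    """Audit the folded value of DISCOURSE_MAX_REQS_PER_IP_EXCEPTIONS.

    Returns one dict per whitespace-separated entry with the normalized
    network, the number of addresses it exempts, and a list of findings.
    """
    report = []
    for entry in value.split():
        item = {"entry": entry, "network": None, "addresses": 0, "findings": []}
        try:
            # strict=False accepts entries with host bits set so they can be reported
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            item["findings"].append("invalid")
            report.append(item)
            continue
        item["network"] = str(net)
        item["addresses"] = net.num_addresses
        # Compare the address part as written with the actual network address
        written = ipaddress.ip_address(entry.split("/")[0])
        if written != net.network_address:
            item["findings"].append("host-bits-set")
        if net.prefixlen < MIN_PREFIX[net.version]:
            item["findings"].append("broad-range")
        report.append(item)
    return report


# The multi-entry value from this guide as it looks after YAML folding,
# plus one constructed invalid entry (10.0.0.300) to show error handling.
SAMPLE = "10.0.0.0/24 172.16.10.0/16 192.168.1.50 2001:db8:c0:ffee::/64 10.0.0.300"

if __name__ == "__main__":
    for row in audit_allowlist(SAMPLE):
        print(row)
```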
Troubleshooting
If you’re still experiencing rate limit errors despite configuring exceptions:
- verify the correct IP addresses are being used in your configuration
- check that the container was properly rebuilt after the configuration change
- examine the Discourse logs for rate limit messages related to the IPs in question
- if you are using a proxy/load balancer, ensure that it is correctly forwarding the original client IP