Rate Limiting w/ Reverse Proxy

Had a question on what header is being used for rate-limiting. For context we have an nginx.conf w/ set_real_ip and we’re using a provider that sends us traffic with the client’s actual IP in Some-Client-IP header.

    sendfile on;
    set_real_ip_from ...;
    set_real_ip_from ...;
    set_real_ip_from ...;
    set_real_ip_from ...;

    real_ip_header Some-Client-IP;
    real_ip_recursive on;

Some-Client-IP is what we get from upstream w/ the actual user’s IP.

In the current discourse.conf in conf.d for nginx, we have the default (for, I think, all the routes in general):

    proxy_set_header Host $http_host;
    proxy_set_header X-Request-Start "t=${msec}";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass http://discourse;

Does Discourse look at X-Forwarded-For or X-Real-IP for rate limiting? I think it’s looking at X-Forwarded-For because in production.log I see my reverse proxy’s IP. Is the correct solution to change X-Forwarded-For to look at $remote_addr also?

From this thread, it seems like someone just deleted that line outright: Last IP shows Reverse Proxy IP address - #5 by schleifer

Thanks

1 Like

Did you add that stanza to your app.yml? Those settings need to be in the NGINX that is inside the container. See also Set up Discourse on a server with existing Apache sites. That’s for Apache, but the part that goes in app.yml is the same regardless of what is doing the reverse proxy.

Those stanzas are in the current nginx.conf inside our container under conf.d/discourse.conf.

For the app.yml portion did you mean

run:
  - replace:
      filename: /etc/nginx/conf.d/discourse.conf
      from: "types {"
      to: |
        set_real_ip_from 172.17.0.0/24;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        types {

We don’t have HAProxy on the outside of the containers, we have a DNS provider that does some pre-processing for us so the real_ip_header is in another header value, and we actually have a list of IP addresses that need to be replaced.

We actually also see a list in X-Forwarded-For; I’m wondering if that’s the cause of the wrong IPs showing up.

For example, I think we see 111.11.11.111 in the production logs, but not 55.555.55.55, which is what we want (as it’s set in x-real-ip):

    HTTP_X_FORWARDED_FOR    111.11.11.111, 22.22.22.222, 333.33.33.333, 55.555.55.55
    HTTP_X_REAL_IP          55.555.55.55
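As an added illustration (not code from this thread or from Discourse/nginx), the snippet below models what nginx's realip module does with a comma-separated chain like the X-Forwarded-For value above: the header is only honoured when the direct peer is in `set_real_ip_from`, `real_ip_recursive off` takes the rightmost entry, and `real_ip_recursive on` walks right to left past trusted proxies. The trusted ranges and addresses are constructed sample values, not the ones in the thread.

```python
import ipaddress
from typing import List, Optional

# Constructed sample trust list, standing in for the set_real_ip_from lines.
TRUSTED = [ipaddress.ip_network(n) for n in ("172.17.0.0/24", "198.51.100.0/24", "10.0.0.0/8")]


def is_trusted(addr: str, trusted: List[ipaddress.IPv4Network] = TRUSTED) -> bool:
    """True if addr falls in a trusted proxy range; unparsable entries count as untrusted
    (a simplification: nginx stops walking the chain at a malformed entry)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def real_ip(remote_addr: str, header_value: Optional[str], recursive: bool,
            trusted: List[ipaddress.IPv4Network] = TRUSTED) -> str:
    """Model of the address nginx would expose as $remote_addr after real_ip_header."""
    # The header is ignored unless the TCP peer itself is a trusted proxy.
    if header_value is None or not is_trusted(remote_addr, trusted):
        return remote_addr
    chain = [p.strip() for p in header_value.split(",") if p.strip()]
    if not chain:
        return remote_addr
    if not recursive:
        # real_ip_recursive off: only the last (rightmost) address is considered.
        return chain[-1]
    # real_ip_recursive on: skip trusted hops from the right; first untrusted hop is the client.
    for candidate in reversed(chain):
        if not is_trusted(candidate, trusted):
            return candidate
    # Every hop was trusted: nginx ends up with the leftmost entry.
    return chain[0]


if __name__ == "__main__":
    chain = "203.0.113.10, 198.51.100.7, 10.0.0.5"  # constructed: client, then two trusted hops
    print("recursive on :", real_ip("172.17.0.1", chain, True))   # 203.0.113.10
    print("recursive off:", real_ip("172.17.0.1", chain, False))  # 10.0.0.5
    # A client-supplied leftmost value is not reached while trusted hops sit to its right.
    print("spoofed left :", real_ip("172.17.0.1", "1.2.3.4, " + chain, True))  # 203.0.113.10
```

Whichever address comes out of this is what the rate limiter keys on, so if the header carrying the client address is not the one named in `real_ip_header`, every request collapses onto the proxy's own address.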

Then you’ll need to adjust the recommended configuration accordingly.

Or, if you don’t care about IP addresses or rate limiting, you can remove the rate limiting template.

1 Like