Rate Limiting w/ Reverse Proxy

forkythetoy · November 16, 2021, 8:26pm

Had a question on what header is being used for rate-limiting. For context we have an nginx.conf w/ set_real_ip and we’re using a provider that sends us traffic with the client’s actual IP in Some-Client-IP header.

  sendfile on;
set_real_ip_from ...;
set_real_ip_from ...;
set_real_ip_from ...;
set_real_ip_from ...;

real_ip_header Some-Client-IP;
real_ip_recursive on;

Some-Client-IP is what we get from upstream w/ the actual user’s IP.

In the current discourse.conf in conf.d for nginx. We have the default:

For I think all the routes in general

    proxy_set_header Host $http_host;
    proxy_set_header X-Request-Start "t=${msec}";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $thescheme;
    proxy_pass http://discourse;

Does Discourse look at X-Forwarded-For or X-Real-IP for rate limiting? I think it’s looking at X-Forwarded-For because in production.log I see my rever proxy’s IP. Is the correct solution to change X-Forwarded-For to look at $remote_addr also?

From this thread, it seems like someone just deleted that line outright Last IP shows Reverse Proxy IP address - #5 by schleifer

Thanks

pfaffman · November 16, 2021, 9:25pm

Did you add that stanza to your app.yml? Those settings need to be in the NGINX that is inside the container. See also Set up Discourse on a server with existing Apache sites. That’s for Apache, but the part that goes in app.yml is the same regardless of what is doing the reverse proxy.

forkythetoy · November 16, 2021, 10:45pm

Those stanzas are in the current nginx.conf instead our container under conf.d/discourse.conf.

For the app.yml portion did you mean

run:
  - replace:
      filename: /etc/nginx/conf.d/discourse.conf
      from: "types {"
      to: |
        set_real_ip_from 172.17.0.0/24;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        types {

We don’t have HAProxy on the outside of the containers, we have a DNS provider that does some pre-processing for us so the real_ip_header is in another header value, and we actually have a list of IP addresses that need to be replaced.

We actually also have see a list of X-Forwarded-For, I’m wondering if that’s the cause for the wrong IP’s to show up.

For example, I think we see 111.11.11.111 in the production logs, but not 55.555.55.55 which is what we want (as it’s set in x-real-ip)

HTTP_X_FORWARDED_FOR	111.11.11.111, 22.22.22.222, 333.33.33.333, 55.555.55.55
HTTP_X_REAL_IP	55.555.55.55

pfaffman · November 16, 2021, 11:57pm

Then you’ll need to adjust the recommended configuration accordingly.

Or, if you don’t care about ip addresses or rate limiting, you can remind the rate limiting template.

Topic		Replies	Views
Last IP shows Reverse Proxy IP address Support	6	2333	October 8, 2022
Troubleshooting a 429 (rate limit) Installation	20	5603	November 9, 2018
Possible to not log user IP addresses? Support	20	5274	March 25, 2023
Discourse reports user ips as the load balancer Dev	8	1474	June 2, 2016
Discourse socketed: Nginx in front of discourse: no IP adresses Installation	6	2616	October 5, 2018

Rate Limiting w/ Reverse Proxy

Related topics