Comments (7)
You can use this version: https://github.com/ulule/limiter/releases/tag/v3.1.0
Cheers,
from limiter.
Hello,
Sorry in advance but I'm not sure to understand the issue here... So, I'll try to respond (and explain) as much as I can.
Since the limiter object is instantiated early before the server stats and then shared among different requests whose IPs are different.
Yeah that's the purpose.
Either your application is publicly facing the network (so it has a public IP on the internet) and you shouldn't rely on X-Real-IP
and X-Forwarded-For
headers because, someone could spoof (or forge) an IP address to manipulate your limiter counters.
Or, you have a reverse proxy (or a load balancer, a frontend, etc...) that will forward public request from the internet into the private network of your application, so you have to trust X-Real-IP
and X-Forwarded-For
headers because otherwise, you'll limit your reverse proxy and not the users. Doing both is an anti pattern in my opinion, you shouldn't do that.
IMHO the TrustForwardHeader should vary based on how much the server trusts the IP and should not be as a config rule.
With this previous explanation, you shouldn't. It should be a config rule because you know if your application will be deployed on a public network, or a private one.
However, it's possible that I've completely missed your point. In such case, could you provide an example of your network topology and/or an example so I could understand.
Also the change of GetIP is not backward compatible - AKA broke my build :)
Yeah, that's why we released a new major version v3.0.0
that indicate a compatibility break.
If you're not familiar with the Semantic Versioning approach, you can read this website: https://semver.org/
Or fallback to an older version, like v2.2.2
.
Regards,
from limiter.
Thanks for the detailed reply. You understood the question perfectly.
Or, you have a reverse proxy (or a load balancer, a frontend, etc...) that will forward public request from the internet into the private network of your application, so you have to trust
X-Real-IP
andX-Forwarded-For
headers because otherwise, you'll limit your reverse proxy and not the users. Doing both is an anti pattern in my opinion, you shouldn't do that.
I think this should be left to the developer to decide on how the server is being setup. On a small scale you could lock your server behind a load balancer or varnish, but in practice, if your app is on Kubernetes for ex then you would need to dynamically request new set of IPs to update your rate limiter. And you probably don't want to restart your node every time you are doing that.
Also remember that the old GetIP() gave the option to the developer to manage it internally, either via a config or conditionally, but the new function does not.
from limiter.
I think this should be left to the developer to decide on how the server is being setup.
Yeah, you can do that by using WithTrustForwardHeader
function, that create an Option
for limiter.New
, so you can decide if you want to trust X-Real-IP
and X-Forwarded-For
headers. Is that what you're looking for ?
Nevertheless, you can create a custom middleware if the current implementation doesn't suit you.
Just change middleware.Limiter.GetIPKey(r)
by a custom handler that can dynamically accept or refuse these headers from your dynamic configuration.
Cheers,
from limiter.
What I meant is that the proxy IPs will change over time and the server should take care of it dynamically. Please take a look at https://gist.github.com/gadelkareem/5a087bfda1f673241d0ac65759156cfd the cloudflare IPs are subject to change over time and you will probably need to update it without the need to restart the server.
from limiter.
Can you look at this new function and tell me if you'll use it?
https://github.com/ulule/limiter/blob/feat/network-functions/network.go#L34
Otherwise, I won't merge this into upstream.
Thanks.
from limiter.
Looks good!
from limiter.
Related Issues (20)
- Reintroduce Ping function to the Client interface HOT 3
- Feature Request: Please can you add rqlite as store HOT 2
- Limit for every 5 minute HOT 1
- Please consider adding SkipList option HOT 1
- Rate limiting based on custom identity HOT 2
- ERR bad lua script for redis cluster HOT 1
- Which time windows does this limiter use? HOT 1
- Custom keys? HOT 1
- limit of dynamic route HOT 1
- Should use the rightmost ip in x-forwarded-for, if used at all HOT 7
- another dynamic limit need HOT 9
- Limiters with momery store are not working as expected HOT 3
- A key can be limited forever HOT 2
- About algorithms HOT 2
- Consider changing the in memory cache library HOT 1
- I plan to consider using limiter middleware in the management system
- Gin Middleware Limiter with momery store are not working
- Consider support long time connection rate limit (Websocket) HOT 1
- Add custom Header value for limiter Option
- Feature Request: Please support goframe framework HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from limiter.