Implement authentication rate limit, fixes #116

master
kaiyou 7 years ago
parent 716e166b11
commit 19fe73b388

@ -33,6 +33,9 @@ POSTMASTER=admin
# Choose how secure connections will behave (value: letsencrypt, cert, notls) # Choose how secure connections will behave (value: letsencrypt, cert, notls)
TLS_FLAVOR=cert TLS_FLAVOR=cert
# Authentication rate limit (per source IP address)
AUTH_RATELIMIT=10/minute;1000/hour
################################### ###################################
# Optional features # Optional features
################################### ###################################
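Review bot: The comment added above `AUTH_RATELIMIT=10/minute;1000/hour` says what the limit is for but not how the value is written, so an operator tuning it has only the example to go on. I'd extend it to `# Authentication rate limit (per source IP address); one or more "<count>/<period>" limits separated by ";"`, which matches the default's shape. Whether periods other than minute/hour are accepted depends on the limiter library and is not visible here.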

@ -5,6 +5,7 @@ import flask_login
import flask_script import flask_script
import flask_migrate import flask_migrate
import flask_babel import flask_babel
import flask_limiter
import os import os
import docker import docker
@ -35,6 +36,8 @@ default_config = {
'CERTS_PATH': '/certs', 'CERTS_PATH': '/certs',
'PASSWORD_SCHEME': 'SHA512-CRYPT', 'PASSWORD_SCHEME': 'SHA512-CRYPT',
'WEBMAIL': 'none', 'WEBMAIL': 'none',
'AUTH_RATELIMIT': '10/minute;1000/hour',
'RATELIMIT_STORAGE_URL': 'redis://redis'
} }
# Load configuration from the environment if available # Load configuration from the environment if available
@ -45,6 +48,7 @@ for key, value in default_config.items():
flask_bootstrap.Bootstrap(app) flask_bootstrap.Bootstrap(app)
db = flask_sqlalchemy.SQLAlchemy(app) db = flask_sqlalchemy.SQLAlchemy(app)
migrate = flask_migrate.Migrate(app, db) migrate = flask_migrate.Migrate(app, db)
limiter = flask_limiter.Limiter(app, key_func=lambda: current_user.username)
# Debugging toolbar # Debugging toolbar
if app.config.get("DEBUG"): if app.config.get("DEBUG"):
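Review bot: The default key on `limiter = flask_limiter.Limiter(app, key_func=lambda: current_user.username)` references `current_user`, which the import block in this file only provides as `flask_login.current_user` (the hunk header shows `import flask_login`), so the first request that falls back to the default key would raise NameError unless the bare name is imported somewhere not shown. It also assumes an authenticated user: flask_login's anonymous user has no `username`, so any default-keyed limit would error on unauthenticated requests instead of limiting them. Something like `key_func=lambda: getattr(flask_login.current_user, "username", None) or flask.request.remote_addr` resolves the name and keys anonymous callers by connection address; `flask` itself is not visible in this hunk, so confirm it is imported. This commit only attaches an explicit per-route key on the auth endpoint, so the default may never run today, but it is what every future `@limiter.limit` without a key_func would silently use.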

@ -1,10 +1,14 @@
from mailu import db, models from mailu import db, models, app, limiter
from mailu.internal import internal, nginx from mailu.internal import internal, nginx
import flask import flask
@internal.route("/auth/email") @internal.route("/auth/email")
@limiter.limit(
app.config["AUTH_RATELIMIT"],
lambda: flask.request.headers["Client-Ip"]
)
def nginx_authentication(): def nginx_authentication():
""" Main authentication endpoint for Nginx email server """ Main authentication endpoint for Nginx email server
""" """

@ -15,6 +15,7 @@ Flask==0.12.2
Flask-Babel==0.11.2 Flask-Babel==0.11.2
Flask-Bootstrap==3.3.7.1 Flask-Bootstrap==3.3.7.1
Flask-DebugToolbar==0.10.1 Flask-DebugToolbar==0.10.1
Flask-Limiter==0.9.5.1
Flask-Login==0.4.0 Flask-Login==0.4.0
Flask-Migrate==2.1.1 Flask-Migrate==2.1.1
Flask-Script==2.0.6 Flask-Script==2.0.6
@ -26,6 +27,7 @@ infinity==1.4
intervals==0.8.0 intervals==0.8.0
itsdangerous==0.24 itsdangerous==0.24
Jinja2==2.9.6 Jinja2==2.9.6
limits==1.2.1
Mako==1.0.7 Mako==1.0.7
MarkupSafe==1.0 MarkupSafe==1.0
passlib==1.7.1 passlib==1.7.1
@ -35,6 +37,7 @@ python-dateutil==2.6.1
python-editor==1.0.3 python-editor==1.0.3
pytz==2017.2 pytz==2017.2
PyYAML==3.12 PyYAML==3.12
redis==2.10.6
requests==2.18.4 requests==2.18.4
six==1.11.0 six==1.11.0
SQLAlchemy==1.1.14 SQLAlchemy==1.1.14

@ -7,6 +7,8 @@ Flask-migrate
Flask-script Flask-script
Flask-wtf Flask-wtf
Flask-debugtoolbar Flask-debugtoolbar
Flask-limiter
redis
WTForms-Components WTForms-Components
passlib passlib
gunicorn gunicorn
