Introduce AUTH_RATELIMIT_EXEMPTION

This disables rate limiting on specific CIDRs
master
Florent Daigniere 3 years ago
parent c674f1567a
commit 99c81c20a7

@ -40,6 +40,7 @@ DEFAULT_CONFIG = {
'AUTH_RATELIMIT_IP_V4_MASK': 24,
'AUTH_RATELIMIT_IP_V6_MASK': 56,
'AUTH_RATELIMIT_USER': '100/day',
'AUTH_RATELIMIT_EXEMPTION': '',
'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
'DISABLE_STATISTICS': False,
# Mail settings

@ -39,7 +39,7 @@ class LimitWraperFactory(object):
return LimitWrapper(self.limiter, limits.parse(limit), *args)
def is_subject_to_rate_limits(self, ip):
return not (self.storage.get(f'exempt-{ip}') > 0)
return False if utils.is_subject_to_rate_limits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)
def exempt_ip_from_ratelimits(self, ip):
self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)
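Review bot: The new return line in `is_subject_to_rate_limits` calls `utils.is_subject_to_rate_limits(ip)`, but the helper this commit adds to utils is named `is_exempt_from_ratelimits`. Unless a function with the called name exists outside the visible hunks, every call raises AttributeError, and whether the login path then fails open or closed depends on callers not shown here. The line should read `return False if utils.is_exempt_from_ratelimits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)`, or more simply `return not utils.is_exempt_from_ratelimits(ip) and not (self.storage.get(f'exempt-{ip}') > 0)`. The enclosing class `LimitWraperFactory` starts outside the hunk.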

@ -79,6 +79,12 @@ def extract_network_from_ip(ip):
else:
return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
def is_exempt_from_ratelimits(ip):
for range in [net.strip() for net in app.config['AUTH_RATELIMIT_EXEMPTION'].split(',')]:
if ipaddress.ip_address(ip) in ipaddress.ip_network(ip, False):
return False
return True
# Application translation
babel = flask_babel.Babel()
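Review bot: `is_exempt_from_ratelimits` never consults the configured ranges, because the membership test builds the network from `ip` itself (`ipaddress.ip_network(ip, False)`) instead of from the loop variable. The first iteration therefore always matches and the function returns False for every address. The return values are also inverted relative to the name (a match returns False, no match returns True), and the loop variable shadows the builtin `range`. Once the network is built from the list entry, the default `''` would reach `ip_network('')` and raise ValueError, so empty entries need to be skipped. Because this function decides which clients bypass authentication rate limiting, a unit test covering an address inside a range, one outside, and the empty default would be worth adding.

```python
def is_exempt_from_ratelimits(ip):
    """Return True when ip lies inside a network listed in AUTH_RATELIMIT_EXEMPTION."""
    address = ipaddress.ip_address(ip)
    for cidr in app.config['AUTH_RATELIMIT_EXEMPTION'].split(','):
        cidr = cidr.strip()
        if not cidr:
            # the default '' splits into a single empty entry; nothing to match
            continue
        if address in ipaddress.ip_network(cidr, False):
            return True
    return False
# … unchanged: Application translation / babel setup …
```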

@ -55,6 +55,10 @@ after a successful login for which a specific IP address is exempted from rate l
This ensures that users behind a NAT don't get locked out when a single client is
misconfigured... but also potentially allow for users to attack each-other.
The ``AUTH_RATELIMIT_EXEMPTION`` (default: '') is a comma separated list of network
CIDRs that won't be subject to any form of rate limiting. Specifying ``0.0.0.0/0, ::/0``
there is a good way to disable rate limiting altogether.
The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.
