Introduce AUTH_RATELIMIT_EXEMPTION

This disables rate limiting on specific CIDRs
3 years ago · 99c81c20a7
parent c674f1567a
commit 99c81c20a7
4 changed files with 12 additions and 1 deletions
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@ -40,6 +40,7 @@ DEFAULT_CONFIG = {
    'AUTH_RATELIMIT_IP_V4_MASK': 24,
    'AUTH_RATELIMIT_IP_V6_MASK': 56,
    'AUTH_RATELIMIT_USER': '100/day',
+    'AUTH_RATELIMIT_EXEMPTION': '',
    'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
    'DISABLE_STATISTICS': False,
    # Mail settings
--- a/core/admin/mailu/limiter.py
+++ b/core/admin/mailu/limiter.py
@ -39,7 +39,7 @@ class LimitWraperFactory(object):
        return LimitWrapper(self.limiter, limits.parse(limit), *args)

    def is_subject_to_rate_limits(self, ip):
-        return not (self.storage.get(f'exempt-{ip}') > 0)
+        return False if utils.is_subject_to_rate_limits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)

    def exempt_ip_from_ratelimits(self, ip):
        self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@ -79,6 +79,12 @@ def extract_network_from_ip(ip):
    else:
        return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)

+def is_exempt_from_ratelimits(ip):
+    for range in [net.strip() for net in app.config['AUTH_RATELIMIT_EXEMPTION'].split(',')]:
+        if ipaddress.ip_address(ip) in ipaddress.ip_network(ip, False):
+            return False
+    return True
+
 # Application translation
 babel = flask_babel.Babel()

--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -55,6 +55,10 @@ after a successful login for which a specific IP address is exempted from rate l
 This ensures that users behind a NAT don't get locked out when a single client is
 misconfigured... but also potentially allow for users to attack each-other.

+The ``AUTH_RATELIMIT_EXEMPTION`` (default: '') is a comma separated list of network
+CIDRs that won't be subject to any form of rate limiting. Specifying ``0.0.0.0/0, ::/0``
+there is a good way to disable rate limiting altogether.
+
 The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
 ``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.