Throttling Solution For Shared IP Addresses

[dalezak]

I was trying to throttle logins by IP as such, however ran into an issue with some organizations sharing IP addresses.

Rack::Attack.blocklist 'blocklist allow2ban logins' do |req|
   Rack::Attack::Allow2Ban.filter req.ip, maxretry: 5, findtime: 1.minute, bantime: 1.hour do
     if req.post? && (req.path == '/users/signin' || req.path == '/users/signin.json')
       req.ip
     end
  end
end

Is there a solution or best practise for organizations using shared IP addresses? For example a school's computer lab where all terminals use the same public IP?

[dalezak]

I saw a few posts suggesting the following, would this work for my case?

class Rack::Attack
  class Request < ::Rack::Request
    def remote_ip
      @remote_ip ||= (env['action_dispatch.remote_ip'] || env['HTTP_X_FORWARDED_FOR'] || ip).to_s
    end
  end
end

[inspire22]

So I got bit by this when implementing rack-attack - I actually think it's a pretty major problem considering this has rails connections but rack obviously doesn't have the rails nice request.remote_ip to handle this, so 99% of rails people are going to have this problem.

One problem with the solution above though is that HTTP_X_FORWARDED_FOR can be a comma split string if there's more than one proxy server? But that makes this a lot more complicated

realip = request.env['HTTP_X_FORWARDED_FOR'].split(',').first if request.env['HTTP_X_FORWARDED_FOR']&.is_a?(String)

[mpalmer]

Rack has Request::Rack#ip, which should do the needful.

[inspire22]

Strange, using just .ip it immediately blocked all bots since it was using my local IP. Maybe there's something incompatible with their "reject_trusted_ip_addresses" junk & the default nginx proxy_pass handling of it. I'll keep looking, but for some reason the code above worked when rack request.ip did not. https://www.rubydoc.info/gems/rack/1.5.0/Rack%2FRequest:ip

[mpalmer]

It probably didn't work because you didn't tell Rack what your trusted upstream proxies are. It's not "junk" to prevent untrusted proxies from lying to your service about what IP address they're coming from, because that way lies trivial DoS attacks.

[inspire22]

By "junk" I mean code I don't understand and that has no documentation :)

"ip" being two characters really limits searching for it unfortunately. Looks like maybe I set it with this in an initializer? And maybe that it's able to be smart enough to resolve a hostname for me?

Rack::Request.ip_filter = lambda { |ip| ip =~ /\A127.0.0.1\Z|\A(10|172.(1[6-9]|2[0-9]|30|31)|192.168).|\A::1\Z|\Afd[0-9a-f]{2}:.+|\Alocalhost\Z|\Aunix\Z|\Aunix:/i }