I'm using The AspNetCoreRateLimit package and requests rate limit per times has been controlled but when change X-Real-IP in request then rate limit reset.

its part of my code:

"IpRateLimiting": {
    "EnableEndpointRateLimiting": true,
    "StackBlockedRequests": false,
    "RealIpHeader": "X-Real-IP",
    "ClientIdHeader": "X-ClientId",
    "HttpStatusCode": 429,
    "IpWhitelist": [ "127.0.0.1" ],
    "EndpointWhitelist": [ "*:/assets/*" ],
    "ClientWhitelist": [],
.
.
.
}

how can prevent this security issue?

CodePudding user response：

Your rules should be like below.

"IpRateLimitPolicies": {
"IpRules": [
  {
    "Ip": "84.247.85.224",
    "Rules": [
      {
        "Endpoint": "*",
        "Period": "1s",
        "Limit": 10
      },
      {
        "Endpoint": "*",
        "Period": "15m",
        "Limit": 200
      }
    ]
  },
  {
    "Ip": "192.168.3.22/25",
    "Rules": [
      {
        "Endpoint": "*",
        "Period": "1s",
        "Limit": 5
      },
      {
        "Endpoint": "*",
        "Period": "15m",
        "Limit": 150
      },
      {
        "Endpoint": "*",
        "Period": "12h",
        "Limit": 500
      }
    ]
  }
]
}

For more details, please read this article.

CodePudding user response：

in the settings of nginx in path /etc/nginx/sites-enabled in the Location section add this line:

proxy_set_header X-Real-IP $remote_addr;