I'm using the AspNetCoreRateLimit package, and the number of requests per period is being limited, but when I change X-Real-IP in the request, the rate limit resets.
This is part of my code:
"IpRateLimiting": {
  "EnableEndpointRateLimiting": true,
  "StackBlockedRequests": false,
  "RealIpHeader": "X-Real-IP",
  "ClientIdHeader": "X-ClientId",
  "HttpStatusCode": 429,
  "IpWhitelist": [ "127.0.0.1" ],
  "EndpointWhitelist": [ "*:/assets/*" ],
  "ClientWhitelist": [],
  .
  .
  .
}
How can I prevent this security issue?
CodePudding user response:
Your rules should be like below.
"IpRateLimitPolicies": {
  "IpRules": [
    {
      "Ip": "84.247.85.224",
      "Rules": [
        {
          "Endpoint": "*",
          "Period": "1s",
          "Limit": 10
        },
        {
          "Endpoint": "*",
          "Period": "15m",
          "Limit": 200
        }
      ]
    },
    {
      "Ip": "192.168.3.22/25",
      "Rules": [
        {
          "Endpoint": "*",
          "Period": "1s",
          "Limit": 5
        },
        {
          "Endpoint": "*",
          "Period": "15m",
          "Limit": 150
        },
        {
          "Endpoint": "*",
          "Period": "12h",
          "Limit": 500
        }
      ]
    }
  ]
}
For more details, please read this article.
CodePudding user response:
In the nginx settings, in the path /etc/nginx/sites-enabled,
in the location section, add this line:
proxy_set_header X-Real-IP $remote_addr;
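
Added example, not part of either answer or of the AspNetCoreRateLimit project: the nginx line above replaces any client-supplied X-Real-IP, but only for requests that actually pass through nginx. The middleware below applies the same rule inside the ASP.NET Core app, so the header is honoured only when the TCP peer is a known proxy. `UseTrustedRealIp` and the trusted-proxy list are hypothetical names chosen for this sketch, and it assumes nginx connects to the app over TCP.

```csharp
using System.Linq;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class TrustedRealIpExtensions
{
    // Must match "RealIpHeader" in the IpRateLimiting section.
    private const string RealIpHeader = "X-Real-IP";

    // Hypothetical helper. Register it before the rate limiter, e.g.:
    //   app.UseTrustedRealIp(IPAddress.Loopback, IPAddress.IPv6Loopback);
    //   app.UseIpRateLimiting();
    public static IApplicationBuilder UseTrustedRealIp(
        this IApplicationBuilder app, params IPAddress[] trustedProxies)
    {
        var trusted = trustedProxies.Select(a => Normalize(a)).ToArray();

        return app.Use(async (context, next) =>
        {
            // Address of the socket peer; a client cannot set this via headers.
            var peer = Normalize(context.Connection.RemoteIpAddress);
            var fromProxy = peer != null
                && trusted.Any(p => p != null && p.Equals(peer));

            if (!fromProxy)
            {
                // Not from the proxy: discard whatever the client sent.
                if (peer != null)
                    context.Request.Headers[RealIpHeader] = peer.ToString();
                else
                    context.Request.Headers.Remove(RealIpHeader);
            }

            await next();
        });
    }

    // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d.
    private static IPAddress Normalize(IPAddress address) =>
        address != null && address.IsIPv4MappedToIPv6
            ? address.MapToIPv4()
            : address;
}
```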