self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-07-15 01:24:34 +02:00
Code Issues Releases Activity

Introduce AUTH_RATELIMIT_EXEMPTION

Browse Source 
This disables rate limiting on specific CIDRs
This commit is contained in:
Florent Daigniere
2021-10-16 10:26:38 +02:00
parent c674f1567a
commit 99c81c20a7
4 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
core/admin/mailu/configuration.py
View File

@ -40,6 +40,7 @@ DEFAULT_CONFIG = {
'AUTH_RATELIMIT_IP_V4_MASK': 24,
'AUTH_RATELIMIT_IP_V6_MASK': 56,
'AUTH_RATELIMIT_USER': '100/day',
'AUTH_RATELIMIT_EXEMPTION': '',
'AUTH_RATELIMIT_EXEMPTION_LENGTH': 86400,
'DISABLE_STATISTICS': False,
# Mail settings

2
core/admin/mailu/limiter.py
View File

@ -39,7 +39,7 @@ class LimitWraperFactory(object):
return LimitWrapper(self.limiter, limits.parse(limit), *args)
def is_subject_to_rate_limits(self, ip):
return not (self.storage.get(f'exempt-{ip}') > 0)
return False if utils.is_subject_to_rate_limits(ip) else not (self.storage.get(f'exempt-{ip}') > 0)
def exempt_ip_from_ratelimits(self, ip):
self.storage.incr(f'exempt-{ip}', app.config["AUTH_RATELIMIT_EXEMPTION_LENGTH"], True)

6
core/admin/mailu/utils.py
View File

@ -79,6 +79,12 @@ def extract_network_from_ip(ip):
else:
return str(n.supernet(prefixlen_diff=(128-int(app.config["AUTH_RATELIMIT_IP_V6_MASK"]))).network_address)
def is_exempt_from_ratelimits(ip):
for range in [net.strip() for net in app.config['AUTH_RATELIMIT_EXEMPTION'].split(',')]:
if ipaddress.ip_address(ip) in ipaddress.ip_network(ip, False):
return False
return True
# Application translation
babel = flask_babel.Babel()

4
docs/configuration.rst
View File

@ -55,6 +55,10 @@ after a successful login for which a specific IP address is exempted from rate l
This ensures that users behind a NAT don't get locked out when a single client is
misconfigured... but also potentially allow for users to attack each-other.
The ``AUTH_RATELIMIT_EXEMPTION`` (default: '') is a comma separated list of network
CIDRs that won't be subject to any form of rate limiting. Specifying ``0.0.0.0/0, ::/0``
there is a good way to disable rate limiting altogether.
The ``TLS_FLAVOR`` sets how Mailu handles TLS connections. Setting this value to
``notls`` will cause Mailu not to server any web content! More on :ref:`tls_flavor`.