Commit Graph

10 Commits

Author | SHA1 | Date
Message

Akihiko Odaki | a7e71bbd08 | 2018-05-03 18:51:00 +02:00
  Add a missing question mark in rack_attack.rb ()
Akihiko Odaki | b1d4471e36 | 2018-05-03 17:32:00 +02:00
  Throttle media post ()

  The previous rate limit allowed posting media so fast that it is possible
  to fill up the disk space even before an administrator notices. The new
  rate limit is configured so that it takes 24 hours to eat 10 gigabytes:
  10 * 1024 / 8 / (24 * 60 / 30) = 27 (which is rounded to 30)

  The period is set long so that it does not prevent attaching several
  media to one post, which would happen in a short period. For example,
  if the period is 5 minutes, the rate limit would be:
  10 * 1024 / 8 / (24 * 60 / 5) = 4

  This long period allows lifting the limit.
Eugen Rochko | 921b781909 | 2018-01-09 17:07:54 +01:00
  Increase rate limit on protected paths ()

  Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
Eugen Rochko | feed07227b | 2017-12-11 15:32:29 +01:00
  Apply a 25x rate limit by IP even to authenticated requests ()
Naoki Kosaka | 4bce376fdc | 2017-12-09 15:12:10 +01:00
  Missing require 'authorization_decorator'. ()
Eugen Rochko | a865b62efc | 2017-12-09 14:20:02 +01:00
  Rate limit by user instead of IP when API user is authenticated ()

  * Fix - Rate limit by user instead of IP when API user is authenticated

  * Fix code style issue

  * Use request decorator provided by Doorkeeper
unarist | b42c018bb8 | 2017-08-08 15:47:35 +02:00
  Add Content-Type header on throttled response to fix mojibake ()

  application/json only allows Unicode, so this prevents wrong charset detection.
alpaca-tc | db92eec876 | 2017-05-03 23:36:19 +02:00
  Localize 'throttled' ()
Tristan Mahé | 964035b118 | 2017-04-30 00:27:49 +02:00
  Allow localhost to bypass the rate limit ()
Eugen | ff5baa5349 | 2017-04-18 22:29:14 +02:00
  Add rate limits for logins and sign-ups by IP (5 in 5 minutes) ()

  * Add rate limits for logins and sign-ups by IP (5 in 5 minutes)
    Should be enough for normal attempts

  * Add rate limit for forgotten password form as well
Renamed from config/initializers/rack-attack.rb