From c73f8aefc5a4dfa0676a37d69abdc3a4c618d9de Mon Sep 17 00:00:00 2001 From: ElvioRibeiro <83252894+ElvioRibeiro@users.noreply.github.com> Date: Thu, 8 May 2025 20:10:30 -0300 Subject: [PATCH] feat: Allow support for trusted IPs to disable throttling (#11226) Co-authored-by: Pranav --- .env.example | 5 +++-- config/initializers/rack_attack.rb | 16 ++++++++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/.env.example b/.env.example index b7ba0920d..2ab2933dc 100644 --- a/.env.example +++ b/.env.example @@ -2,7 +2,7 @@ # https://www.chatwoot.com/docs/self-hosted/configuration/environment-variables/#rails-production-variables # Used to verify the integrity of signed cookies. so ensure a secure value is set -# SECRET_KEY_BASE should be alphanumeric. Avoid special characters or symbols. +# SECRET_KEY_BASE should be alphanumeric. Avoid special characters or symbols. # Use `rake secret` to generate this variable SECRET_KEY_BASE=replace_with_lengthy_secure_hex @@ -216,6 +216,8 @@ ANDROID_SHA256_CERT_FINGERPRINT=AC:73:8E:DE:EB:56:EA:CC:10:87:02:A7:65:37:7B:38: # ENABLE_RACK_ATTACK=true # RACK_ATTACK_LIMIT=300 # ENABLE_RACK_ATTACK_WIDGET_API=true +# Comma-separated list of trusted IPs that bypass Rack Attack throttling rules +# RACK_ATTACK_ALLOWED_IPS=127.0.0.1,::1,192.168.0.10 ## Running chatwoot as an API only server ## setting this value to true will disable the frontend dashboard endpoints @@ -257,4 +259,3 @@ AZURE_APP_SECRET= # Set to true if you want to remove stale contact inboxes # contact_inboxes with no conversation older than 90 days will be removed # REMOVE_STALE_CONTACT_INBOX_JOB_STATUS=false - diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index b61cb8a8b..f147cbf57 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb 
@@ -21,8 +21,9 @@ class Rack::Attack end def allowed_ip? - allowed_ips = ['127.0.0.1', '::1'] - allowed_ips.include?(remote_ip) + default_allowed_ips = ['127.0.0.1', '::1'] + env_allowed_ips = ENV.fetch('RACK_ATTACK_ALLOWED_IPS', '').split(',').map(&:strip) + (default_allowed_ips + env_allowed_ips).include?(remote_ip) end # Rails would allow requests to paths with extentions, so lets compare against the path with extention stripped @@ -32,6 +33,17 @@ class Rack::Attack end end + ### Safelist IPs from Environment Variable ### + # + # This block ensures requests from any IP present in RACK_ATTACK_ALLOWED_IPS + # will bypass Rack::Attack’s throttling rules. + # + # Example: RACK_ATTACK_ALLOWED_IPS="127.0.0.1,::1,192.168.0.10" + + Rack::Attack.safelist('trusted IPs') do |req| + req.allowed_ip? + end + ### Throttle Spammy Clients ### # If any single client IP is making tons of requests, then they're
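Review bot: The rewritten `allowed_ip?` compares `remote_ip` against the list as raw strings, so an operator entry such as `192.168.0.0/24` never matches and an IPv6 client presented as `0:0:0:0:0:0:0:1` does not match the `::1` default, which makes the new RACK_ATTACK_ALLOWED_IPS knob easy to misconfigure silently. Parsing the list once at boot into `IPAddr` objects (stdlib, and Rails already loads it for ActionDispatch::RemoteIp, so presumably no new require is needed — confirm) gives CIDR support, canonical comparison and a fail-fast error on a typo instead of a per-request `ENV` read and split. Since this method now also drives a Rack::Attack safelist, which in Rack::Attack skips blocklists as well as throttles, the trust placed in `remote_ip` matters more: `remote_ip` is defined outside this hunk, and if it is taken from `X-Forwarded-For` without a trusted-proxy check, any client can spoof an allowed address and switch rate limiting off for itself. The enclosing Request class starts outside the hunk, so the constant below assumes the usual nested `class Request` inside `Rack::Attack`.
```ruby
  # Parsed once at boot: a malformed entry raises IPAddr::InvalidAddressError
  # at startup instead of silently never matching on every request.
  TRUSTED_IPS = (['127.0.0.1', '::1'] +
                 ENV.fetch('RACK_ATTACK_ALLOWED_IPS', '').split(',').map(&:strip).reject(&:empty?))
                .map { |entry| IPAddr.new(entry) }.freeze

  def allowed_ip?
    ip = IPAddr.new(remote_ip)
    TRUSTED_IPS.any? { |trusted| trusted.include?(ip) }
  rescue IPAddr::Error
    false # an unparsable or missing remote_ip is never trusted
  end
```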