How to make Rack::Attack work behind a load balancer?

Question

I used the example throttle code for Rack::Attack.

throttle('req/ip', limit: 100, period: 5.minutes) do |req|
  req.ip unless req.path.starts_with?('/assets')
end

This worked great on our staging server but immediately ran into the limit on production because req.ip returns the IP address of our load balancer and not the remote_ip of the client.

Note that remote_ip is a method in ActionDispatch::Request but not Rack::Attack::Request.

We are using Rails 3.2.2 on Ruby 2.2.

Kevin Lawrence · Accepted Answer · 2015-11-04T22:45:06.323

5

I was able to get it working by adding a method to Rack::Attack::Request

class Rack::Attack
  class Request < ::Rack::Request
    def remote_ip
      @remote_ip ||= (env['action_dispatch.remote_ip'] || ip).to_s
    end
  end
end

then using

req.remote_ip unless req.path.starts_with?('/assets')

edited Nov 04 '15 at 22:45

answered Nov 04 '15 at 22:40

Kevin Lawrence

698
7
23

Why not just whitelist the path /assets ? – fatfrog Nov 28 '17 at 07:44
That solves the problem for the specific case of /assets but does not solve the more general problem of every request having the same client IP address. – Kevin Lawrence Nov 28 '17 at 13:33

How to make Rack::Attack work behind a load balancer?

1 Answers1