From d4eb21c2d9735e05041ecfc984974aaaec941123 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Garc=C3=ADa?= Date: Sat, 25 Dec 2021 01:10:21 +0100 Subject: [PATCH] Better document the new rate limiting --- .env.template | 11 +++++++++++ src/config.rs | 6 +++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/.env.template b/.env.template index ca6962b4..7fcbbfcb 100644 --- a/.env.template +++ b/.env.template @@ -268,6 +268,17 @@ ## Multiple values must be separated with a whitespace. # ALLOWED_IFRAME_ANCESTORS= +## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. +# LOGIN_RATELIMIT_SECONDS=60 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. +## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. +# LOGIN_RATELIMIT_MAX_BURST=10 + +## Number of seconds, on average, between admin requests from the same IP address before rate limiting kicks in. +# ADMIN_RATELIMIT_SECONDS=300 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. +# ADMIN_RATELIMIT_MAX_BURST=3 + ## Yubico (Yubikey) Settings ## Set your Client ID and Secret Key for Yubikey OTP ## You can generate it here: https://upgrade.yubico.com/getapikey/ diff --git a/src/config.rs b/src/config.rs index 7312a6c2..5bbe8575 100644 --- a/src/config.rs +++ b/src/config.rs @@ -512,12 +512,12 @@ make_config! { /// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets allowed_iframe_ancestors: String, true, def, String::new(); - /// Seconds between login requests |> Number of seconds, on average, between login requests before rate limiting kicks in. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2 + /// Seconds between login requests |> Number of seconds, on average, between login and 2FA requests from the same IP address before rate limiting kicks in login_ratelimit_seconds: u64, false, def, 60; - /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds` + /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `login_ratelimit_seconds`. Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2 login_ratelimit_max_burst: u32, false, def, 10; - /// Seconds between admin requests |> Number of seconds, on average, between admin requests before rate limiting kicks in + /// Seconds between admin requests |> Number of seconds, on average, between admin requests from the same IP address before rate limiting kicks in admin_ratelimit_seconds: u64, false, def, 300; /// Max burst size for login requests |> Allow a burst of requests of up to this size, while maintaining the average indicated by `admin_ratelimit_seconds` admin_ratelimit_max_burst: u32, false, def, 3;