Merge pull request #4566 from sul-dlss/cidr-abuse

Use rack-attack to throttle /16 and /24 ranges too.
sul-dlss · Feb 18, 2025 · 17e212f · 17e212f
2 parents 7df5903 + 2eba07c
commit 17e212f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
@@ -27,6 +27,30 @@
     req.ip if route[:controller] == 'catalog' && ['index', 'facet'].include?(route[:action])
   end
 
+  Rack::Attack.throttle('req/search/cidr/24', limit: 50, period: 1.minute) do |req|
+    route = begin
+      Rails.application.routes.recognize_path(req.path) || {}
+    rescue StandardError
+      {}
+    end
+
+    next if req.ip.start_with?('171.', '172.', '10.')
+
+    req.ip.slice(/^\d+\.\d+\.\d+\./) if route[:controller] == 'catalog' && ['index', 'facet'].include?(route[:action])
+  end
+
+  Rack::Attack.throttle('req/search/cidr/16', limit: 100, period: 1.minute) do |req|
+    route = begin
+      Rails.application.routes.recognize_path(req.path) || {}
+    rescue StandardError
+      {}
+    end
+
+    next if req.ip.start_with?('171.', '172.', '10.')
+
+    req.ip.slice(/^\d+\.\d+\./) if route[:controller] == 'catalog' && ['index', 'facet'].include?(route[:action])
+  end
+
   Rack::Attack.throttle('req/view/ip', limit: 500, period: 5.minutes) do |req|
     req.ip if req.path.start_with?('/view')
   end

diff --git a/config/settings.yml b/config/settings.yml
@@ -67,7 +67,7 @@ RECAPTCHA:
 IIIF_DND_BASE_URL: https://library.stanford.edu/iiif?%{query}
 REVISION: <%= File.read("#{Rails.root}/REVISION").chomp if File.exist?("#{Rails.root}/REVISION") %>
 LIB_GUIDES:
-  API_URL: 'https://example.com/1.1/guides'
+  API_URL: 'http://example.com/1.1/guides'
   APP_SEARCH_URL: 'https://guides.library.stanford.edu/srch.php?q=%{q}'
   KEY: 12345678123456781234567812345678
   MINI_BENTO_ENABLED: false