
[FEATURE/BUG] IP rate-limiting should support limiting based on remote client headers (e.g. header like X-Forwarded-For)

Open shikharj05 opened this issue 1 year ago • 1 comment

Is your feature request related to a problem? Yes. Currently, IP rate limiting works solely on client IP addresses; it doesn't support setups where access to OpenSearch is configured via Dashboards, as Dashboards would override the client IP address with its own address.

What solution would you like? The security plugin should support a way for users to configure IP-based rate limiting using extra information like X-Forwarded-For headers. We can opt for ignore_host_ips or something like source_ip_header (or maybe remote_header/client_ip_header). Example:

```yaml
auth_failure_listeners:
  ip_rate_limiting:
    type: ip
    ignore_host_ips: ['ip1', 'ip2']
    source_ip_header: 'x-forwarded-for'
    allowed_tries: 1
    time_window_seconds: 20
    block_expiry_seconds: 180
    max_blocked_clients: 100000
    max_tracked_clients: 100000
```

What alternatives have you considered? NA

shikharj05, Apr 17 '24 16:04
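The security-relevant part of the proposal above is how `source_ip_header` and `ignore_host_ips` interact: X-Forwarded-For is plain text that any client can set, so a limiter that simply reads the leftmost value lets an attacker pick its own bucket (or someone else's) and dodge a block. The example below is added here and is not the OpenSearch security plugin's code; it is a standalone Python sketch of the semantics a practitioner would expect from the proposed fields. It assumes that `ignore_host_ips` lists the trusted proxies (the Dashboards hosts) whose appended hops may be stripped, that the header is only consulted when the TCP peer is one of those proxies, that a key is blocked once failures inside `time_window_seconds` exceed `allowed_tries`, and that the `max_*_clients` caps are out of scope. The config values, addresses and traffic sequence are constructed.

```python
import ipaddress
from collections import deque

# Constructed config reusing the field names proposed in the issue; these are
# the proposal's names, not a shipped OpenSearch security setting.
CONFIG = {
    "source_ip_header": "x-forwarded-for",
    "ignore_host_ips": ["10.0.0.5", "10.0.0.6"],  # constructed: the Dashboards hosts
    "allowed_tries": 1,
    "time_window_seconds": 20,
    "block_expiry_seconds": 180,
}


def rate_limit_key(remote_addr, headers, source_ip_header, ignore_host_ips):
    """Return the address the limiter should count this request against.

    The forwarding header is client-controlled text, so only hops that a host
    in ignore_host_ips could have appended are trusted: walk the chain from the
    right and stop at the first address that is not a known proxy. If the TCP
    peer itself is not a trusted proxy, the header is ignored entirely.
    `headers` is assumed to be a dict with lower-cased header names.
    """
    trusted = {ipaddress.ip_address(ip) for ip in ignore_host_ips}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        return str(peer)
    raw = headers.get(source_ip_header.lower(), "")
    for hop in reversed([h.strip() for h in raw.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Garbage in the chain: bucket it per proxy instead of counting it
            # against the proxy address (which would block every legitimate
            # Dashboards user) or dropping it (which would be a free bypass).
            return f"{peer}/malformed"
        if addr not in trusted:
            return str(addr)
    # Empty header or only proxy hops: nothing better than the peer address.
    return str(peer)


class IpRateLimiter:
    """Failure counter keyed by rate_limit_key(). Assumed semantics: more than
    allowed_tries failures inside time_window_seconds blocks the key for
    block_expiry_seconds."""

    def __init__(self, cfg, now):
        self.cfg = cfg
        self.now = now        # injectable clock so the walkthrough is deterministic
        self.failures = {}    # key -> deque of failure timestamps
        self.blocked = {}     # key -> time the block expires

    def is_blocked(self, key):
        until = self.blocked.get(key)
        if until is None:
            return False
        if self.now() >= until:
            del self.blocked[key]   # block expired
            return False
        return True

    def record_failure(self, key):
        """Count one failed login; return True if this failure triggers a block."""
        t = self.now()
        window = self.failures.setdefault(key, deque())
        window.append(t)
        while window and t - window[0] > self.cfg["time_window_seconds"]:
            window.popleft()
        if len(window) > self.cfg["allowed_tries"]:
            self.blocked[key] = t + self.cfg["block_expiry_seconds"]
            window.clear()
            return True
        return False


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def walkthrough():
    """Constructed traffic: browser 203.0.113.7 behind trusted Dashboards host
    10.0.0.5 fails twice inside the window and is blocked, while 203.0.113.8
    through the same proxy is untouched; a direct client forging the header is
    keyed on its real address."""
    clock = FakeClock()
    limiter = IpRateLimiter(CONFIG, now=clock)

    def key(peer, xff):
        return rate_limit_key(peer, {"x-forwarded-for": xff},
                              CONFIG["source_ip_header"], CONFIG["ignore_host_ips"])

    out = {}
    out["forged_direct"] = key("198.51.100.9", "203.0.113.7")   # header ignored
    out["via_proxy"] = key("10.0.0.5", "203.0.113.7, 10.0.0.6")  # two trusted hops
    out["malformed"] = key("10.0.0.5", "not-an-ip")
    out["first_try_blocked"] = limiter.record_failure(out["via_proxy"])
    clock.t = 5.0
    out["second_try_blocked"] = limiter.record_failure(out["via_proxy"])
    out["client_blocked"] = limiter.is_blocked("203.0.113.7")
    out["neighbour_blocked"] = limiter.is_blocked(key("10.0.0.5", "203.0.113.8"))
    clock.t = 5.0 + CONFIG["block_expiry_seconds"]
    out["blocked_after_expiry"] = limiter.is_blocked("203.0.113.7")
    return out
```

Note the right-to-left walk: a proxy appends its own upstream to the end of X-Forwarded-For, so the rightmost non-proxy entry is the last address a trusted hop actually saw, while everything to its left is whatever the client chose to send. Whichever field name the plugin settles on, the ignore list should be read as "hops I trust to strip", not merely "addresses never to block".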

[Triage] Hi @shikharj05, thank you for filing this issue. Feel free to open a PR introducing this feature and the maintainers can review.

stephen-crawford, Apr 22 '24 15:04

@cwperks @kkhatua - FYI

pajuric, May 21 '24 23:05

@DarshitChanpura / @cwperks - should we open another item to track support for a custom source_ip_header?

shikharj05, Jul 31 '24 02:07