[Answered] Bypassing DRF throttling

0 👍

✅

I was able to properly retrieve the client’s IP address by setting the NUM_PROXIES setting in the DRF configuration. This setting determines how many proxy servers the DRF should trust in the XFF header and is therefore able to pick the right IP address.
Since I only had one proxy server, I set NUM_PROXIES to 1:

REST_FRAMEWORK = {
    …
    'NUM_PROXIES': 1
}

In addition to this, I changed the Gunicorn log format to be able to observe the XFF header in the access logs. I then realized that nginx did in fact correctly append the IP to the XFF header.

👤 Nicolas
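To make the effect of NUM_PROXIES visible without a Django project, here is an added example (not code from the answer above and not DRF's own source) that re-implements the client-identification step DRF's BaseThrottle.get_ident() performs, as I understand it, and models nginx appending the peer address to X-Forwarded-For. The request dictionaries, addresses and the simulate_proxy helper are constructed for the demonstration.

```python
# Added example: stand-alone mirror of the identity lookup behind DRF throttling.
# get_ident() reproduces the NUM_PROXIES handling of BaseThrottle.get_ident()
# as I know it; simulate_proxy() is a constructed stand-in for nginx with
# `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`.
from typing import Optional


def get_ident(meta: dict, num_proxies: Optional[int]) -> str:
    """Return the throttle identity derived from request.META.

    HTTP_X_FORWARDED_FOR holds the XFF header as received by the app server,
    REMOTE_ADDR the peer that actually opened the connection (the proxy).
    """
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    remote_addr = meta.get("REMOTE_ADDR")

    if num_proxies is not None:
        # Trust only the rightmost `num_proxies` entries: those were appended
        # by proxies under our control; anything further left was sent by the
        # client and cannot be verified.
        if num_proxies == 0 or xff is None:
            return remote_addr
        addrs = xff.split(",")
        client_addr = addrs[-min(num_proxies, len(addrs))]
        return client_addr.strip()

    # NUM_PROXIES unset (the default): the whole XFF value becomes the key, so
    # any client-supplied XFF prefix changes the throttle bucket.
    return "".join(xff.split()) if xff else remote_addr


def simulate_proxy(client_xff: Optional[str], client_ip: str, proxy_ip: str) -> dict:
    """Constructed model of a single reverse proxy in front of the app server:
    it appends the real peer address to whatever XFF the client sent."""
    xff = f"{client_xff}, {client_ip}" if client_xff else client_ip
    return {"HTTP_X_FORWARDED_FOR": xff, "REMOTE_ADDR": proxy_ip}


def throttle_keys(num_proxies: Optional[int]) -> set:
    """Throttle keys one real client (203.0.113.7) obtains when it sends no XFF,
    then two different client-supplied XFF values, through one proxy."""
    keys = set()
    for client_supplied in (None, "10.0.0.1", "10.0.0.2"):
        meta = simulate_proxy(client_supplied, client_ip="203.0.113.7", proxy_ip="127.0.0.1")
        keys.add(get_ident(meta, num_proxies))
    return keys


if __name__ == "__main__":
    # With the default, one client lands in three separate buckets; with
    # NUM_PROXIES=1 every request maps to the single real address.
    print("NUM_PROXIES unset:", throttle_keys(None))
    print("NUM_PROXIES=1:   ", throttle_keys(1))
```

The value to configure is the number of proxies you actually operate in front of Gunicorn; with exactly one, as in the answer, NUM_PROXIES=1 makes the rightmost XFF entry (the one nginx appended) the throttle identity, and the access-log change described above is the quickest way to confirm that entry is the real client.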

1 👍

DRF throttling is not a reliable solution to mitigate DDoS attacks. There are some known vulnerabilities to bypass DRF throttling in the wild:

  1. security vulnerability: bypass throttling
  2. Bypass Throttling based on source ip address
  3. Implementing Django-rest API Throttling and Unauthenticated bypass

It is highly recommended to use other third-party solutions for DDoS and brute-force mitigation.

You can customize DRF throttling to patch the mentioned vulnerability. But keep in mind it is not a secure solution!

DRF throttling uses X-Forwarded-For HTTP header to generate a key to limit access. As described in the official docs, customization is implemented by inheriting throttling.BaseThrottle:

from rest_framework import throttling

class RandomRateThrottle(throttling.BaseThrottle):
    def allow_request(self, request, view) -> bool:
        # Your custom logic here...
        return True  # must return a boolean: True allows the request, False throttles it

Request headers are available in allow_request() and you can use other fields (like User-Agent) to check the uniqueness of the request originator. You can also add a little randomness.

Check here for a list of HTTP header fields.

Note: allow_request() should return a boolean.

Note: Checking other fields patches only the vulnerability you mentioned, and it is just better than the defaults.
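As an added illustration of the custom-throttle pattern this answer describes (my code, not the answer's and not DRF's): a stand-alone class in the shape of BaseThrottle.allow_request() that keys a sliding-window limit on the client address plus a hash of the User-Agent. It runs without Django, so FakeRequest, the in-memory history dict and the injectable clock are constructed stand-ins; a real DRF throttle would subclass rest_framework.throttling.BaseThrottle, take its ident from get_ident() (with NUM_PROXIES set correctly) and store history in django.core.cache.

```python
# Added example: allow_request()/wait() in the style of a DRF throttle, keyed on
# (client address, sha256(User-Agent)), backed by an in-memory dict instead of
# the Django cache. FakeRequest and the scenario values are constructed.
import hashlib
import time
from collections import deque
from typing import Callable, Deque, Dict


class FakeRequest:
    """Minimal stand-in for a DRF Request: only .META is consulted."""
    def __init__(self, remote_addr: str, user_agent: str = "") -> None:
        self.META = {"REMOTE_ADDR": remote_addr, "HTTP_USER_AGENT": user_agent}


class ClientFingerprintThrottle:
    """At most `num_requests` per `duration` seconds for each (ident, UA) pair.

    The ident is taken from REMOTE_ADDR here and is assumed to already be the
    real client address (i.e. the proxy/NUM_PROXIES question is settled).
    """

    def __init__(self, num_requests: int, duration: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.num_requests = num_requests
        self.duration = duration
        self.clock = clock            # injectable so tests can move time forward
        self.history: Dict[str, Deque[float]] = {}

    def get_cache_key(self, request) -> str:
        ident = request.META.get("REMOTE_ADDR", "")
        # Hash the UA so an arbitrarily long header cannot bloat the cache key.
        ua = hashlib.sha256(request.META.get("HTTP_USER_AGENT", "").encode()).hexdigest()[:16]
        return f"throttle:{ident}:{ua}"

    def allow_request(self, request, view=None) -> bool:
        key = self.get_cache_key(request)
        now = self.clock()
        window = self.history.setdefault(key, deque())
        # Discard timestamps that have slid out of the window.
        while window and window[0] <= now - self.duration:
            window.popleft()
        if len(window) >= self.num_requests:
            return False
        window.append(now)
        return True

    def wait(self, request) -> float:
        """Seconds until the next request under this key would be admitted."""
        window = self.history.get(self.get_cache_key(request))
        if not window or len(window) < self.num_requests:
            return 0.0
        return max(0.0, window[0] + self.duration - self.clock())


def run_scenario():
    """5/minute: the sixth request from one client+UA is refused, the same
    address with a different UA gets its own bucket, and after the window
    slides the original client is admitted again."""
    fake_now = [1000.0]
    throttle = ClientFingerprintThrottle(num_requests=5, duration=60,
                                         clock=lambda: fake_now[0])
    same = FakeRequest("203.0.113.7", "curl/8.0")
    other_ua = FakeRequest("203.0.113.7", "Mozilla/5.0")
    first_five = [throttle.allow_request(same) for _ in range(5)]
    sixth = throttle.allow_request(same)
    wait_seconds = throttle.wait(same)
    other = throttle.allow_request(other_ua)
    fake_now[0] += 61
    after_window = throttle.allow_request(same)
    return first_five, sixth, wait_seconds, other, after_window


if __name__ == "__main__":
    print(run_scenario())
```

The "other UA gets its own bucket" line of the scenario is exactly the weakness the note above concedes: User-Agent is chosen by the client, so keying on it raises the cost of a bypass only slightly, which is why the answer calls this an improvement over the defaults rather than a secure solution.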
