We’ve recently realised that some rate limiting in our Rails app was actually rate limiting on the Fly proxy IPs – oops! Thankfully we’re a small volume app so this hasn’t massively impacted us, and we fixed it with the `by` clause, as in the example here:
```ruby
rate_limit to: 25,
           within: 1.hour,
           by: -> { request.headers.fetch("Fly-Client-IP", request.remote_ip) },
           with: -> {
             redirect_to root_url, alert: "Too many attempts. Please try again later."
           }
```
Note: we’re falling back to `request.remote_ip` for times when there is no `Fly-Client-IP` header, namely local development.
However, the Rails logs etc. are obviously still showing the proxy IPs, and remembering to set this `by` clause on each `rate_limit` isn’t ideal … is there some global way of setting this that I should know? My google-fu has failed me thus far.
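As an added illustration (not code from the original post or from Rails), here is a dependency-free Ruby sketch of the bucket-key problem described above: a small fixed-window limiter driven by the same two `by` lambdas, run over constructed traffic from three clients that all arrive via one proxy address. The `Request` struct, the `WindowLimiter` class and the sample IPs are constructed stand-ins for `ActionDispatch::Request` and the real `rate_limit` machinery.

```ruby
require "time"

# Constructed stand-in for the two parts of ActionDispatch::Request the by: lambda touches.
Request = Struct.new(:headers, :remote_ip)

# The two keying strategies: the buggy one (proxy address) and the fixed one from the post.
KEY_BY_PROXY  = ->(req) { req.remote_ip }
KEY_BY_CLIENT = ->(req) { req.headers.fetch("Fly-Client-IP", req.remote_ip) }

# Minimal fixed-window limiter: at most `to` hits per `within` seconds for each key.
class WindowLimiter
  def initialize(to:, within:, by:)
    @to, @within, @by = to, within, by
    @hits = Hash.new { |h, k| h[k] = [] } # key => timestamps of hits still in the window
  end

  # Returns :allowed or :limited for `req` arriving at time `now`.
  def check(req, now)
    bucket = @hits[@by.call(req)]
    bucket.reject! { |t| now - t >= @within } # expire hits that fell out of the window
    return :limited if bucket.size >= @to
    bucket << now
    :allowed
  end
end

# Constructed traffic: three distinct clients, all seen by the app as coming from the proxy.
PROXY_IP = "10.0.0.5"                                # constructed proxy address
CLIENTS  = %w[203.0.113.10 203.0.113.11 203.0.113.12] # constructed client addresses

# Runs one request per client through a limiter that allows `to` hits per window
# and returns the per-request verdicts in arrival order.
def simulate(by:, to: 2, within: 3600)
  limiter = WindowLimiter.new(to: to, within: within, by: by)
  t0 = Time.utc(2024, 1, 1, 12, 0, 0)
  CLIENTS.each_with_index.map do |client, i|
    req = Request.new({ "Fly-Client-IP" => client }, PROXY_IP)
    limiter.check(req, t0 + i)
  end
end

if $PROGRAM_NAME == __FILE__
  p simulate(by: KEY_BY_PROXY)  # three clients share one bucket: third is :limited
  p simulate(by: KEY_BY_CLIENT) # one bucket per client: all :allowed
  p KEY_BY_CLIENT.call(Request.new({}, "127.0.0.1")) # local dev fallback to remote_ip
end
```

Keyed by the proxy address, unrelated clients share one bucket and lock each other out; keyed by `Fly-Client-IP`, each client gets its own bucket, and a request with no such header (local development) falls back to `remote_ip`.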