feat: Allow support for trusted IPs to disable throttling (#11226)

Co-authored-by: Pranav <pranav@chatwoot.com>
2025-11-01 19:48:08 +00:00 · 2025-05-08 20:10:30 -03:00
parent 823c3df27f
commit c73f8aefc5
2 changed files with 17 additions and 4 deletions
--- a/.env.example
+++ b/.env.example
@@ -2,7 +2,7 @@
 # https://www.chatwoot.com/docs/self-hosted/configuration/environment-variables/#rails-production-variables

 # Used to verify the integrity of signed cookies. so ensure a secure value is set
-# SECRET_KEY_BASE should be alphanumeric. Avoid special characters or symbols. 
+# SECRET_KEY_BASE should be alphanumeric. Avoid special characters or symbols.
 # Use `rake secret` to generate this variable
 SECRET_KEY_BASE=replace_with_lengthy_secure_hex

@@ -216,6 +216,8 @@ ANDROID_SHA256_CERT_FINGERPRINT=AC:73:8E:DE:EB:56:EA:CC:10:87:02:A7:65:37:7B:38:
 # ENABLE_RACK_ATTACK=true
 # RACK_ATTACK_LIMIT=300
 # ENABLE_RACK_ATTACK_WIDGET_API=true
+# Comma-separated list of trusted IPs that bypass Rack Attack throttling rules
+# RACK_ATTACK_ALLOWED_IPS=127.0.0.1,::1,192.168.0.10

 ## Running chatwoot as an API only server
 ## setting this value to true will disable the frontend dashboard endpoints
@@ -257,4 +259,3 @@ AZURE_APP_SECRET=
 # Set to true if you want to remove stale contact inboxes
 # contact_inboxes with no conversation older than 90 days will be removed
 # REMOVE_STALE_CONTACT_INBOX_JOB_STATUS=false
-
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -21,8 +21,9 @@ class Rack::Attack
    end

    def allowed_ip?
-      allowed_ips = ['127.0.0.1', '::1']
-      allowed_ips.include?(remote_ip)
+      default_allowed_ips = ['127.0.0.1', '::1']
+      env_allowed_ips = ENV.fetch('RACK_ATTACK_ALLOWED_IPS', '').split(',').map(&:strip)
+      (default_allowed_ips + env_allowed_ips).include?(remote_ip)
    end

    # Rails would allow requests to paths with extentions, so lets compare against the path with extention stripped
@@ -32,6 +33,17 @@ class Rack::Attack
    end
  end

+  ### Safelist IPs from Environment Variable ###
+  #
+  # This block ensures requests from any IP present in RACK_ATTACK_ALLOWED_IPS
+  # will bypass Rack::Attack’s throttling rules.
+  #
+  # Example: RACK_ATTACK_ALLOWED_IPS="127.0.0.1,::1,192.168.0.10"
+
+  Rack::Attack.safelist('trusted IPs') do |req|
+    req.allowed_ip?
+  end
+
  ### Throttle Spammy Clients ###

  # If any single client IP is making tons of requests, then they're