diff --git a/config/default.yaml b/config/default.yaml
index 70b10299d..f8be23d69 100644
--- a/config/default.yaml
+++ b/config/default.yaml
@@ -9,6 +9,16 @@ webserver:
 hostname: 'localhost'
 port: 9000
+rates_limit:
+ login:
+ # 15 attempts in 5 min
+ window: 5 minutes
+ max: 15
+ ask_send_email:
+ # 3 attempts in 5 min
+ window: 5 minutes
+ max: 3
+
 # Proxies to trust to get real client IP
 # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
 # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
diff --git a/config/production.yaml.example b/config/production.yaml.example
index 06baaf7d4..f1f0f12d1 100644
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -8,6 +8,16 @@ webserver:
 hostname: 'example.com'
 port: 443
+rates_limit:
+ login:
+ # 15 attempts in 5 min
+ window: 5 minutes
+ max: 15
+ ask_send_email:
+ # 3 attempts in 5 min
+ window: 5 minutes
+ max: 3
+
 # Proxies to trust to get real client IP
 # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
 # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts
index 223ef8078..622ad7d6b 100644
--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@@ -27,7 +27,8 @@ function checkMissedConfig () {
 'services.twitter.username', 'services.twitter.whitelisted', 'followers.instance.enabled', 'followers.instance.manual_approval', 'tracker.enabled', 'tracker.private', 'tracker.reject_too_many_announces',
- 'history.videos.max_age', 'views.videos.remote.max_age'
+ 'history.videos.max_age', 'views.videos.remote.max_age',
+ 'rates_limit.login.window', 'rates_limit.login.max', 'rates_limit.ask_send_email.window', 'rates_limit.ask_send_email.max'
 ]
 const requiredAlternatives = [
 [ // set
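Review bot: The two comments under `rates_limit` only restate the default numbers (`# 15 attempts in 5 min`), so they become wrong as soon as an operator edits `window` or `max`, and they do not say what the counter is keyed on. If the limiter counts per client IP (not visible in this diff), its effectiveness depends on the `trust_proxy` setting documented directly below, which is worth stating next to the limit. I would replace each with something like `# Maximum requests allowed per client within 'window' (a duration string such as '5 minutes')`. The same comments appear in the config/production.yaml.example and support/docker/production/config/production.yaml hunks.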
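Review bot: Adding the four `rates_limit.*` keys to this list only proves that they exist; nothing in the visible hunks checks that their values are sane. In the server/initializers/config.ts hunk `MAX` is taken straight from `config.get('rates_limit.login.max')` and `WINDOW_MS` from `parseDurationToMs(...)`, so a quoted number, a zero or negative `max`, or a window string that does not parse would reach the login and email throttles unchecked, and depending on how the limiter treats such values that may weaken or switch off brute-force protection. A startup check such as `if (!Number.isInteger(max) || max < 1) throw new Error('rates_limit.login.max must be a positive integer')`, with the equivalent for the parsed window, would make a bad value fail closed. `checkMissedConfig` starts and ends outside this hunk.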
diff --git a/server/initializers/config.ts b/server/initializers/config.ts
index baf502305..4f77e144d 100644
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -63,6 +63,16 @@ const CONFIG = {
 HOSTNAME: config.get('webserver.hostname'),
 PORT: config.get('webserver.port')
 },
+ RATES_LIMIT: {
+ LOGIN: {
+ WINDOW_MS: parseDurationToMs(config.get('rates_limit.login.window')),
+ MAX: config.get('rates_limit.login.max')
+ },
+ ASK_SEND_EMAIL: {
+ WINDOW_MS: parseDurationToMs(config.get('rates_limit.ask_send_email.window')),
+ MAX: config.get('rates_limit.ask_send_email.max')
+ }
+ },
 TRUST_PROXY: config.get('trust_proxy'),
 LOG: {
 LEVEL: config.get('log.level')
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 2be364cc8..193bae5b5 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -281,12 +281,12 @@ let CONSTRAINTS_FIELDS = {
 const RATES_LIMIT = {
 LOGIN: {
- WINDOW_MS: 5 * 60 * 1000, // 5 minutes
- MAX: 15 // 15 attempts
+ WINDOW_MS: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
+ MAX: CONFIG.RATES_LIMIT.LOGIN.MAX
 },
 ASK_SEND_EMAIL: {
- WINDOW_MS: 5 * 60 * 1000, // 5 minutes
- MAX: 3 // 3 attempts
+ WINDOW_MS: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
+ MAX: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
 }
 }
diff --git a/support/docker/production/config/production.yaml b/support/docker/production/config/production.yaml
index d585cd73e..ae6bf3982 100644
--- a/support/docker/production/config/production.yaml
+++ b/support/docker/production/config/production.yaml
@@ -8,6 +8,16 @@ webserver:
 hostname: undefined
 port: 443
+rates_limit:
+ login:
+ # 15 attempts in 5 min
+ window: 5 minutes
+ max: 15
+ ask_send_email:
+ # 3 attempts in 5 min
+ window: 5 minutes
+ max: 3
+
 # Proxies to trust to get real client IP
 # If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
 # If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
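Review bot: In the server/initializers/constants.ts hunk, `RATES_LIMIT` is now a field-by-field copy of `CONFIG.RATES_LIMIT`, and the unit comments (`// 5 minutes`, `// 15 attempts`) were removed along with the literals. A reader of this file can no longer tell that `WINDOW_MS` is in milliseconds, or that these security limits are operator-controlled rather than fixed. I would either alias the object (`const RATES_LIMIT = CONFIG.RATES_LIMIT`) or keep the copy and add a comment above it such as `// Set by rates_limit.* in the config file; WINDOW_MS is in milliseconds`.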