[B] Update rate limiting to use remote IP instead of request IP

timfrazee · timfrazee · commit 9518c572fa83 · 2026-03-18T13:56:57.000-07:00
Addresses an issue where requests routed through reverse proxies / load balancers were being aggressively throttled due to obscured client IP addresses
diff --git a/api/config/application.rb b/api/config/application.rb
@@ -83,6 +83,7 @@ class Application < Rails::Application
     # Skip views, helpers and assets when generating a new resource.
     config.api_only = true
 
+    config.middleware.use ActionDispatch::RemoteIp
     config.middleware.use Rack::MethodOverride
     config.middleware.use ActionDispatch::Flash
     config.middleware.use ActionDispatch::Cookies
diff --git a/api/config/initializers/rack_attack.rb b/api/config/initializers/rack_attack.rb
@@ -38,7 +38,8 @@
     end
 
     Rack::Attack.throttle throttler.ip_key, **throttler.options do |request|
-      request.ip if request.env["manifold_env.throttled_category"] == throttler.category
+      next unless if request.env["manifold_env.throttled_category"] == throttler.category
+      request.env["action_dispatch.remote_ip"]&.calculate_ip || request.ip
     end
   end
 
@@ -56,13 +57,13 @@
 
   Rack::Attack.blocklisted_responder = lambda do |request|
     # :nocov:
-    [503, {}, ["Internal Server Error\n"]]
+    [429, {}, ["Rate Limit Exceeded\n"]]
     # :nocov:
   end
 
   Rack::Attack.throttled_responder = lambda do |request|
     # :nocov:
-    [503, {}, ["Internal Server Error\n"]]
+    [429, {}, ["Rate Limit Exceeded\n"]]
     # :nocov:
   end
 end
