mirror of https://github.com/zulip/zulip.git
49ad188449
TOR users are legitimate users of the system; however, that system can also be used for abuse -- specifically, by evading IP-based rate-limiting. For the purposes of IP-based rate-limiting, add a RATE_LIMIT_TOR_TOGETHER flag, defaulting to false, which lumps all requests from TOR exit nodes into the same bucket. This may allow a TOR user to deny other TOR users access to the find-my-account and new-realm endpoints, but this is a low cost for cutting off a significant potential abuse vector. If enabled, the list of TOR exit nodes is fetched from their public endpoint once per hour, via a cron job, and cached on disk. Django processes load this data from disk, and cache it in memcached. Requests are spared from the burden of checking disk on failure via a circuitbreaker, which trips of there are two failures in a row, and only begins trying again after 10 minutes. |
||
|---|---|---|
| .. | ||
| jinja2 | ||
| __init__.py | ||
| backends.py | ||
| computed_settings.py | ||
| config.py | ||
| configured_settings.py | ||
| default_settings.py | ||
| dev_settings.py | ||
| dev_urls.py | ||
| email_backends.py | ||
| legacy_urls.py | ||
| prod_settings.pyi | ||
| prod_settings_template.py | ||
| sentry.py | ||
| settings.py | ||
| terms.md.template | ||
| test_extra_settings.py | ||
| test_settings.py | ||
| urls.py | ||
| wsgi.py | ||