Replies: 2 comments
-
It would be illogical to use something else. If we would only block the IP of the reverse proxy itself, then nobody can log in anymore, which would cause a DoS. This of course can't still happen where Vaultwarden is used in large companies which are behind just one IP, or a Filtering/Security Proxy which uses one outgoing IP.
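As an added illustration (not Vaultwarden's own code), a simplified token-bucket limiter keyed either on the proxy's address or on X-Real-IP, showing why only the second choice stays usable once several clients share one proxy. The option names come from the question; the refill model, the trusted-proxy set and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

# Settings named after Vaultwarden's options; the refill model below is a
# simplified token bucket for illustration, not Vaultwarden's implementation.
LOGIN_RATELIMIT_SECONDS = 60
LOGIN_RATELIMIT_MAX_BURST = 2

# Assumption: only these peer addresses are allowed to set X-Real-IP for us.
TRUSTED_PROXIES = {"10.0.0.2"}


def client_ip(remote_addr: str, headers: dict, use_real_ip: bool) -> str:
    """Rate-limit key: X-Real-IP when sent by a trusted proxy, else the peer address."""
    real_ip = headers.get("X-Real-IP")
    if use_real_ip and real_ip and remote_addr in TRUSTED_PROXIES:
        return real_ip
    return remote_addr


@dataclass
class LoginRateLimiter:
    seconds: float = LOGIN_RATELIMIT_SECONDS
    burst: int = LOGIN_RATELIMIT_MAX_BURST
    buckets: dict = field(default_factory=dict)  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.buckets.get(key, (self.burst, now))
        # One token is refilled per `seconds`, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) / self.seconds)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def simulate(use_real_ip: bool) -> list:
    """Three distinct clients behind one proxy each try to log in at the same instant."""
    limiter = LoginRateLimiter()
    # Constructed requests: identical proxy address, different real client IPs.
    requests = [("10.0.0.2", {"X-Real-IP": ip})
                for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7")]
    return [limiter.allow(client_ip(addr, hdrs, use_real_ip), now=0.0)
            for addr, hdrs in requests]
```

Keyed on the proxy address, the third client is rejected although it never tried before; keyed on X-Real-IP, each client gets its own bucket, and a header arriving from an untrusted peer is ignored rather than used as the key.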
-
Thank you very much for your quick response and clarification.
-
Hi,
I understand that Vaultwarden supports the X-Real-IP header to identify the real client IP address when behind a proxy. However, could you confirm whether the rate-limiting settings (LOGIN_RATELIMIT_SECONDS and LOGIN_RATELIMIT_MAX_BURST) are applied based on the IP address provided in X-Real-IP, and not the proxy's IP address?
In other words, if multiple login requests come from the same real client IP (as indicated in X-Real-IP), does Vaultwarden use this IP address to enforce the rate-limiting thresholds, rather than the proxy's IP?
Unfortunately, I don’t have the experience to read and analyze the project’s code myself to verify this behavior. Thank you in advance for your assistance and clarification!
Best regards,