Ghost self hosting in a container cannot enforce spam rate limit

Hi,

This is my first time trying to spin up the Ghost Docker image, and I have been successful in that too.

My ghost service in docker-compose looks like this:

services:
  ghost:
    image: ghost:latest
    restart: always
    ports:
      - 8040:2368
    environment:
      # see https://ghost.org/docs/config/#configuration-options
      # nested config keys are flattened with a double underscore
      database__client: mysql
      database__connection__host: db
      database__connection__user: "root"
      database__connection__password: "Passw0rd"
      database__connection__database: "ghostdb"
      spam__global_block__lifetime: 1
      url: http://localhost:8040
      NODE_ENV: development
      # mail__from: mail@cooldomains.com
      # mail__transport: SMTP
      # mail__options__host: email-smtp.us
      # mail__options__port: 465
      # mail__options__auth__user: "U5s4rName"
      # mail__options__auth__pass: "L0ngPa55w0rd"
      # mail__options__secure_connection: true
    volumes:
      - ../ghost/content:/var/lib/ghost/content
      - type: bind
        source: ../ghost/config.development.json
        target: /var/lib/ghost/config.development.json
      - type: bind
        source: ../ghost/config.production.json
        target: /var/lib/ghost/config.production.json

  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: Passw0rd
    volumes:
      - db:/var/lib/mysql

# named volume referenced by the db service above
volumes:
  db:

While there has been no problem in getting the service up and articles published, I cannot really enforce the per-IP rate limit. I tried setting it to something low to be able to verify, like 1 in the above case, but I couldn't see any difference. After multiple refreshes and clicking on different articles, I am still not thrown any error. I read somewhere that in newer Ghost versions, configuration can be set through environment variables, and for nested settings we separate them via double underscore. I changed the config.development.json too, like below:

"spam": {
  "global_block": { "lifetime": 1, "freeRetries": 1 },
  "user_login": { "freeRetries": 1 }
}

but that didn't help either. I checked after logging into the container that the variable is properly set, but I still can't see it working. Any help appreciated.

EDIT:

I am not sure which variable among the below enforced the restriction, but I can see /api/content/newsletter failing with a 429 error.

spam__global_block__lifetime: 1
spam__global_block__freeRetries: 1
spam__content_api_key__lifetime: 1
spam__content_api_key__freeRetries: 1

But I can still see pages loading and working fine. It is also fetching each article. I don't actually want that. I would want the page to fail with too many requests. Is it some other setting that I am missing?

I’m pretty sure those rate limits are about sign-ups, not page access. :)

Hi @Cathy_Sarisky, first of all, I really appreciate your response. If it is not too much work, could you please help me find the setting I need to set to limit the page access per IP? My Ghost endpoints are publicly exposed, so I want at least some kind of control. Thanks so much!

Ghost doesn't support limiting page access per IP.
You can use Cloudflare to impose a rate limit, but it can't impose a rate limit per IP; I wrote an article about this: how-to-secure-your-ghost-blog.

If you use Nginx as the reverse proxy, you may utilize Nginx to impose a limit per IP: Rate Limiting with NGINX

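For readers who want to see what the Nginx approach in the reply above looks like in practice, here is an added example configuration (my own, not from the thread or the linked article). It assumes Ghost is published on 127.0.0.1:8040 as in the compose file earlier in the thread; the server name, the two rates, the burst sizes and the trusted-proxy CIDR are placeholders to tune for your own traffic.

```nginx
# Added example (not from the thread or the linked article): per-IP request
# limiting for a Ghost site behind an Nginx reverse proxy.
# Assumes Ghost is reachable on 127.0.0.1:8040 as in the compose file above;
# blog.example.com, the rates/bursts and the CIDR are placeholders.

http {
    # One 10 MB zone keyed on the client address; that is room for roughly
    # 160k distinct IPs. 10r/s is the steady-state allowance for ordinary
    # page and asset requests from a single visitor.
    limit_req_zone $binary_remote_addr zone=ghost_pages:10m rate=10r/s;

    # A much tighter zone for the admin/login and API paths, which is where
    # credential-guessing traffic would land.
    limit_req_zone $binary_remote_addr zone=ghost_admin:10m rate=2r/s;

    # Return 429 (instead of the default 503) so clients and dashboards can
    # tell "rate limited" apart from "backend down", and log rejections.
    limit_req_status 429;
    limit_req_log_level warn;

    # If Cloudflare (or any other proxy) sits in front of Nginx, $remote_addr
    # is the proxy's address and every visitor would share one bucket.
    # Restore the real client IP from the header the proxy sets, and list
    # only the proxy ranges you trust (placeholder CIDR below).
    # set_real_ip_from 203.0.113.0/24;
    # real_ip_header CF-Connecting-IP;

    server {
        listen 80;
        server_name blog.example.com;

        location /ghost/ {
            # burst=5 queues a handful of extra requests; nodelay serves them
            # immediately and rejects anything beyond the burst with 429.
            limit_req zone=ghost_admin burst=5 nodelay;
            proxy_pass http://127.0.0.1:8040;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location / {
            limit_req zone=ghost_pages burst=20 nodelay;
            proxy_pass http://127.0.0.1:8040;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Check the file with `nginx -t` before reloading, then verify the behaviour by fetching a page in a tight loop from one machine and watching for 429 responses in the access log. Two things to keep in mind: the limit only helps if Nginx is the only way in, so publish the container port on the loopback interface (`127.0.0.1:8040:2368` rather than `8040:2368`) so nobody can reach Ghost directly; and the spam settings from the original question still matter for their own purpose, since they protect the login and sign-up endpoints inside Ghost rather than page views.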

A reminder: try to update ASAP to MySQL 8; all other versions are unsupported ;)


Sorry for the late reply. I didn't get an email notification somehow. Sure, I will go through the links that you have provided. Appreciate your help.

Thanks for the heads up. I will update ASAP.
