CF header limitation for auth login endpoint

dockflare/app/__init__.py

@@ -25,6 +25,7 @@ from flask import Flask
 from flask_wtf.csrf import CSRFProtect
 from flask_login import LoginManager
 from authlib.integrations.flask_client import OAuth
+from flask import request as flask_request
 from flask_limiter import Limiter
 from flask_limiter.util import get_remote_address
 
@@ -44,8 +45,14 @@ log_formatter = logging.Formatter('%(asctime)s [%(levelname)s] %(message)s', dat
 
 oauth = None
 
+def _get_real_ip():
+    return (
+        flask_request.headers.get('CF-Connecting-IP') or
+        get_remote_address()
+    )
+
 limiter = Limiter(
-    key_func=get_remote_address,
+    key_func=_get_real_ip,
     default_limits=[],
     storage_uri=os.environ.get('REDIS_URL', 'memory://')
 )

webmail/docker-entrypoint.sh

@@ -21,6 +21,7 @@ server {
         proxy_set_header Host \$http_host;
         proxy_set_header X-Real-IP \$remote_addr;
         proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header CF-Connecting-IP \$http_cf_connecting_ip;
     }
 
     location = /config.json {