limiter_whitelisting: add tests, update doc

searx/plugins/limiter.py

@@ -5,12 +5,20 @@
 
 To monitor rate limits and protect privacy the IP addresses are getting stored
 with a hash so the limiter plugin knows who to block.  A redis database is
-needed to store the hash values.
+needed to store the hash values. 
+
+It is also possible to bypass the limiter for a specific IP address or subnet 
+using the `whitelist_ip` and `whitelist_subnet` settings.
 
 Enable the plugin in ``settings.yml``:
 
 - ``server.limiter: true``
+- ``server.limiter.whitelist_ip: ['127.0.0.1']``
+- ``server.limiter_whitelist_subnet: ['192.168.0.0/24']``
 - ``redis.url: ...`` check the value, see :ref:`settings redis`
+
+
+
 """
 
 import ipaddress
@@ -41,14 +49,24 @@ WHITELISTED_IPS = get_setting('server.limiter_whitelist_ip', default=[])
 WHITELISTED_SUBNET = get_setting('server.limiter_whitelist_subnet', default=[])
 
 
-def is_whitelist_ip(ip):
+def is_whitelist_ip(ip: str) -> bool:
     '''
     Check if the given IP address belongs to the whitelisted list
     of IP addresses or subnets.
     '''
-    return ip in WHITELISTED_IPS or any(ipaddress.ip_address(ip) in
-                                        ipaddress.ip_network(subnet)
-                                        for subnet in WHITELISTED_SUBNET)
+    # if ip is empty use the source ip
+    if ip == '':
+        ip = request.remote_addr
+    logger.debug("checking whitelist rules for: %s", ip)
+    whitelisted = False
+    try:
+        whitelisted = ip in WHITELISTED_IPS or any(
+            ipaddress.ip_address(ip) in ipaddress.ip_network(subnet) for subnet in WHITELISTED_SUBNET
+        )
+    except ValueError as e:
+        logger.error("Error while checking ratelimiter whitelist: %s", e)
+
+    return whitelisted
 
 
 def is_accepted_request() -> bool:

searx/settings.yml

@@ -72,6 +72,11 @@ server:
   base_url: false  # Possible values: false or "https://example.org/location".
   limiter: false  # rate limit the number of request on the instance, block some bots
 
+  ## If you enabled the rate limiter you can add ips or subnet exceptions,
+  ## uncomment any of the lines below to add you exceptions
+  # limiter_whitelist_ip: ['127.0.0.1'] # disables the rate limiter for localhost
+  # limiter_whitelist_subnet: ['192.168.0.0/24'] # disable the rate limiter for an example home subnet
+
   # If your instance owns a /etc/searxng/settings.yml file, then set the following
   # values there.
 

searx/settings_defaults.py

@@ -174,6 +174,8 @@ SCHEMA = {
         'port': SettingsValue((int, str), 8888, 'SEARXNG_PORT'),
         'bind_address': SettingsValue(str, '127.0.0.1', 'SEARXNG_BIND_ADDRESS'),
         'limiter': SettingsValue(bool, False),
+        'limiter_whitelist_ip': SettingsValue(list, []),
+        'limiter_whitelist_subnet': SettingsValue(list, []),
         'secret_key': SettingsValue(str, environ_name='SEARXNG_SECRET'),
         'base_url': SettingsValue((False, str), False, 'SEARXNG_BASE_URL'),
         'image_proxy': SettingsValue(bool, False),