problem: no traffic policing that keeps Forgejo available #12388

Open
opened 2026-05-03 01:51:22 +02:00 by Gusted · 0 comments
Gusted commented 2026-05-03 01:51:22 +02:00 (Migrated from codeberg.org)

Does your problem still exist on the latest Forgejo version?

Yes, the problem still exists (tested locally with the latest development version)

About your usage of Forgejo

Contributor of Forgejo
Member of the Forgejo security team.
Self-hosts Forgejo.
Co-Maintainer of Codeberg.org's Forgejo instance.

Problem description

This issue was created as part of https://floss.social/@forgejo/116494296646568723.


If you put a Forgejo instance on the internet, there's no rate limiting, no max connections, no max timeout of a request. Even if you put it behind a reverse proxy, it typically requires configuration to set such policies.

Forgejo should have some basic and simple traffic policies that can keep Forgejo available against most simple attacks that can DoS Forgejo.

Rate limiting could for example have a base that applies to all requests, then you have git endpoints (blame, compare, viewing files, viewing pull request files), authentication (login, registration), archive (forgejo/forgejo#7011).

Max connections and timeouts require some work with the net/http library to make that possible and efficient.

Large instances, such as Codeberg, likely will not benefit from this due to their unique use cases: rate limiting with complex matching conditions, flexible timeouts. These protections are more in-scope for a proper reverse proxy that sits in front of Forgejo.

Potential workarounds

  • Documentation of rate limiting and overload protection for popular reverse proxies.
  • Simple rate limiter within Forgejo; this is possible, I have a patch.
  • Implement a server-side max timeout for each request, although likely better at the reverse proxy level.

Forgejo Version

N/A

Other details about your environment (software names and versions)

N/A

Solutions

Accepted solutions to address this problem will go here
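The following is an added example, not code from the issue or from Forgejo, showing the shape of the "basic and simple traffic policies" the issue asks for, in Go because that is Forgejo's language: a per-client token-bucket limiter with a base bucket for all requests and stricter buckets for the authentication and expensive git classes, a cap on in-flight requests, and an http.Server with the timeouts that http.ListenAndServe leaves at zero. The route patterns, limits and timeout values are assumptions for illustration and do not reflect Forgejo's routing table or any settings it ships; the request sequence in Scenario is constructed input.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// bucket is one token bucket; it refills continuously at the limiter's rate.
type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter keeps one bucket per client key. Caveat: the map is never pruned here;
// a real limiter must sweep idle keys or it becomes a memory-exhaustion vector.
type Limiter struct {
	mu     sync.Mutex
	rate   float64 // tokens per second
	burst  float64 // bucket capacity
	bucket map[string]*bucket
	now    func() time.Time // injectable clock; Scenario freezes it for determinism
}

func NewLimiter(ratePerSec float64, burst int) *Limiter {
	return &Limiter{rate: ratePerSec, burst: float64(burst), bucket: map[string]*bucket{}, now: time.Now}
}

// Allow refills the bucket for key, then takes one token; false means reject.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.bucket[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.bucket[key] = b
	}
	b.tokens += now.Sub(b.last).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Policy: one base bucket for every request plus stricter buckets for the classes
// the issue names. The path patterns are assumed for illustration only.
type Policy struct{ Base, Auth, Expensive *Limiter }

func (p Policy) classify(r *http.Request) *Limiter {
	path := r.URL.Path
	switch {
	case path == "/user/login", path == "/user/sign_up":
		return p.Auth
	case strings.Contains(path, "/blame/"), strings.Contains(path, "/compare/"),
		strings.Contains(path, "/archive/"), strings.HasSuffix(path, "/files"):
		return p.Expensive
	}
	return nil
}

// clientKey uses the TCP peer. Behind a reverse proxy that is the proxy's IP;
// take X-Forwarded-For only from trusted proxies, or attackers choose their bucket.
func clientKey(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

func reject(w http.ResponseWriter, code int, msg string) {
	w.Header().Set("Retry-After", "1")
	http.Error(w, msg, code)
}

// Wrap enforces the base bucket on every request, then the class bucket if any.
func (p Policy) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key := clientKey(r)
		if !p.Base.Allow(key) {
			reject(w, http.StatusTooManyRequests, "rate limit exceeded")
			return
		}
		if class := p.classify(r); class != nil && !class.Allow(key) {
			reject(w, http.StatusTooManyRequests, "rate limit exceeded")
			return
		}
		next.ServeHTTP(w, r)
	})
}

// LimitInFlight caps concurrent requests with a semaphore and sheds the excess
// immediately rather than queueing goroutines that hold memory and connections.
func LimitInFlight(n int, next http.Handler) http.Handler {
	sem := make(chan struct{}, n)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case sem <- struct{}{}:
			defer func() { <-sem }()
			next.ServeHTTP(w, r)
		default:
			reject(w, http.StatusServiceUnavailable, "server busy")
		}
	})
}

// NewServer sets the timeouts http.ListenAndServe leaves unbounded (values assumed).
// Caveat: http.TimeoutHandler buffers the whole response and WriteTimeout bounds
// it end to end, so streaming git smart-HTTP routes need a separate, larger budget.
func NewServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           http.TimeoutHandler(h, 60*time.Second, "request timed out"),
		ReadHeaderTimeout: 5 * time.Second, // stops slowloris-style header trickling
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      5 * time.Minute,
		IdleTimeout:       90 * time.Second,
	}
}

// Probe pushes one synthetic request through h and returns the status code.
func Probe(h http.Handler, method, path, remote string) int {
	r := httptest.NewRequest(method, path, nil)
	r.RemoteAddr = remote
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

// Scenario (constructed input, frozen clock): four logins from one client trip
// the auth bucket (burst 3) on the fourth; a second client, and a plain page from
// the first client, still pass because only that client's auth bucket is empty.
func Scenario() []int {
	frozen := time.Unix(1700000000, 0)
	clock := func() time.Time { return frozen }
	p := Policy{Base: NewLimiter(20, 100), Auth: NewLimiter(0.2, 3), Expensive: NewLimiter(2, 10)}
	p.Base.now, p.Auth.now, p.Expensive.now = clock, clock, clock
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := LimitInFlight(64, p.Wrap(ok))
	var codes []int
	for i := 0; i < 4; i++ {
		codes = append(codes, Probe(h, "POST", "/user/login", "203.0.113.7:40001"))
	}
	codes = append(codes, Probe(h, "POST", "/user/login", "198.51.100.9:40002"))
	codes = append(codes, Probe(h, "GET", "/owner/repo", "203.0.113.7:40001"))
	return codes // [200 200 200 429 200 200]
}
```

To serve with it, build the chain as in Scenario and call `NewServer(":3000", h).ListenAndServe()`. The base bucket is charged before the class bucket, so rejected requests still cost base tokens and a client hammering the login form cannot keep its base budget full. Keying on the peer address is the safe default for a bare instance; the moment a proxy is in front, the key must come from a forwarded header that only the trusted proxy can set, which is the configuration burden the issue describes.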
