Automated Moderation System (optional)
The Automated Moderation System uses a scoring mechanism to track user violations. As users commit actions like excessive logins, registrations, or messaging, they accumulate violation scores. Upon reaching a set threshold, the user and their IP are temporarily banned. This system ensures platform security by monitoring and penalizing rapid or suspicious activities.
In production, you should have Cloudflare or some other DDoS protection in place to really protect the server from excessive requests, but these changes will largely protect you from a single bad actor, or several, targeting your deployed instance for proxying.
For further details, refer to the user guide provided here: Automated Moderation
Setup
The following are all of the environment variables used to enable and configure the mod system. They are also listed in the /.env.example file and are to be set in your own .env file.
Note: currently, most of these values are configured through the .env file, but they may soon migrate to be exclusively configured from the librechat.yaml config file.
Violation, Interval, Duration
Key | Type | Description | Example |
---|---|---|---|
BAN_VIOLATIONS | boolean | Whether or not to enable banning users for violations (they will still be logged). | BAN_VIOLATIONS=true |
BAN_DURATION | integer | How long the user and associated IP are banned for (in milliseconds). | BAN_DURATION=1000 * 60 * 60 * 2 |
BAN_INTERVAL | integer | The user will be banned every time their score reaches/crosses over the interval threshold. | BAN_INTERVAL=20 |
The score for each violation
Key | Type | Description | Example |
---|---|---|---|
LOGIN_VIOLATION_SCORE | integer | Score for login violations. | LOGIN_VIOLATION_SCORE=1 |
REGISTRATION_VIOLATION_SCORE | integer | Score for registration violations. | REGISTRATION_VIOLATION_SCORE=1 |
CONCURRENT_VIOLATION_SCORE | integer | Score for concurrent violations. | CONCURRENT_VIOLATION_SCORE=1 |
MESSAGE_VIOLATION_SCORE | integer | Score for message violations. | MESSAGE_VIOLATION_SCORE=1 |
NON_BROWSER_VIOLATION_SCORE | integer | Score for non-browser violations. | NON_BROWSER_VIOLATION_SCORE=20 |
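To see how the per-violation scores interact with BAN_INTERVAL, the following added example (not LibreChat's own code) replays a sequence of violations using the Example values from the tables above. The event names, the `parseProduct` and `simulate` helpers, and the floor-based check for crossing the interval are assumptions made for this illustration.

```javascript
// Added illustration, not LibreChat source. Values are the "Example" column entries above.
const env = {
  BAN_VIOLATIONS: 'true',
  BAN_DURATION: '1000 * 60 * 60 * 2',
  BAN_INTERVAL: '20',
  LOGIN_VIOLATION_SCORE: '1',
  MESSAGE_VIOLATION_SCORE: '1',
  NON_BROWSER_VIOLATION_SCORE: '20',
};

// Hypothetical event names mapped to the score keys documented on this page.
const SCORE_KEYS = {
  login: 'LOGIN_VIOLATION_SCORE',
  message: 'MESSAGE_VIOLATION_SCORE',
  non_browser: 'NON_BROWSER_VIOLATION_SCORE',
};

// Parse "a * b * c" products of non-negative integers without eval().
// Assumption: only this form is accepted here; anything else is rejected.
function parseProduct(expr) {
  const parts = String(expr).split('*').map((p) => p.trim());
  if (!parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`bad numeric value: ${expr}`);
  }
  return parts.reduce((acc, p) => acc * Number(p), 1);
}

// Replay violations in order and report which ones would trigger a ban.
function simulate(events, cfg = env) {
  const interval = parseProduct(cfg.BAN_INTERVAL);
  const durationMs = parseProduct(cfg.BAN_DURATION);
  const enabled = cfg.BAN_VIOLATIONS === 'true';
  let score = 0;
  const bans = [];
  events.forEach((type, eventIndex) => {
    const prev = score;
    score += parseProduct(cfg[SCORE_KEYS[type]]);
    // A ban fires when the running score reaches or crosses a new multiple of the interval.
    const crossed = Math.floor(score / interval) > Math.floor(prev / interval);
    if (enabled && crossed) bans.push({ eventIndex, score, durationMs });
  });
  return { score, bans }; // with BAN_VIOLATIONS off, the score is still tracked
}
```

With these values a single non-browser violation (score 20) reaches BAN_INTERVAL on its own, while it takes twenty login or message violations to do the same.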
Login and registration rate limiting.
Key | Type | Description | Example |
---|---|---|---|
LOGIN_MAX | number | The max amount of logins allowed per IP per LOGIN_WINDOW. Defaults to `7`. | |
LOGIN_WINDOW | number | In minutes, determines the window of time for LOGIN_MAX logins. Defaults to `5`. | |
REGISTER_MAX | number | The max amount of registrations allowed per IP per REGISTER_WINDOW. Defaults to `5`. | |
REGISTER_WINDOW | number | In minutes, determines the window of time for REGISTER_MAX registrations. Defaults to `60`. | |
Message rate limiting
Key | Type | Description | Example |
---|---|---|---|
LIMIT_CONCURRENT_MESSAGES | boolean | Whether to limit the amount of messages a user can send per request. | LIMIT_CONCURRENT_MESSAGES=true |
CONCURRENT_MESSAGE_MAX | integer | The max amount of messages a user can send per request. | CONCURRENT_MESSAGE_MAX=2 |
Note: You can utilize both limiters, but the default is to limit by IP only.
Message rate limiting (per IP)
Key | Type | Description | Example |
---|---|---|---|
LIMIT_MESSAGE_IP | boolean | Whether to limit the amount of messages an IP can send per `MESSAGE_IP_WINDOW`. | LIMIT_MESSAGE_IP=true |
MESSAGE_IP_MAX | integer | The max amount of messages an IP can send per `MESSAGE_IP_WINDOW`. | MESSAGE_IP_MAX=40 |
MESSAGE_IP_WINDOW | integer | In minutes, determines the window of time for `MESSAGE_IP_MAX` messages. | MESSAGE_IP_WINDOW=1 |
Message rate limiting (per User)
Key | Type | Description | Example |
---|---|---|---|
LIMIT_MESSAGE_USER | boolean | Whether to limit the amount of messages a user can send per `MESSAGE_USER_WINDOW`. | LIMIT_MESSAGE_USER=false |
MESSAGE_USER_MAX | integer | The max amount of messages a user can send per `MESSAGE_USER_WINDOW`. | MESSAGE_USER_MAX=40 |
MESSAGE_USER_WINDOW | integer | In minutes, determines the window of time for `MESSAGE_USER_MAX` messages. | MESSAGE_USER_WINDOW=1 |
Illegal model requests
Note: Illegal model requests are almost always nefarious, as they mean a third party is attempting to access the server through an automated script. For this, I recommend a relatively high score, no less than 5.
Key | Type | Description | Example |
---|---|---|---|
ILLEGAL_MODEL_REQ_SCORE | integer | Score for illegal model requests. | ILLEGAL_MODEL_REQ_SCORE=5 |
OpenAI text moderation
Key | Type | Description | Example |
---|---|---|---|
OPENAI_MODERATION | boolean | Whether or not to enable OpenAI moderation on the **OpenAI** and **Plugins** endpoints. | OPENAI_MODERATION=false |
OPENAI_MODERATION_API_KEY | string | Your OpenAI API key. | OPENAI_MODERATION_API_KEY= |
Note that this might not work with all reverse proxies:
Key | Type | Description | Example |
---|---|---|---|
OPENAI_MODERATION_REVERSE_PROXY | string | Note: Commented out by default; this does not work with all reverse proxies. | # OPENAI_MODERATION_REVERSE_PROXY= |