Automated Moderation System (optional)

The Automated Moderation System uses a scoring mechanism to track user violations. As users commit actions like excessive logins, registrations, or messaging, they accumulate violation scores. Upon reaching a set threshold, the user and their IP are temporarily banned. This system ensures platform security by monitoring and penalizing rapid or suspicious activities.

In production, you should have Cloudflare or another DDoS protection service in place to properly protect the server from excessive requests, but these settings will largely protect you from a single bad actor, or a handful of them, targeting your deployed instance for proxying.

For further details, refer to the user guide provided here: Automated Moderation

Setup

The following environment variables configure the moderation system. They are also listed in the /.env.example file and are to be set in your own .env file.

Note: currently, most of these values are configured through the .env file, but they may soon migrate to be exclusively configured from the librechat.yaml config file.

Violation, Interval, Duration

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| BAN_VIOLATIONS | boolean | Whether or not to enable banning users for violations (they will still be logged). | `BAN_VIOLATIONS=true` |
| BAN_DURATION | integer | How long the user and associated IP are banned for (in milliseconds). | `BAN_DURATION=1000 * 60 * 60 * 2` |
| BAN_INTERVAL | integer | The user will be banned every time their score reaches/crosses over the interval threshold. | `BAN_INTERVAL=20` |

The score for each violation

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| LOGIN_VIOLATION_SCORE | integer | Score for login violations. | `LOGIN_VIOLATION_SCORE=1` |
| REGISTRATION_VIOLATION_SCORE | integer | Score for registration violations. | `REGISTRATION_VIOLATION_SCORE=1` |
| CONCURRENT_VIOLATION_SCORE | integer | Score for concurrent violations. | `CONCURRENT_VIOLATION_SCORE=1` |
| MESSAGE_VIOLATION_SCORE | integer | Score for message violations. | `MESSAGE_VIOLATION_SCORE=1` |
| NON_BROWSER_VIOLATION_SCORE | integer | Score for non-browser violations. | `NON_BROWSER_VIOLATION_SCORE=20` |
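To see how the per-violation scores interact with BAN_INTERVAL, the following added example (not LibreChat's own code) replays a constructed list of violations for one user and reports when bans would fire. The helper name `replayViolations`, the event shape, and the assumptions that a ban fires whenever the running score enters a new multiple of BAN_INTERVAL and that the score is not reset between events are illustrative, based on the descriptions in the tables above.

```javascript
// Added example: a model of the scoring rule this page describes, not LibreChat's code.
// Values below are the example settings from the tables above.
const config = {
  BAN_VIOLATIONS: true,
  BAN_DURATION: 1000 * 60 * 60 * 2, // milliseconds (2 hours)
  BAN_INTERVAL: 20,
  scores: { login: 1, registration: 1, concurrent: 1, message: 1, non_browser: 20 },
};

// Hypothetical helper: replay one user's violations and list the bans that result.
// Assumptions: a ban fires each time the running score enters a new multiple of
// BAN_INTERVAL, and the score is not reset between events.
function replayViolations(events, cfg) {
  if (!Number.isInteger(cfg.BAN_INTERVAL) || cfg.BAN_INTERVAL <= 0) {
    throw new Error('BAN_INTERVAL must be a positive integer');
  }
  let score = 0;
  const bans = [];
  for (const { t, type } of events) {
    const weight = cfg.scores[type];
    if (!Number.isInteger(weight)) throw new Error(`no score configured for "${type}"`);
    const before = Math.floor(score / cfg.BAN_INTERVAL);
    score += weight; // violations are always counted, even when banning is off
    const after = Math.floor(score / cfg.BAN_INTERVAL);
    if (cfg.BAN_VIOLATIONS && after > before) {
      bans.push({ at: t, score, trigger: type, expires: t + cfg.BAN_DURATION });
    }
  }
  return { score, bans };
}

// Constructed sample: 19 message violations one second apart, one login violation,
// then a single non-browser request after the first ban has expired (times in ms).
const sampleEvents = [
  ...Array.from({ length: 19 }, (_, i) => ({ t: i * 1000, type: 'message' })),
  { t: 20000, type: 'login' },
  { t: 7221000, type: 'non_browser' },
];

const result = replayViolations(sampleEvents, config);
for (const ban of result.bans) {
  console.log(`ban at t=${ban.at}ms (score ${ban.score}, via ${ban.trigger}), lifts at t=${ban.expires}ms`);
}
```

With these example values, twenty low-score violations are needed for the first ban, while a single non-browser violation always crosses a threshold because its score equals BAN_INTERVAL.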

Login and registration rate limiting.

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| LOGIN_MAX | number | The max amount of logins allowed per IP per LOGIN_WINDOW. Defaults to `7`. | |
| LOGIN_WINDOW | number | In minutes, determines the window of time for LOGIN_MAX logins. Defaults to `5`. | |
| REGISTER_MAX | number | The max amount of registrations allowed per IP per REGISTER_WINDOW. Defaults to `5`. | |
| REGISTER_WINDOW | number | In minutes, determines the window of time for REGISTER_MAX registrations. Defaults to `60`. | |

Message rate limiting

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| LIMIT_CONCURRENT_MESSAGES | boolean | Whether to limit the amount of messages a user can send per request. | `LIMIT_CONCURRENT_MESSAGES=true` |
| CONCURRENT_MESSAGE_MAX | integer | The max amount of messages a user can send per request. | `CONCURRENT_MESSAGE_MAX=2` |

Note: You can use both limiters, but the default is to limit by IP only.

Message rate limiting (per IP)

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| LIMIT_MESSAGE_IP | boolean | Whether to limit the amount of messages an IP can send per `MESSAGE_IP_WINDOW`. | `LIMIT_MESSAGE_IP=true` |
| MESSAGE_IP_MAX | integer | The max amount of messages an IP can send per `MESSAGE_IP_WINDOW`. | `MESSAGE_IP_MAX=40` |
| MESSAGE_IP_WINDOW | integer | In minutes, determines the window of time for `MESSAGE_IP_MAX` messages. | `MESSAGE_IP_WINDOW=1` |

Message rate limiting (per User)

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| LIMIT_MESSAGE_USER | boolean | Whether to limit the amount of messages a user can send per `MESSAGE_USER_WINDOW`. | `LIMIT_MESSAGE_USER=false` |
| MESSAGE_USER_MAX | integer | The max amount of messages a user can send per `MESSAGE_USER_WINDOW`. | `MESSAGE_USER_MAX=40` |
| MESSAGE_USER_WINDOW | integer | In minutes, determines the window of time for `MESSAGE_USER_MAX` messages. | `MESSAGE_USER_WINDOW=1` |

Illegal model requests

Note: Illegal model requests are almost always nefarious, as they mean a third party is attempting to access the server through an automated script. For this, I recommend a relatively high score, no less than 5.

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| ILLEGAL_MODEL_REQ_SCORE | integer | Score for illegal model requests. | `ILLEGAL_MODEL_REQ_SCORE=5` |

OpenAI text moderation

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| OPENAI_MODERATION | boolean | Whether or not to enable OpenAI moderation on the **OpenAI** and **Plugins** endpoints. | `OPENAI_MODERATION=false` |
| OPENAI_MODERATION_API_KEY | string | Your OpenAI API key. | `OPENAI_MODERATION_API_KEY=` |

Note that this might not work with all reverse proxies:

| Key | Type | Description | Example |
| --- | --- | --- | --- |
| OPENAI_MODERATION_REVERSE_PROXY | string | Note: Commented out by default; this does not work with all reverse proxies. | `# OPENAI_MODERATION_REVERSE_PROXY=` |