[GH-ISSUE #144] UnifiedPush: Rate limiting issues with matrix.gateway.unifiedpush.org and up.schildi.chat #121

New issue

Closed

opened 2026-05-07 00:20:13 +02:00 by BreizhHardware · 11 comments

BreizhHardware commented 2026-05-07 00:20:13 +02:00

Owner

Copy link

Originally created by @binwiederhier on GitHub (Feb 14, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/144

On ntfy.sh, I'm seeing the IPs of matrix.gateway.unifiedpush.org and up.schildi.chat being heavily rate limited. We need to find a solution, or otherwise message delivery will keep on being severely impacted.

Originally created by @binwiederhier on GitHub (Feb 14, 2022). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/144 On ntfy.sh, I'm seeing the IPs of matrix.gateway.unifiedpush.org and up.schildi.chat being heavily rate limited. We need to find a solution, or otherwise message delivery will keep on being severely impacted.

BreizhHardware 2026-05-07 00:20:13 +02:00

• closed this issue
• added the
  🪲 bug
  unified-push
  server
  labels

BreizhHardware commented 2026-05-07 00:20:14 +02:00

Author

Owner

Copy link

@karmanyaahm commented on GitHub (Feb 14, 2022):

could you add a temporary exception for those two IPs as we work out a solution? perhaps just an if ip!=xyz { apply rate limit }
It's not a proper solution but should solve the problem while we develop a proper solution

Also, thanks for pointing out this issue, has it been happening for long or has it just started now?

<!-- gh-comment-id:1039434168 --> @karmanyaahm commented on GitHub (Feb 14, 2022): could you add a temporary exception for those two IPs as we work out a solution? perhaps just an `if ip!=xyz { apply rate limit }` It's not a proper solution but should solve the problem while we develop a proper solution Also, thanks for pointing out this issue, has it been happening for long or has it just started now?

BreizhHardware commented 2026-05-07 00:20:14 +02:00

Author

Owner

Copy link

@karmanyaahm commented on GitHub (Feb 14, 2022):

To restate the problem here on Github:

They're the default gateways for ntfy.sh (for fluffychat and schildichat respectively) so all users' messages are being forwarded through those two. Having an exception for those two is probably the simplest solution, however, it's unsustainable as more apps are supported. Even ignoring the gateway, a server with a large number of users (like matrix.org) would start seeing similar problems soon.

The best solution imho is per-endpoint rate limiting, but that can be bypassed by creating multiple endpoints. This is a problem that was missed earlier, since topics in ntfy are not the property of authenticated users (like in Gotify/Nextpush) but rather are created on message send.

<!-- gh-comment-id:1039437383 --> @karmanyaahm commented on GitHub (Feb 14, 2022): To restate the problem here on Github: They're the default gateways for [ntfy.sh](http://ntfy.sh/) (for fluffychat and schildichat respectively) so all users' messages are being forwarded through those two. Having an exception for those two is probably the simplest solution, however, it's unsustainable as more apps are supported. Even ignoring the gateway, a server with a large number of users (like [matrix.org](http://matrix.org/)) would start seeing similar problems soon. The best solution imho is per-endpoint rate limiting, but that can be bypassed by creating multiple endpoints. This is a problem that was missed earlier, since topics in ntfy are not the property of authenticated users (like in Gotify/Nextpush) but rather are created on message send.

BreizhHardware commented 2026-05-07 00:20:14 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 14, 2022):

Also, thanks for pointing out this issue, has it been happening for long or has it just started now?

From the logs it looks like for 2 weeks or so.

could you add a temporary exception for those two IPs as we work out a solution?

I think that's what it'll be. A rate-limits-exclude-ips setting in the config or something like that. It's not all that unsustainable if I only ever have to add an app every couple of weeks. It's not like ntfy is gonna be the new Google soon.

It'd be cool if the gateway could use some sort of credentials, then I could tie the rate limits to the "app" as opposed to the IP address. But that's likely not in the spec.

The best solution imho is per-endpoint rate limiting

As you have stated, that's not sufficient, because people could just create many many topics and circumvent the limits.

<!-- gh-comment-id:1039447541 --> @binwiederhier commented on GitHub (Feb 14, 2022): > Also, thanks for pointing out this issue, has it been happening for long or has it just started now? From the logs it looks like for 2 weeks or so. > could you add a temporary exception for those two IPs as we work out a solution? I think that's what it'll be. A `rate-limits-exclude-ips` setting in the config or something like that. It's not all that unsustainable if I only ever have to add an app every couple of weeks. It's not like ntfy is gonna be the new Google soon. It'd be cool if the gateway could use some sort of credentials, then I could tie the rate limits to the "app" as opposed to the IP address. But that's likely not in the spec. > The best solution imho is per-endpoint rate limiting As you have stated, that's not sufficient, because people could just create many many topics and circumvent the limits.

BreizhHardware commented 2026-05-07 00:20:14 +02:00

Author

Owner

Copy link

@karmanyaahm commented on GitHub (Feb 14, 2022):

gateway could use some sort of credentials, then I could tie the rate limits to the "app"

The endpoint URL is that credential.

One possible way to use that could be to check ratelimit := perEndpoint[endpoint] if (endpoint has been recently subscribed to) else global. This then restricts topics based on the subscription rate limits.

<!-- gh-comment-id:1039506860 --> @karmanyaahm commented on GitHub (Feb 14, 2022): > gateway could use some sort of credentials, then I could tie the rate limits to the "app" The endpoint URL is that credential. One possible way to use that could be to check `ratelimit := perEndpoint[endpoint] if (endpoint has been recently subscribed to) else global`. This then restricts topics based on the subscription rate limits.

BreizhHardware commented 2026-05-07 00:20:14 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 14, 2022):

The endpoint URL is that credential.

I don't fully follow. Can you elaborate on that?

One possible way to use that could be to check ..

Because endpoints can be freely chosen, I have to maintain a global per-IP limit, because there is no auth.

Rate limiting on a per-endpoint basis can be an additional measure to prevent individual users being abusing in UP-land (e.g. 5 messages per 10s for each topic), but overall this doesn't work even if the volume on the individual endpoints is low.

Example: If you have 6 endpoints, each publishing 1 message every 10 seconds, you've already reached the global rate limit of 1 message per 10s per IP (that's what ntfy.sh is set to; with an initial burst of 60 messages).

<!-- gh-comment-id:1039528360 --> @binwiederhier commented on GitHub (Feb 14, 2022): > The endpoint URL is that credential. I don't fully follow. Can you elaborate on that? > One possible way to use that could be to check .. Because endpoints can be freely chosen, I have to maintain a global per-IP limit, because there is no auth. Rate limiting on a per-endpoint basis can be an additional measure to prevent individual users being abusing in UP-land (e.g. 5 messages per 10s for each topic), but overall this doesn't work even if the volume on the individual endpoints is low. Example: If you have 6 endpoints, each publishing 1 message every 10 seconds, you've already reached the global rate limit of 1 message per 10s per IP (that's what ntfy.sh is set to; with an initial burst of 60 messages).

BreizhHardware commented 2026-05-07 00:20:14 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 14, 2022):

Here's a working implementation that I could put live tonight: https://github.com/binwiederhier/ntfy/pull/145/files

I'll likely also increase the other rate limits a bit, and update the docs accordingly.

<!-- gh-comment-id:1039563709 --> @binwiederhier commented on GitHub (Feb 14, 2022): Here's a working implementation that I could put live tonight: https://github.com/binwiederhier/ntfy/pull/145/files I'll likely also increase the other rate limits a bit, and update the docs accordingly.

BreizhHardware commented 2026-05-07 00:20:15 +02:00

Author

Owner

Copy link

@karmanyaahm commented on GitHub (Feb 15, 2022):

I don't fully follow. Can you elaborate on that?
Because endpoints can be freely chosen, I have to maintain a global per-IP limit, because there is no auth.

I don't know how viable these techniques would be, but these are just my thoughts:
Idea 1
The goal is to simulate a list of "valid" topics. Then, rate limits could be per-endpoint (rather than global) for such topics; these limits could be more liberal than the combined global limit (say, 1msg / 10s, same amount but per-endpoint). non "valid" topics continue to exist and are treated with a simple global limit.

There are various ways to judge topics as "valid". Auth is a simple one, but one that core ntfy lacks (and that's good for usability).
Another method more applicable to ntfy to judge "valid" topics could be based on subscriptions. If >1 user is subscribed to the topic for a while (say, >12h/day), that means the topic is probably not spam. And since the number of subscriptions per IP is limited, that basically shifts the burden of rate limiting from the sender to the subscriber.

However, this means a potential abuser can send a lot more messages with just 1 IP - 30 subs * 1msg / 10sec / sub, rather than just 1msg/10sec.

Idea 2
Process incoming messages with a much higher rate limit (say, 10msg / s / IP), but add rate limits to the subscribers (say, 1msg/sec?), and just drop any messages over the limit from being sent to that subscriber. This will limit overuse/abuse of the server for any practical purpose (since sent messages can't be received), but still allows for potential DOS sending attacks.

Overall
This problem is pretty complicated, but the above two are the simplest things that seems like would work to me within these constraints, without having to add exceptions.

Exceptions (along with user-agent logging, which I'll work on for common-proxies soon) are probably the only simple solution though and unless ntfy+UnifiedPush sees crazy scale, exceptions will be the most practical. I'm sure there are some other advanced ways; I'll do research on how webpush servers handle this.

<!-- gh-comment-id:1039873816 --> @karmanyaahm commented on GitHub (Feb 15, 2022): > I don't fully follow. Can you elaborate on that? > Because endpoints can be freely chosen, I have to maintain a global per-IP limit, because there is no auth. I don't know how viable these techniques would be, but these are just my thoughts: **Idea 1** The goal is to simulate a list of "valid" topics. Then, rate limits could be per-endpoint (rather than global) for such topics; these limits could be more liberal than the combined global limit (say, 1msg / 10s, same amount but per-endpoint). non "valid" topics continue to exist and are treated with a simple global limit. There are various ways to judge topics as "valid". Auth is a simple one, but one that core ntfy lacks (and that's good for usability). Another method more applicable to ntfy to judge "valid" topics could be based on subscriptions. If >1 user is subscribed to the topic for a while (say, >12h/day), that means the topic is probably not spam. And since the number of subscriptions per IP is limited, that basically shifts the burden of rate limiting from the sender to the subscriber. However, this means a potential abuser can send a lot more messages with just 1 IP - 30 subs * 1msg / 10sec / sub, rather than just 1msg/10sec. **Idea 2** Process incoming messages with a much higher rate limit (say, 10msg / s / IP), but add rate limits to the subscribers (say, 1msg/sec?), and just drop any messages over the limit from being sent to that subscriber. This will limit overuse/abuse of the server for any practical purpose (since sent messages can't be received), but still allows for potential DOS sending attacks. **Overall** This problem is pretty complicated, but the above two are the simplest things that seems like would work to me within these constraints, without having to add exceptions. Exceptions (along with user-agent logging, which I'll work on for common-proxies soon) are probably the only simple solution though and unless ntfy+UnifiedPush sees crazy scale, exceptions will be the most practical. I'm sure there are some other advanced ways; I'll do research on how webpush servers handle this.

BreizhHardware commented 2026-05-07 00:20:15 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (Feb 16, 2022):

re idea 1:

Auth is a simple one, but one that core ntfy lacks

ntfy has auth now, and I've actually thought about adding configurable limits to users; so this would be in line with the future strategy. The proxies could implement basic auth; though I do not know how much they are "aware" of what they are talking to.

If >1 user is subscribed to the topic for a while (say, >12h/day), that means the topic is probably not spam

That seems like a can of worms to me. I'd really rather not...

re idea 2:

Process incoming messages with a much higher rate limit (say, 10msg / s / IP), but add rate limits to the subscribers (say, 1msg/sec?)

I like your thinking there, but you are right; I'd have to buffer these and store them and that would be impractical. Also, Firebase, for instance or outgoing email is not buffered at all, it's just forwarded to as I get them. So this option is sadly not feasible at all.

---

I think the thing I implemented (exemption based on IP) is alright for now. I'd love it if we could add auth-based exemption or limits instead, but you'll have to answer how feasible that is for the proxies.

I'll close this ticket for now, since the problem is solved, but we can keep discussing here.

<!-- gh-comment-id:1042304098 --> @binwiederhier commented on GitHub (Feb 16, 2022): **re idea 1:** > Auth is a simple one, but one that core ntfy lacks ntfy has auth now, and I've actually thought about adding configurable limits to users; so this would be in line with the future strategy. The proxies could implement basic auth; though I do not know how much they are "aware" of what they are talking to. > If >1 user is subscribed to the topic for a while (say, >12h/day), that means the topic is probably not spam That seems like a can of worms to me. I'd really rather not... **re idea 2:** > Process incoming messages with a much higher rate limit (say, 10msg / s / IP), but add rate limits to the subscribers (say, 1msg/sec?) I like your thinking there, but you are right; I'd have to buffer these and store them and that would be impractical. Also, Firebase, for instance or outgoing email is not buffered at all, it's just forwarded to as I get them. So this option is sadly not feasible at all. --- I think the thing I implemented (exemption based on IP) is alright for now. I'd love it if we could add auth-based exemption or limits instead, but you'll have to answer how feasible that is for the proxies. I'll close this ticket for now, since the problem is solved, but we can keep discussing here.

BreizhHardware commented 2026-05-07 00:20:15 +02:00

Author

Owner

Copy link

@bmarty commented on GitHub (May 7, 2024):

Hello,
It seems that ntfy.sh is rate-limiting request from matrix.org.
From the matrix.org log:

Failed to push data to @userredacted:matrix.org/im.vector.app.android/https://ntfy.sh/upRPREDACTEDWI?up=1: <class 'synapse.http.RequestTimedOutError'> 504: Timeout connecting to remote server

Is there anything we can do to fix this?
Thanks!

<!-- gh-comment-id:2098507527 --> @bmarty commented on GitHub (May 7, 2024): Hello, It seems that ntfy.sh is rate-limiting request from matrix.org. From the matrix.org log: > Failed to push data to @userredacted:matrix.org/im.vector.app.android/https://ntfy.sh/upRPREDACTEDWI?up=1: <class 'synapse.http.RequestTimedOutError'> 504: Timeout connecting to remote server Is there anything we can do to fix this? Thanks!

BreizhHardware commented 2026-05-07 00:20:15 +02:00

Author

Owner

Copy link

@binwiederhier commented on GitHub (May 8, 2024):

@bmarty If you provide hostnames + IP address of the publishers, I am happy to whitelist them.

<!-- gh-comment-id:2099566876 --> @binwiederhier commented on GitHub (May 8, 2024): @bmarty If you provide hostnames + IP address of the publishers, I am happy to whitelist them.

BreizhHardware commented 2026-05-07 00:20:15 +02:00

Author

Owner

Copy link

@bmarty commented on GitHub (May 13, 2024):

Thanks @binwiederhier , here is an official request: https://github.com/binwiederhier/ntfy/issues/1106

<!-- gh-comment-id:2106854937 --> @bmarty commented on GitHub (May 13, 2024): Thanks @binwiederhier , here is an official request: https://github.com/binwiederhier/ntfy/issues/1106

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

dependabot/npm_and_yarn/web/fast-uri-3.1.2

email-verification

attachment-no-http2

attachment-fixes

attachment-s3

config-generator

postgres-replica

dockers-v2

postgres-support

postgres-webpush+user+message

postgres-webpush+user

postgres-webpush

1364-copy-action

crashfix

user-header

scalar-api-docs

cancel-scheduled

update-available

windows-server

303-update-notifications

postgres

admin-ui

require-login

http-clipboard

message-cache-lock

debian-stripe

predefined-users

busy-timeout

template-dir

ipv6

client-ip-header

apns-fix

feat_optional_require_login

security-updates

pg-message-cache

templating-disallow

templating-3

templating-2

message-size-limit+delay-limit

remove-rate-topics

html-emails

cf-priority

acl-underscores

auth-user-header

markdown

img-attach

web-improvements

utf8-headers

matrix-507-reject

http-response-writer

new-homepage-design

e2e

canary

windows

electron

update-messages

webhook-templating

v2.22.0

v2.21.0

v2.20.1

v2.20.0

v2.19.2

v2.19.1

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.14.0

v2.13.0

v2.12.0

v2.11.0

v2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

v2.0.0

v1.31.0

v1.30.1

v1.29.1

v1.29.0

v1.28.0

v1.27.2

v1.27.1

v1.26.0

v1.25.2

v1.25.1

v1.25.0

v1.24.0

v1.23.0

v1.22.0

v1.21.2

v1.21.1

v1.21.0

v1.20.0

v1.19.0

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.0

v1.14.1

v1.14.0

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.2

v1.11.0

v1.10.0

v1.9.0

v1.8.0

v1.7.0

v1.6.1

v1.6.0

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.8

v1.4.7

v1.4.6

v1.4.5

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.3

v1.3.1

v1.3.0

v1.2.5

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

v0.0.5

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

ai-generated

  

android-app

  

android-app

  

android-app

  

🪲 bug

  

build

  

build

  

dependencies

  

docs

  

enhancement

  

enhancement

  

🔥 HOT

  

in-progress 🏃

  

ios

  

prio:low

  

prio:low

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

🔒 security

  

server

  

server

  

unified-push

  

web-app

  

website

No labels

ai-generated

android-app

android-app

android-app

🪲 bug

build

build

dependencies

docs

enhancement

enhancement

🔥 HOT

in-progress 🏃

ios

prio:low

prio:low

pull-request

question

🔒 security

server

server

unified-push

web-app

website

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ntfy#121

No description provided.