Rate Limiting Custom Requests

Rate limiting requests is an approach that is frequently taken where an outright block would be unsuitable, but equally, a frequent request rate to certain URLs, or by certain user agents may be undesirable. Slowing down users that match your criteria is a great way to ensure availability to all users.

! Rate limiting API requests is native to MageStack - read more

MageStack includes a facility to deliberately slow the rate of custom requests, to ensure a production store remains unaffected by an aggressive connections. The rate limit is applied per IP address, so setting a limit will only restrict request rate from a single location. If you have multiple connections, they will maintain their own independent limit.

Options

Five different rate limits are available,

Rate Limit Flag
1 per second (1 / 1s) one_per_second
12 per minute (1 / 5s) one_per_five_seconds
6 per minute (1 / 10s) one_per_ten_seconds
2 per minute (1 / 30s) one_per_thirty_seconds
1 per minute (1 / 60s) one_per_sixty_seconds

Enabling Custom Rate Limiter

To enable rate limiting of custom requests, you need to define the condition to match and the limit variable in your vhosts configuration,

Edit your ___general/example.com.conf (where example.com is your chosen domain), and add your conditions then restart Nginx via Monit.

set $magestack_custom_limit one_per_thirty_seconds;
limit_req zone=custom_one_per_thirty_seconds;

The flag (one_per_thirty_seconds in the example above), can be changed to any of the available flags. Using an invalid flag will result in the rate limiter being disabled.

Examples

Rate limit AJAX search to 1 request per 10 seconds

location ~* ^/(index\.php/)?catalogsearch/(ajax) {
  set $magestack_custom_limit one_per_ten_seconds;
  limit_req zone=custom_one_per_ten_seconds;
}

Rate limit AJAX search to 1 request per 10 seconds, but whitelist given IPs

location ~* ^/(index\.php/)?catalogsearch/(ajax) {
  set $magestack_custom_limit one_per_ten_seconds;
  if ($remote_addr ~ "(my.ip.addr.ess|my.ip.addr.ess)") {
    set $magestack_custom_limit "";
  }
  limit_req zone=custom_one_per_ten_seconds;
}

Rate limit AJAX search to 1 request per 10 seconds, but only for specific country codes and whitelist given IPs

location ~* ^/(index\.php/)?catalogsearch/(ajax) {
  set $magestack_custom_limit one_per_ten_seconds;
  if ($geoip_country_code ~* "(aa)") {
    set $magestack_custom_limit one_per_ten_seconds;
  }
  if ($remote_addr ~ "(my.ip.addr.ess|my.ip.addr.ess)") {
    set $magestack_custom_limit "";
  }
  limit_req zone=custom_one_per_ten_seconds;
}

Rate limit account registration/login

location ~* ^/(index\.php/)?customer/account/(create(post)?|index|login) {
  if ($request_method = "POST") {
    set $magestack_custom_limit one_per_sixty_seconds;
  }
  if ($remote_addr ~ "(my.ip.addr.ess|my.ip.addr.ess)") {
    set $magestack_custom_limit "";
  }
  limit_req zone=custom_one_per_sixty_seconds;
}