Rate Limiting Requests
Table of Contents
- Options
- Enabling Custom Rate Limiter
- Examples
- Rate limit AJAX search to 1 request per 10 seconds
- Rate limit AJAX search to 1 request per 10 seconds, but whitelist given IPs
- Rate limit AJAX search to 1 request per 10 seconds, but only for specific country codes and whitelist given IPs
- Rate limit account registration/login
Rate limiting requests is an approach frequently taken where an outright block would be unsuitable, but a high request rate to certain URLs, or from certain user agents, is still undesirable. Slowing down clients that match your criteria is a good way to preserve availability for all users.
! Rate limiting API requests is native to MageStack.
MageStack includes a facility to deliberately slow the rate of requests matching custom conditions, so that a production store remains unaffected by aggressive connections. The rate limit is applied per client IP address: each address gets its own independent counter, so a limit only restricts the request rate from a single source. Two consequences follow: clients behind a shared NAT or corporate proxy share one counter, and an attacker spreading requests across many addresses is not slowed by this alone. If a CDN or reverse proxy sits in front of the store, the limit is only meaningful if Nginx sees the real client address rather than the proxy's.
Options
Five different rate limits are available:

| Rate Limit | Flag |
|---|---|
| 1 per second (1 / 1s) | one_per_second |
| 12 per minute (1 / 5s) | one_per_five_seconds |
| 6 per minute (1 / 10s) | one_per_ten_seconds |
| 2 per minute (1 / 30s) | one_per_thirty_seconds |
| 1 per minute (1 / 60s) | one_per_sixty_seconds |
Enabling Custom Rate Limiter
To enable rate limiting of custom requests, you need to define the condition to match and the limit variable in your vhost configuration.
Edit your ___general/example.com.conf (where example.com is your chosen domain), add your conditions, then restart Nginx via Monit.

```nginx
set $magestack_custom_limit one_per_thirty_seconds;
limit_req zone=custom_one_per_thirty_seconds;
```

The flag (one_per_thirty_seconds in the example above) can be any of the available flags, and the zone name is always custom_ followed by the same flag, so the two lines must agree. Using an invalid flag disables the rate limiter for that location; setting the variable to an empty string does the same, which is what the whitelist examples below rely on.
Examples
Rate limit AJAX search to 1 request per 10 seconds
```nginx
location ~* ^/(index\.php/)?catalogsearch/(ajax) {
    set $magestack_custom_limit one_per_ten_seconds;
    limit_req zone=custom_one_per_ten_seconds;
}
```
Rate limit AJAX search to 1 request per 10 seconds, but whitelist given IPs
```nginx
location ~* ^/(index\.php/)?catalogsearch/(ajax) {
    set $magestack_custom_limit one_per_ten_seconds;
    # Exempt trusted addresses by clearing the flag. Escape the dots and anchor
    # the pattern: an unescaped "." matches any character, and an unanchored
    # pattern lets 10.1.2.3 match inside 210.1.2.34 as well.
    if ($remote_addr ~ "^(my\.ip\.addr\.ess|another\.ip\.addr\.ess)$") {
        set $magestack_custom_limit "";
    }
    limit_req zone=custom_one_per_ten_seconds;
}
```
Rate limit AJAX search to 1 request per 10 seconds, but only for specific country codes and whitelist given IPs
```nginx
location ~* ^/(index\.php/)?catalogsearch/(ajax) {
    # Start with no limit, otherwise every country is limited and the
    # country check below changes nothing.
    set $magestack_custom_limit "";
    # "aa" is a placeholder; use the two-letter ISO codes to limit, e.g. "(aa|bb)".
    if ($geoip_country_code ~* "(aa)") {
        set $magestack_custom_limit one_per_ten_seconds;
    }
    # Trusted addresses are exempt regardless of country (escaped and anchored, see above).
    if ($remote_addr ~ "^(my\.ip\.addr\.ess|another\.ip\.addr\.ess)$") {
        set $magestack_custom_limit "";
    }
    limit_req zone=custom_one_per_ten_seconds;
}
```
Rate limit account registration/login
```nginx
location ~* ^/(index\.php/)?customer/account/(create(post)?|index|login) {
    # Only form submissions count; rendering the form with GET stays unlimited.
    if ($request_method = "POST") {
        set $magestack_custom_limit one_per_sixty_seconds;
    }
    # Trusted addresses are exempt (escaped and anchored, see above).
    if ($remote_addr ~ "^(my\.ip\.addr\.ess|another\.ip\.addr\.ess)$") {
        set $magestack_custom_limit "";
    }
    limit_req zone=custom_one_per_sixty_seconds;
}
```
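The examples above assume the custom_* zones exist and that an empty or unknown flag means "do not count this request"; this page does not show how MageStack wires that up. The following is an added, standalone nginx.conf (not MageStack's own configuration) that reconstructs the documented behaviour with stock Nginx directives, so the pattern can be tried on a scratch instance before it goes into a vhost. It also replaces the regex-on-$remote_addr whitelist with a geo table, which matches IPs and CIDR ranges exactly. The zone sizes, the listen port, the GeoIP database path and all addresses are assumptions; the addresses are RFC 5737 documentation ranges, and the country part needs ngx_http_geoip_module.

```nginx
# Added illustration, not MageStack's configuration. Reproduces the documented
# behaviour: the flag in $magestack_custom_limit selects a zone and becomes its
# key; an unknown flag or "" yields an empty key, which limit_req never counts.
# Zone sizes, port, GeoIP path and addresses are assumptions.

events { worker_connections 64; }

http {
    # Flag -> per-client key, one map per zone. Anything but the matching
    # flag produces "" and the request goes uncounted.
    map $magestack_custom_limit $limit_key_one_per_ten_seconds {
        one_per_ten_seconds   $binary_remote_addr;
        default               "";
    }
    map $magestack_custom_limit $limit_key_one_per_sixty_seconds {
        one_per_sixty_seconds $binary_remote_addr;
        default               "";
    }

    # 6r/m is one request per 10s, 1r/m is one per 60s. About 16,000 IPv4
    # client states fit per megabyte of zone.
    limit_req_zone $limit_key_one_per_ten_seconds   zone=custom_one_per_ten_seconds:10m   rate=6r/m;
    limit_req_zone $limit_key_one_per_sixty_seconds zone=custom_one_per_sixty_seconds:10m rate=1r/m;
    limit_req_status    429;    # default is 503; 429 tells clients what happened
    limit_req_log_level warn;

    # Allowlist as a geo table: exact IP/CIDR matching, no regex pitfalls.
    geo $magestack_trusted_ip {
        default         0;
        203.0.113.0/24  1;      # assumed office range
        198.51.100.7    1;      # assumed uptime monitor
    }

    # Country lookup (requires ngx_http_geoip_module; path is an assumption).
    geoip_country /usr/share/GeoIP/GeoIP.dat;
    map $geoip_country_code $magestack_limited_country {
        default 0;
        AA      1;              # placeholder code, as on the page
    }

    server {
        listen      8080;
        server_name example.com;

        # AJAX search: limit only listed countries, never trusted IPs.
        location ~* ^/(index\.php/)?catalogsearch/ajax {
            set $magestack_custom_limit "";
            if ($magestack_limited_country = 1) {
                set $magestack_custom_limit one_per_ten_seconds;
            }
            if ($magestack_trusted_ip = 1) {
                set $magestack_custom_limit "";
            }
            limit_req zone=custom_one_per_ten_seconds;
            return 200 "search\n";
        }

        # Registration/login: count only POSTs, so loading the form stays free.
        location ~* ^/(index\.php/)?customer/account/(create(post)?|index|login) {
            set $magestack_custom_limit "";
            if ($request_method = POST) {
                set $magestack_custom_limit one_per_sixty_seconds;
            }
            if ($magestack_trusted_ip = 1) {
                set $magestack_custom_limit "";
            }
            limit_req zone=custom_one_per_sixty_seconds;
            return 200 "account\n";
        }

        location / { return 200 "ok\n"; }
    }
}
```

Check it with `nginx -t -c /path/to/this.conf`, start it, and issue two `curl -i http://127.0.0.1:8080/catalogsearch/ajax` requests within ten seconds from a non-trusted address in country AA: the second returns 429, while a trusted address or a GET to the login form is never counted. If the GeoIP module is not built in, drop the geoip_country line and the country map. Because `limit_req` here is used without `burst`, anything over the rate is rejected immediately rather than queued; the standard `burst=N` and `nodelay` arguments apply if a short spike should be tolerated.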