The Rate Limit Request phase applies rate limiting to requests that have passed through previous phases. This phase controls the request rate from clients. If a client exceeds the allowed request rate for a defined zone, the system stops further processing of that request.
rate_limit.add_zone
: Adds a request to a rate limit zone. This action does not perform any rate limiting checks.rate_limit.check_zone
: Checks if the current request exceeds the rate limit for the defined zone. If the limit is exceeded, it applies the specified action (e.g., block, challenge, log).starts_with(http.request.uri.path, "/api/")
This rule applies to all requests with a URI path starting with "/api/".
The configuration that applies in the action for this rule:
rate_limit.add_zone:
zone: "api_requests"
key:
- type: "ip"
rate_limit.check_zone:
zone: "api_requests"
action:
type: "block"
status_code: 429
This configuration adds the request to the "api_requests" zone, using the client's IP as the key. It then checks if the request exceeds the rate limit for this zone, blocking it with a 429 status code if it does. For more information on these settings, refer to the Rate limiting section in the vconf documentation.
graph TD
A[Incoming Request] --> B[rate_limit.add_zone]
B --> C[rate_limit.check_zone]
C -->|Within limit| D[Continue Processing]
C -->|Limit exceeded| E[Apply Action]
E --> F[Block/Challenge/Log]
The Rate Limit Request phase provides access to the following fields:
Peakhour.IO provides separate phases for rate limiting:
These separate phases allow for:
This multi-phase approach provides flexibility in implementing rate limiting strategies tailored to specific use cases and security requirements.