Rate Limit Request Late Phase

The Rate Limit Request Late phase occurs after the WAF phase and allows rate limiting based on WAF results.

Available Actions

  • rate_limit.add_zone: Adds a rate limit zone to the current request.
  • rate_limit.check_zone: Checks if the current request is within the rate limit for the defined zone.

Fields

The Rate Limit Request Late phase provides access to the following fields:

Example

The filter matches requests where the WAF has detected an exposed password:

peakhour.waf.exposed_password

The configuration adds the request to the "exposed_password" zone and checks if it exceeds the rate limit:

rate_limit.add_zone:
  zone: "exposed_password"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "exposed_password"
  action:
    type: "challenge"
    status_code: 403

This configuration uses the client's IP as the key and presents a challenge with a 403 status code if the request exceeds the rate limit. For more information on these settings, refer to the Rate limiting section in the vconf documentation.
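The following Python sketch is an added example, not Peakhour code: it models the filter, add_zone and check_zone steps above to show that only WAF-flagged requests consume the zone's per-IP budget. The limit, the window and the sliding-window counting are assumptions, since the page does not state them.

```python
from collections import defaultdict

# Assumed values: the page does not state the zone's limit or window.
LIMIT, WINDOW_SECONDS = 3, 60

class Zone:
    """Sliding-window counter keyed by client IP (simplified model)."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)  # key -> timestamps still in window

    def add(self, key, now):
        # Models rate_limit.add_zone: record this request under its key.
        recent = [t for t in self.hits[key] if now - t < self.window]
        recent.append(now)
        self.hits[key] = recent

    def check(self, key):
        # Models rate_limit.check_zone: True while within the limit.
        return len(self.hits[key]) <= self.limit

def handle(zone, request):
    """Return the status the modelled late phase gives one request."""
    # Filter: only requests the WAF flagged are added to the zone.
    if not request["exposed_password"]:
        return 200
    zone.add(request["ip"], request["ts"])
    # Over the limit: challenge action with status_code 403.
    return 200 if zone.check(request["ip"]) else 403

def replay(requests):
    zone = Zone(LIMIT, WINDOW_SECONDS)
    return [handle(zone, r) for r in requests]

# Constructed sample traffic (documentation-range IPs, seconds as ts).
SAMPLE = [
    {"ip": "203.0.113.7", "ts": 0, "exposed_password": True},
    {"ip": "203.0.113.7", "ts": 5, "exposed_password": False},
    {"ip": "203.0.113.7", "ts": 10, "exposed_password": True},
    {"ip": "203.0.113.7", "ts": 15, "exposed_password": True},
    {"ip": "198.51.100.9", "ts": 16, "exposed_password": True},
    {"ip": "203.0.113.7", "ts": 20, "exposed_password": True},   # 4th flagged
    {"ip": "203.0.113.7", "ts": 21, "exposed_password": False},  # not counted
    {"ip": "203.0.113.7", "ts": 90, "exposed_password": True},   # window expired
]

if __name__ == "__main__":
    for req, status in zip(SAMPLE, replay(SAMPLE)):
        print(req["ip"], req["ts"], req["exposed_password"], status)
```
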

Use Cases

  1. Implement stricter rate limits for requests that trigger WAF rules
  2. Apply rate limiting to specific types of attacks detected by the WAF
  3. Combine WAF results with other request properties for more granular rate limiting
  4. Implement progressive rate limiting based on the severity of WAF detections