Skip to content
A rate limit plugin for caddy
Go Makefile Dockerfile HTML
Branch: master
Clone or download
xuqingfeng Merge pull request #42 from xuqingfeng/issue-38
Lock map before check key exists
Latest commit 25f4055 Sep 2, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github
build
test_site
.dockerignore
.gitignore
.travis.yml
Caddyfile
Dockerfile
LICENSE
Makefile
README.md
caddylimiter.go
caddylimiter_test.go Support limit by request header instead of ip Mar 17, 2019
config.json
main_test.go
ratelimit.go
setup.go
setup_test.go
util.go
util_test.go

README.md

caddy-rate-limit

a rate limit plugin for caddy

Travis CI Go Report Card GoDoc

Syntax

Excessive requests will be terminated with an error 429 (Too Many Requests)! And X-RateLimit-RetryAfter header will be returned.

For single resource:

ratelimit methods path rate burst unit
  • methods are the request methods it will match (comma separately)

  • path is the file or directory to apply rate limit

  • rate is the limited request in every time unit (r/s, r/m, r/h, r/d, r/w) (e.g. 1)

  • burst is the maximum burst size client can exceed; burst >= rate (e.g. 2)

  • unit is the time interval (currently support: second, minute, hour, day, week)

For multiple resources:

ratelimit methods rate burst unit {
    whitelist CIDR,CIDR
    limit_by_header xxx
    status xxx,xxx
    resources
}
  • whitelist is the keyword for whitelist your trusted ips (comma separately). CIDR is the IP range you don't want to perform rate limit. whitelist is a general rule, it won't target for specific resource.
  • limit_by_header is the keyword for matching the request header. Like whitelist, it's also a general rule. Note: normally you shouldn't apply this rule unless the default limit by ip is not what you want and you want to limit by request header(e.g. Authorization).
  • status is the keyword for matching the response status code (comma separately). If this rule is triggered, all subsequent requests from that client will be blocked regardless of which status code is returned or which resource is requested. Note: this won't block resources not defined in ratelimit's config.
  • resources is a list of files/directories to apply rate limit, one per line

Note: If you don't want to apply rate limit on some special resources, add ^ in front of the path.

Examples

Limit clients to 2 requests per second (bursts of 3) to any methods and any resources under /r:

ratelimit * /r 2 3 second

Don't perform rate limit if requests come from 1.2.3.4 or 192.168.1.0/30(192.168.1.0 ~ 192.168.1.3), for the listed paths, limit clients to 2 requests per minute (bursts of 2) if the request method is GET or POST and always ignore /dist/app.js:

ratelimit get,post 2 2 minute {
    whitelist 1.2.3.4/32,192.168.1.0/30
    status *
    /foo.html
    /api
    ^/dist/app.js
}

Download

curl https://getcaddy.com | bash -s personal http.ratelimit

Docker

docker run -d -p 2016:2016 -v `pwd`/Caddyfile:/Caddyfile -v `pwd`/test_site:/test_site --name ratelimit xuqingfeng/caddy-rate-limit

Inspired by

http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

https://github.com/didip/tollbooth

You can’t perform that action at this time.