Rate limiting is a mechanism to manage the flow of incoming traffic to a network. VergeCloud’s Rate Limiting feature enables users to control the number of requests a user can make per specified time period (e.g., per minute, hour, or day). If the request threshold is exceeded, the user's access can be temporarily restricted, enhancing security and optimizing traffic flow. Common uses of rate limiting include:
Rate limiting is widely used to secure websites and APIs. For instance, an online service might apply rate limits to prevent excessive login attempts, thus protecting against brute force attacks. Additionally, public-facing APIs can apply limits to prevent users from overwhelming the system with too many requests, ensuring fair usage and stability.
With VergeCloud's Rate Limiting feature, users can set restrictions on the number of requests from individual IPs to specific routes or to the entire domain over various time periods (seconds, hours, days). Unique policies can be defined for different routes, allowing tailored access control across site resources.
To set up a new rate limit rule, navigate to the VergeCloud dashboard under the CDN section. In the Rate Limits tab, click on Add Rule. Here, you can configure the following fields:
Once all fields are filled in, click Save to apply the rule.
Note: Fields such as Description are optional.
In the Rate Limit module, users can choose how VergeCloud should respond if the request rate for a particular path exceeds the defined limit. Options include blocking further requests or initiating a DDoS challenge. When selecting the DDoS challenge, you can customize the challenge level and its duration.
```bash
curl --location --request POST 'https://napi.vergecloud.com/cdn/4.0/domains/example.com/rate-limit/rules' \
  --header 'accept: application/json' \
  --header 'authorization: API KEY 1 2 3 4' \
  --data-raw '{
    "is_enabled": true,
    "url_pattern": "example.com/**",
    "description": "",
    "exclude_sources": [],
    "rate": 1,
    "burst": 4000000,
    "block_duration": 0,
    "time_duration": 10,
    "allowed_methods": [],
    "action": "challenge",
    "action_details": {
      "mode": 1,
      "ttl": 120,
      "https_only": false
    }
  }'
```
The `mode` parameter has three options: 1 for a cookie challenge, 2 for a JS challenge, and 3 for a captcha challenge. The `ttl` defines, in seconds, how long a passed challenge remains valid.
To validate your rate limit configuration:
Assume you have a contact form at www.example.com/api/contact/form. To prevent DDoS or brute force attacks, you can limit access to this endpoint to 20 requests per day. If this threshold is exceeded, the IP will be blocked for 24 hours. This restriction can be applied through the VergeCloud dashboard or API, excluding the GET method and source IP 1.2.3.4.
```bash
curl --location --request POST 'https://napi.vergecloud.com/cdn/4.0/domains/example.com/rate-limit/rules' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <Bearer Token>' \
  --data-raw '{
    "url_pattern": "example.com/api/contact/form",
    "rate": 20,
    "time_duration": 86400,
    "is_enabled": true,
    "description": "Limit contact form",
    "exclude_sources": [
      "1.2.3.4/32"
    ],
    "burst": 4000000,
    "block_duration": 86400,
    "allowed_methods": [
      "GET"
    ]
  }'
```
VergeCloud evaluates rate limit rules based on priority, starting with the highest priority rule (priority 1). Once a request matches a rule, lower priority rules are ignored for that request. By adjusting priorities, you can apply more lenient or stringent policies to different routes.
Example: To secure the following paths with different priorities:
| Path | Request Count | Time Frame |
|---|---|---|
| example.com/api/login/** | 5 | 60 seconds |
| example.com/api/** | 10 | 60 seconds |

Set the first path with higher priority to ensure specific protection for login attempts, while general traffic to example.com/api/** remains more accessible.
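The priority-ordered, first-match-wins evaluation and the per-IP counting described above, as an added Python model that is not VergeCloud's code and calls no real API. It assumes a fixed counting window of `time_duration` seconds, that `**` matches any remainder of the path, and that a source listed in `exclude_sources` is skipped by that rule and falls through to the next one.

```python
import ipaddress
import re

# Assumption: "**" matches any remainder of the path (slashes included) and
# "*" a single path segment; the page itself only uses "**".
def pattern_to_regex(url_pattern):
    parts = []
    for piece in re.split(r"(\*\*|\*)", url_pattern):
        parts.append({"**": ".*", "*": "[^/]*"}.get(piece, re.escape(piece)))
    return re.compile("^" + "".join(parts) + "$")

class RateLimiter:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["priority"])  # priority 1 is evaluated first
        for r in self.rules:
            r["_regex"] = pattern_to_regex(r["url_pattern"])
            r["_exclude"] = [ipaddress.ip_network(n) for n in r.get("exclude_sources", [])]
        self.windows = {}  # (rule index, ip) -> (window start, request count)
        self.blocked = {}  # (rule index, ip) -> blocked-until timestamp

    def match(self, url, ip):
        addr = ipaddress.ip_address(ip)
        for i, r in enumerate(self.rules):
            if not r["is_enabled"] or not r["_regex"].match(url):
                continue
            # Assumption: an excluded source is not counted by this rule; evaluation continues.
            if any(addr in net for net in r["_exclude"]):
                continue
            return i, r  # first match wins; lower-priority rules are ignored
        return None, None

    def check(self, url, ip, now):
        # Returns "allow", or the matched rule's action ("block"/"challenge") once its rate is exceeded.
        i, r = self.match(url, ip)
        if r is None:
            return "allow"
        key = (i, ip)
        if now < self.blocked.get(key, 0):
            return "block"  # still inside block_duration from an earlier breach
        start, count = self.windows.get(key, (now, 0))
        if now - start >= r["time_duration"]:
            start, count = now, 0  # window expired: start a fresh one
        count += 1
        self.windows[key] = (start, count)
        if count <= r["rate"]:
            return "allow"
        if r.get("block_duration", 0) > 0:
            self.blocked[key] = now + r["block_duration"]
        return r["action"]
```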