akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

chore: clean .gitignore cache

Browse Source
This commit is contained in:
GitHub Actions
2026-01-26 19:21:33 +00:00
parent 1b1b3a70b1
commit e5f0fec5db
1483 changed files with 0 additions and 472793 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
docs/features/rate-limiting.md
View File

@@ -1,113 +0,0 @@
---
title: Rate Limiting
description: Prevent abuse by limiting requests per user or IP address
---
# Rate Limiting
Prevent abuse by limiting how many requests a user or IP address can make. Stop brute-force attacks, API abuse, and resource exhaustion with simple, configurable limits.
## Overview
Rate limiting controls how frequently clients can make requests to your proxied services. When a client exceeds the configured limit, additional requests receive a `429 Too Many Requests` response until the limit resets.
Key concepts:
- **Requests per Second (RPS)** — Sustained request rate allowed
- **Burst Limit** — Short-term spike allowance above RPS
- **Time Window** — Period over which limits are calculated
- **Per-IP Tracking** — Each client IP has independent limits
## Why Use This
- **Brute-Force Prevention** — Stop password guessing attacks
- **API Protection** — Prevent excessive API consumption
- **Resource Management** — Protect backend services from overload
- **Fair Usage** — Ensure equitable access across all users
- **Cost Control** — Limit expensive operations
## Configuration
### Enabling Rate Limiting
1. Navigate to **Proxy Hosts**
2. Edit or create a proxy host
3. Go to the **Advanced** tab
4. Toggle **Rate Limiting** to enabled
5. Configure your limits
### Parameters
| Parameter | Description | Example |
|-----------|-------------|---------|
| **Requests/Second** | Sustained rate limit | `10` = 10 requests per second |
| **Burst Limit** | Temporary spike allowance | `50` = allow 50 rapid requests |
| **Time Window** | Reset period in seconds | `60` = limits reset every minute |
### Understanding Burst vs Sustained Rate
```text
Sustained Rate: 10 req/sec
Burst Limit: 50
Behavior:
- Client can send 50 requests instantly (burst)
- Then limited to 10 req/sec until burst refills
- Burst tokens refill at the sustained rate
```
This allows legitimate traffic spikes (page loads with many assets) while preventing sustained abuse.
### Recommended Configurations
| Use Case | RPS | Burst | Window |
|----------|-----|-------|--------|
| Public website | 20 | 100 | 60s |
| Login endpoint | 5 | 10 | 60s |
| API endpoint | 30 | 60 | 60s |
| Static assets | 100 | 500 | 60s |
## Dashboard Integration
### Status Badge
When rate limiting is enabled, the proxy host displays a **Rate Limited** badge on:
- Proxy host list view
- Host detail page
### Active Summary Card
The dashboard shows an **Active Rate Limiting** summary card displaying:
- Number of hosts with rate limiting enabled
- Current configuration summary
- Link to manage settings
## Response Headers
Rate-limited responses include helpful headers:
```http
HTTP/1.1 429 Too Many Requests
Retry-After: 5
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1642000000
```
Clients can use these headers to implement backoff strategies.
## Best Practices
- **Start Generous** — Begin with higher limits and tighten based on observed traffic
- **Monitor Logs** — Watch for legitimate users hitting limits
- **Separate Endpoints** — Use different limits for different proxy hosts
- **Combine with WAF** — Rate limiting + WAF provides layered protection
## Related
- [Access Control](./access-control.md) — IP-based access restrictions
- [CrowdSec Integration](./crowdsec.md) — Automatic attacker blocking
- [Proxy Hosts](./proxy-hosts.md) — Configure rate limits per host
- [Back to Features](../features.md)