Charon/docs/features/rate-limiting.md

title, description

title	description
Rate Limiting	Prevent abuse by limiting requests per user or IP address

Rate Limiting

Prevent abuse by limiting how many requests a user or IP address can make. Stop brute-force attacks, API abuse, and resource exhaustion with simple, configurable limits.

Overview

Rate limiting controls how frequently clients can make requests to your proxied services. When a client exceeds the configured limit, additional requests receive a 429 Too Many Requests response until the limit resets.

Key concepts:

• Requests per Second (RPS) — Sustained request rate allowed
• Burst Limit — Short-term spike allowance above RPS
• Time Window — Period over which limits are calculated
• Per-IP Tracking — Each client IP has independent limits

Why Use This

• Brute-Force Prevention — Stop password guessing attacks
• API Protection — Prevent excessive API consumption
• Resource Management — Protect backend services from overload
• Fair Usage — Ensure equitable access across all users
• Cost Control — Limit expensive operations

Configuration

Enabling Rate Limiting

1. Navigate to Proxy Hosts
2. Edit or create a proxy host
3. Go to the Advanced tab
4. Toggle Rate Limiting to enabled
5. Configure your limits

Parameters

Parameter	Description	Example
Requests/Second	Sustained rate limit	10 = 10 requests per second
Burst Limit	Temporary spike allowance	50 = allow 50 rapid requests
Time Window	Reset period in seconds	60 = limits reset every minute

Understanding Burst vs Sustained Rate

Sustained Rate: 10 req/sec
Burst Limit: 50

Behavior:
- Client can send 50 requests instantly (burst)
- Then limited to 10 req/sec until burst refills
- Burst tokens refill at the sustained rate

This allows legitimate traffic spikes (page loads with many assets) while preventing sustained abuse.

Recommended Configurations

Use Case	RPS	Burst	Window
Public website	20	100	60s
Login endpoint	5	10	60s
API endpoint	30	60	60s
Static assets	100	500	60s

Dashboard Integration

Status Badge

When rate limiting is enabled, the proxy host displays a Rate Limited badge on:

• Proxy host list view
• Host detail page

Active Summary Card

The dashboard shows an Active Rate Limiting summary card displaying:

• Number of hosts with rate limiting enabled
• Current configuration summary
• Link to manage settings

Response Headers

Rate-limited responses include helpful headers:

HTTP/1.1 429 Too Many Requests
Retry-After: 5
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1642000000

Clients can use these headers to implement backoff strategies.

Best Practices

• Start Generous — Begin with higher limits and tighten based on observed traffic
• Monitor Logs — Watch for legitimate users hitting limits
• Separate Endpoints — Use different limits for different proxy hosts
• Combine with WAF — Rate limiting + WAF provides layered protection

Related

• Access Control — IP-based access restrictions
• CrowdSec Integration — Automatic attacker blocking
• Proxy Hosts — Configure rate limits per host
• Back to Features