1426c6f885
Comprehensive documentation overhaul for Charon features: Rewrite features.md as marketing overview (87% reduction) Create comprehensive dns-challenge.md for new DNS feature Expand 18 feature stub pages into complete documentation: SSL certificates, CrowdSec, WAF, ACLs, rate limiting Security headers, proxy headers, web UI, Docker integration Caddyfile import, logs, WebSocket, backup/restore Live reload, localization, API, UI themes, supply chain security Update README.md with DNS Challenge in Top Features Total: ~2,000+ lines of new user-facing documentation Refs: #21, #461
3.4 KiB
title, description
| title | description |
|---|---|
| Rate Limiting | Prevent abuse by limiting requests per user or IP address |
Rate Limiting
Prevent abuse by limiting how many requests a user or IP address can make. Stop brute-force attacks, API abuse, and resource exhaustion with simple, configurable limits.
Overview
Rate limiting controls how frequently clients can make requests to your proxied services. When a client exceeds the configured limit, additional requests receive a 429 Too Many Requests response until the limit resets.
Key concepts:
- Requests per Second (RPS) — Sustained request rate allowed
- Burst Limit — Short-term spike allowance above RPS
- Time Window — Period over which limits are calculated
- Per-IP Tracking — Each client IP has independent limits
Why Use This
- Brute-Force Prevention — Stop password guessing attacks
- API Protection — Prevent excessive API consumption
- Resource Management — Protect backend services from overload
- Fair Usage — Ensure equitable access across all users
- Cost Control — Limit expensive operations
Configuration
Enabling Rate Limiting
- Navigate to Proxy Hosts
- Edit or create a proxy host
- Go to the Advanced tab
- Toggle Rate Limiting to enabled
- Configure your limits
Parameters
| Parameter | Description | Example |
|---|---|---|
| Requests/Second | Sustained rate limit | 10 = 10 requests per second |
| Burst Limit | Temporary spike allowance | 50 = allow 50 rapid requests |
| Time Window | Reset period in seconds | 60 = limits reset every minute |
Understanding Burst vs Sustained Rate
Sustained Rate: 10 req/sec
Burst Limit: 50
Behavior:
- Client can send 50 requests instantly (burst)
- Then limited to 10 req/sec until burst refills
- Burst tokens refill at the sustained rate
This allows legitimate traffic spikes (page loads with many assets) while preventing sustained abuse.
Recommended Configurations
| Use Case | RPS | Burst | Window |
|---|---|---|---|
| Public website | 20 | 100 | 60s |
| Login endpoint | 5 | 10 | 60s |
| API endpoint | 30 | 60 | 60s |
| Static assets | 100 | 500 | 60s |
Dashboard Integration
Status Badge
When rate limiting is enabled, the proxy host displays a Rate Limited badge on:
- Proxy host list view
- Host detail page
Active Summary Card
The dashboard shows an Active Rate Limiting summary card displaying:
- Number of hosts with rate limiting enabled
- Current configuration summary
- Link to manage settings
Response Headers
Rate-limited responses include helpful headers:
HTTP/1.1 429 Too Many Requests
Retry-After: 5
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1642000000
Clients can use these headers to implement backoff strategies.
Best Practices
- Start Generous — Begin with higher limits and tighten based on observed traffic
- Monitor Logs — Watch for legitimate users hitting limits
- Separate Endpoints — Use different limits for different proxy hosts
- Combine with WAF — Rate limiting + WAF provides layered protection
Related
- Access Control — IP-based access restrictions
- CrowdSec Integration — Automatic attacker blocking
- Proxy Hosts — Configure rate limits per host
- Back to Features