Rate Limit Response

The Rate Limit Response phase adds the current request to rate limit zones based on the characteristics of the response. The zone is then checked on a subsequent request, in the Rate Limit Request phase.

Actions

  • rate_limit.add_zone: Adds a request to a named rate limit zone's counter based on the characteristics of the response (e.g., adding a client to a "failed_logins" zone if the response code is 401). This action does not perform any rate limiting checks itself; the check must be done in a subsequent request in the rate_limit_request or rate_limit_request_late phase. This action requires a key to be defined to identify the client. For a full list of available key types, see the How to Configure Rate Limit Zones guide.

For a detailed guide on creating and using zones, see How to Configure Rate Limit Zones.

Example

The filter matches responses with a 404 status code:

http.response.code == 404

The configuration adds the request to the "not_found_requests" zone, using the client's IP as the key:

rate_limit.add_zone:
  zone: "not_found_requests"
  key:
    - type: "ip"

This configuration enables rate limiting of clients that frequently request non-existent resources.

Flow between Rate Limit Response and Rate Limit Request

graph TD
    A[Response Generated] --> B[rate_limit.add_zone in Response Phase]
    B --> C[Next Request]
    C --> D[rate_limit.check_zone in Request Phase]
    D -->|Within limit| E[Continue Processing]
    D -->|Limit exceeded| F[Apply Action]
    F --> G[Block/Challenge/Log]
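
The flow above, modeled as an added Python example (not the product's own code), showing that the response which pushes a client over the limit is still delivered and enforcement starts on that client's next request. The zone name and the 404 filter come from the example on this page; `LIMIT`, `WINDOW`, the sliding-window counting and all function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

LIMIT = 3        # assumed: counted responses allowed per key within WINDOW
WINDOW = 60.0    # assumed: sliding window length in seconds

zones = defaultdict(lambda: defaultdict(deque))  # zone -> key -> timestamps


def add_zone(zone, key, now):
    """Response phase: count this request in the zone. No check happens here."""
    zones[zone][key].append(now)


def check_zone(zone, key, now):
    """Request phase: return True while the key is within the limit."""
    hits = zones[zone][key]
    while hits and now - hits[0] >= WINDOW:   # expire entries outside the window
        hits.popleft()
    return len(hits) <= LIMIT


def handle(ip, origin_status, now):
    """One request/response cycle; returns 'blocked' or the origin status."""
    if not check_zone("not_found_requests", ip, now):
        return "blocked"                      # origin is never reached
    if origin_status == 404:                  # filter: http.response.code == 404
        add_zone("not_found_requests", ip, now)
    return origin_status


def replay(events):
    """Run (ip, origin_status, time) tuples through a fresh zone store."""
    zones.clear()
    return [handle(ip, status, t) for ip, status, t in events]


# Constructed traffic: one client requesting missing paths, one ordinary client.
SAMPLE = [("198.51.100.7", 404, t) for t in range(6)] + [
    ("203.0.113.9", 200, 6),
    ("203.0.113.9", 404, 7),
    ("198.51.100.7", 200, 70),   # first client returns after the window expired
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", outcome)
```

The fourth 404 exceeds the limit but is still served; only the fifth and sixth requests from that IP are blocked, and the second client's single 404 never affects it because the key is the client IP.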

Fields

The Rate Limit Response phase provides access to the following fields:

Use Cases

  1. Implement rate limiting for clients that frequently encounter errors.
  2. Apply different rate limits based on response content type.
  3. Set rate limits for high-bandwidth responses to ensure fair usage.
  4. Use response headers to determine rate limiting zones.

Importance of Separate Rate Limiting Phases

The separation of rate limiting into Request, Request Late, and Response phases provides several benefits:

  1. Response-based rate limiting: The Rate Limit Response phase allows for rate limiting based on characteristics of the response, which is not possible in earlier phases.
  2. Adaptive rate limiting: By considering both request and response characteristics, more sophisticated rate limiting strategies can be implemented.
  3. Performance optimisation: Adding rate limit zones in the response phase allows for more efficient processing, as rate limits are only applied when necessary based on the response.

This multi-phase approach enables the implementation of complex rate limiting strategies that consider the full request-response cycle.