Rate limit


Last updated 8 months ago


This function allows us to limit the number of requests made to our website. This restriction can be based on the client's IP address (True-Client-IP), a cookie, a URL, or anything else that makes sense for your application.

This function is invoked through the call rate_limit. It relies on two headers being set beforehand: TCDN-WAF-Set-RateLimit-Key and TCDN-WAF-Set-RateLimit-Options. The first one, TCDN-WAF-Set-RateLimit-Key, is optional and simply corresponds to the identifier we use to name the rule we are configuring; if nothing is specified, True-Client-IP is used instead. TCDN-WAF-Set-RateLimit-Options, however, is mandatory and has the following syntax: <limit>:<period>[:<block>][:captcha|:js_challenge]. <limit> determines the maximum number of requests that will be accepted within the specified <period>. Optionally, the <block> parameter sets the duration during which requests will be denied once the limit is reached, and captcha or js_challenge displays a CAPTCHA or a JavaScript challenge when that limit is reached. If the captcha parameter is present and the set limit is reached, the user will be shown a CAPTCHA that they must validate to continue browsing.

This validation will be valid for five minutes. So, if within the following five minutes after that validation, the user reaches the same limit again, the defined block time will be applied if specified. If the validation has expired and the user surpasses this threshold again, a new CAPTCHA will be shown.
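To make the option syntax and the CAPTCHA validity rule concrete, here is an added Python example (it is not Transparent Edge's code and does not run on the edge): a parser that validates a TCDN-WAF-Set-RateLimit-Options value before it goes into a deployment, and an offline simulator that walks a single client through the limit, the challenge and the block window. The grammar and the five-minute validity come from the text above; the fixed-window counting model, the Varnish-style duration suffixes (s, m, h) and the sample client IP are assumptions made for illustration.

```python
"""Parser and offline simulator for TCDN-WAF-Set-RateLimit-Options.

Added example, not Transparent Edge code. Grammar from the documentation:
<limit>:<period>[:<block>][:captcha|:js_challenge]. The counting model
(fixed window per key), the duration suffixes and the sample IP are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

_DURATION = re.compile(r"^(\d+)(s|m|h)$")   # assumed suffix set
_SCALE = {"s": 1, "m": 60, "h": 3600}
CHALLENGES = ("captcha", "js_challenge")
CHALLENGE_VALIDITY = 300  # seconds; the page states five minutes


def parse_duration(text: str) -> int:
    """'30s' -> 30, '2m' -> 120; anything else is rejected."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]


@dataclass
class RateLimitOptions:
    limit: int                       # max accepted requests per period
    period: int                      # seconds
    block: Optional[int] = None      # seconds to deny once the limit is hit
    challenge: Optional[str] = None  # "captcha", "js_challenge" or None


def parse_options(value: str) -> RateLimitOptions:
    """Validate a header value; raises ValueError on anything off-grammar."""
    parts = value.split(":")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"expected 2-4 colon-separated fields, got {value!r}")
    limit, period = int(parts[0]), parse_duration(parts[1])
    if limit <= 0 or period <= 0:
        raise ValueError("limit and period must be positive")
    block: Optional[int] = None
    challenge: Optional[str] = None
    for field in parts[2:]:
        if field in CHALLENGES:
            if challenge is not None:
                raise ValueError("only one of captcha/js_challenge is allowed")
            challenge = field
        elif block is None and challenge is None:
            block = parse_duration(field)   # <block> must precede the challenge
        else:
            raise ValueError(f"unexpected field {field!r} in {value!r}")
    return RateLimitOptions(limit, period, block, challenge)


def is_valid(value: str) -> bool:
    """Convenience check for pre-deployment linting of option strings."""
    try:
        parse_options(value)
        return True
    except ValueError:
        return False


class RateLimiter:
    """Per-key fixed-window counter with block and challenge handling (assumed model)."""

    def __init__(self, opts: RateLimitOptions) -> None:
        self.opts = opts
        self.windows: Dict[str, Tuple[float, int]] = {}  # key -> (window start, count)
        self.blocked_until: Dict[str, float] = {}
        self.validated_until: Dict[str, float] = {}

    def check(self, key: str, now: float) -> str:
        """Return 'allow', 'deny' (a 429) or the configured challenge name."""
        if self.blocked_until.get(key, -1.0) > now:
            return "deny"
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.opts.period:
            start, count = now, 0            # period elapsed: fresh window
        count += 1
        self.windows[key] = (start, count)
        if count <= self.opts.limit:
            return "allow"
        # Limit exceeded. The challenge is shown while no recent validation
        # exists; inside the five-minute validity the block applies instead.
        if self.opts.challenge and self.validated_until.get(key, -1.0) <= now:
            return self.opts.challenge
        if self.opts.block:
            self.blocked_until[key] = now + self.opts.block
        return "deny"

    def pass_challenge(self, key: str, now: float) -> None:
        """Record a solved challenge; validation lasts five minutes per the page."""
        self.validated_until[key] = now + CHALLENGE_VALIDITY
        self.windows.pop(key, None)          # let the user continue (assumption)


def simulate(options_value: str, timestamps: List[float],
             key: str = "203.0.113.7") -> List[str]:
    """Run one key's request timeline through the limiter (key is a constructed IP)."""
    limiter = RateLimiter(parse_options(options_value))
    return [limiter.check(key, t) for t in timestamps]


def captcha_flow() -> Dict[str, str]:
    """Walk the page's 20:1s:30s:captcha scenario for one constructed client."""
    limiter, key = RateLimiter(parse_options("20:1s:30s:captcha")), "203.0.113.7"
    burst = [limiter.check(key, i * 0.01) for i in range(21)]
    result = {"21st_request": burst[-1]}                 # CAPTCHA shown
    limiter.pass_challenge(key, 0.5)                     # user solves it
    again = [limiter.check(key, 1.0 + i * 0.01) for i in range(21)]
    result["after_validation"] = again[-1]               # still validated: 30s block
    result["during_block"] = limiter.check(key, 10.0)
    result["after_block"] = limiter.check(key, 40.0)
    return result
```

The parser enforces the field order the syntax implies (a block duration may only appear before the challenge keyword), so a typo such as "20:1s:captcha:30s" is caught before deployment rather than silently misconfiguring the rule.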

For example, if in our domain www.my-site.com we want to limit each user to a maximum of 20 requests per second, discriminating based on their IP address, and once that limit is reached, block the user for 30 seconds and require them to validate a CAPTCHA, we would deploy a VCL configuration similar to the following:

# rate limit with captcha
sub vcl_recv {
    if (req.http.host == "www.my-site.com") {
        set req.http.TCDN-WAF-Set-RateLimit-Key = req.http.True-Client-IP;
        set req.http.TCDN-WAF-Set-RateLimit-Options = "20:1s:30s:captcha";
        call rate_limit;
    }
}

In this way, once the set limit is reached, subsequent requests from the affected user will be answered with status code 429 (Too Many Requests), or 418 (Robots are not allowed here!) if the CAPTCHA validation was incorrect.

If the JavaScript challenge is selected, the first time a request reaches the rate limit a non-interactive JavaScript challenge is sent to the user's browser to tell bots apart from humans.

# rate limit with javascript challenge
sub vcl_recv {
    if (req.http.host == "www.my-site.com") {
        set req.http.TCDN-WAF-Set-RateLimit-Key = req.http.True-Client-IP;
        set req.http.TCDN-WAF-Set-RateLimit-Options = "20:1s:30s:js_challenge";
        call rate_limit;
    }
}

Obviously, these limits can be set for the entire site or for a specific part of it and can be discriminated based on different criteria, not just the user's IP address. For example, we could consider a usage quota of 30 requests per minute per API key.

# rate limit
sub vcl_recv {
    if (req.http.host == "www.my-site.com") {
        set req.http.TCDN-WAF-Set-RateLimit-Key = "API key=" + req.http.API-Key;
        set req.http.TCDN-WAF-Set-RateLimit-Options = "30:60s";
        call rate_limit;
    }
}

Or, perhaps, allow only a few POST or PUT requests per user:

# rate limit
sub vcl_recv {
    if (req.http.host == "www.my-site.com") {
        if (req.method == "POST" || req.method == "PUT") {
            set req.http.TCDN-WAF-Set-RateLimit-Key = req.http.True-Client-IP;
            set req.http.TCDN-WAF-Set-RateLimit-Options = "2:10s";
            call rate_limit;
        }
    }
}

Obviously, these are just small examples of very specific use cases. If you have any questions about how to integrate this functionality into your own domain, please don't hesitate to contact us via email at soporte@transparentcdn.com.