From da6a085d157f1ce25508f0263f111b19b9c9157c Mon Sep 17 00:00:00 2001 From: Marcin-Ramotowski Date: Tue, 3 Jun 2025 18:31:27 +0200 Subject: [PATCH] Created config to limit all requests amount to specific value --- modsecurity.conf | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 modsecurity.conf diff --git a/modsecurity.conf b/modsecurity.conf new file mode 100644 index 0000000..fab3a75 --- /dev/null +++ b/modsecurity.conf @@ -0,0 +1,51 @@ +# Apache configuration for /api endpoint with authentication and rate limiting + +# Load required modules +# Ensure these modules are enabled in your Apache installation: +# mod_authn_file, mod_authz_user, mod_auth_basic, mod_security2 + +# Define authentication for /api + + AuthType Basic + AuthName "Restricted API Access" + AuthUserFile passwd + Require valid-user + + # Limit the number of requests per user per hour to 100 using mod_security + # mod_security config block + SecRuleEngine On + SecRequestBodyAccess Off + + # Define a collection to track requests by authenticated user + SecAction \ + "id:9000001,\ + phase:1,\ + nolog,\ + pass,\ + initcol:USER=ip=%{REMOTE_ADDR}_user=%{REMOTE_USER}" + + # Increment counter on each request + SecAction \ + "id:9000002,\ + phase:1,\ + nolog,\ + pass,\ + setvar:USER.api_counter=+1,\ + expirevar:USER.api_counter=3600" + + # If counter exceeds 100, deny with status 429 + SecRule USER:api_counter "@gt 3" \ + "id:9000003,\ + phase:1,\ + deny,\ + status:429,\ + log,\ + msg:'API rate limit exceeded for user %{REMOTE_USER}'" + + # Optional: custom error message for 429 + ErrorDocument 429 "429 Too Many Requests - API rate limit exceeded. Please try again later." + + + +# Global error log format (set this outside of ) +ErrorLogFormat "[%t] [%l] [api-auth] [client %a] %M" \ No newline at end of file
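Review bot: The threshold in rule 9000003, `SecRule USER:api_counter "@gt 3" \`, contradicts both the comment directly above it ("If counter exceeds 100") and the file header, so a client is denied from its fourth request per hour onward; if 100 is the intended limit this line should read `SecRule USER:api_counter "@gt 100" \`, otherwise the two comments should be corrected to the value actually enforced. A second concern is that all three rules run in `phase:1`, which mod_security2 evaluates before Apache's authentication stage, so `%{REMOTE_USER}` is very likely still empty when `initcol:USER=ip=%{REMOTE_ADDR}_user=%{REMOTE_USER}` builds the collection key — the counter would then be shared by everyone behind one client IP rather than tracked per user, and the 429 deny would also fire on requests that have not yet passed `Require valid-user`. Changing `phase:1` to `phase:2` in rules 9000001, 9000002 and 9000003 keeps the per-user intent while still blocking before any response is generated; this is inferred from the hook order and should be confirmed against the ModSecurity version in use. Finally, `initcol` depends on persistent collection storage, and this file does not set `SecDataDir`; if that is configured elsewhere a comment such as `# Persistent USER collection requires SecDataDir to be set in the global config` would save the next maintainer from a silently non-counting limiter.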