Created config to limit all requests amount to specific value

2025-06-03 18:31:27 +02:00 · 2025-06-03 18:31:27 +02:00 · da6a085d15
commit da6a085d15
1 changed files with 51 additions and 0 deletions
--- a/modsecurity.conf
+++ b/modsecurity.conf
@ -0,0 +1,51 @@
+# Apache configuration for /api endpoint with authentication and rate limiting
+
+# Load required modules
+# Ensure these modules are enabled in your Apache installation:
+# mod_authn_file, mod_authz_user, mod_auth_basic, mod_security2
+
+# Define authentication for /api
+<Location "/api">
+    AuthType Basic
+    AuthName "Restricted API Access"
+    AuthUserFile passwd
+    Require valid-user
+
+    # Limit the number of requests per user per hour to 100 using mod_security
+    # mod_security config block
+    SecRuleEngine On
+    SecRequestBodyAccess Off
+
+    # Define a collection to track requests by authenticated user
+    SecAction \
+      "id:9000001,\
+       phase:1,\
+       nolog,\
+       pass,\
+       initcol:USER=ip=%{REMOTE_ADDR}_user=%{REMOTE_USER}"
+
+    # Increment counter on each request
+    SecAction \
+      "id:9000002,\
+       phase:1,\
+       nolog,\
+       pass,\
+       setvar:USER.api_counter=+1,\
+       expirevar:USER.api_counter=3600"
+
+    # If counter exceeds 100, deny with status 429
+    SecRule USER:api_counter "@gt 3" \
+       "id:9000003,\
+        phase:1,\
+        deny,\
+        status:429,\
+        log,\
+        msg:'API rate limit exceeded for user %{REMOTE_USER}'"
+
+    # Optional: custom error message for 429
+    ErrorDocument 429 "429 Too Many Requests - API rate limit exceeded. Please try again later."
+
+</Location>
+
+# Global error log format (set this outside of <Location>)
+ErrorLogFormat "[%t] [%l] [api-auth] [client %a] %M"