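# Apache configuration for the /api endpoint: HTTP Basic authentication plus a
# per-user hourly request quota enforced by ModSecurity (mod_security2).
#
# Required modules: mod_authn_file, mod_authz_user, mod_auth_basic, mod_security2.
#
# Server-level prerequisites (these directives are not valid inside <Location>):
#   * SecDataDir must point to a directory writable by the Apache user, otherwise
#     the persistent collection created by initcol below cannot be stored and the
#     counter never survives between requests.
#   * Serve /api over TLS only. Basic auth sends the credentials base64-encoded
#     (effectively plaintext) on every request.

<Location "/api">
    # --- Authentication ----------------------------------------------------
    AuthType Basic
    AuthName "Restricted API Access"
    # Absolute path, outside DocumentRoot, so the password file can never be
    # served as content (a bare relative name resolves against ServerRoot).
    # Create/update it with htpasswd(1); adjust the path for your layout.
    AuthUserFile "/etc/apache2/api.htpasswd"
    Require valid-user

    # --- Rate limiting: 100 requests per authenticated user per hour ---------
    SecRuleEngine On
    SecRequestBodyAccess Off

    # Phase 2, not phase 1: Apache runs authentication after the request headers
    # have been read, so REMOTE_USER is still empty in phase 1 and every client
    # would share a single bucket. By phase 2, 'Require valid-user' has already
    # rejected unauthenticated requests, so REMOTE_USER is populated here.
    # The collection is keyed on the user alone (not user+IP) so that one user
    # moving between addresses still counts against a single quota.
    SecAction \
        "id:9000001,\
        phase:2,\
        nolog,\
        pass,\
        initcol:USER=%{REMOTE_USER}"

    # Count every request, including the ones that end up being denied.
    SecAction \
        "id:9000002,\
        phase:2,\
        nolog,\
        pass,\
        setvar:USER.api_counter=+1"

    # Start the one-hour window only when the counter is first created
    # (counter == 1). Calling expirevar on every request would push the expiry
    # out each time and turn a sustained burst into an open-ended lockout.
    SecRule USER:api_counter "@eq 1" \
        "id:9000004,\
        phase:2,\
        nolog,\
        pass,\
        expirevar:USER.api_counter=3600"

    # Deny the 101st and later requests in the window with 429. The threshold
    # now matches the documented limit of 100 (the original rule compared
    # against 3, which blocked users after only three requests).
    SecRule USER:api_counter "@gt 100" \
        "id:9000003,\
        phase:2,\
        deny,\
        status:429,\
        log,\
        msg:'API rate limit exceeded for user %{REMOTE_USER}'"

    # Body returned on 429; kept generic so it reveals nothing about the policy.
    ErrorDocument 429 "429 Too Many Requests - API rate limit exceeded. Please try again later."
</Location>

# Server or virtual-host context (not valid inside <Location>): tag error-log
# entries from this configuration so they can be filtered out later.
ErrorLogFormat "[%t] [%l] [api-auth] [client %a] %M"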