How to RateLimit the Users whenever each user reaches a threshold value of X number of hits

Ravi GH
2020-04-23
2020-04-30
  • Ravi GH

    Ravi GH - 2020-04-23

    I am a new user of mod_qos and my requirement/aim is as follows.

    When a user exceeds X number of hits to a URL endpoint, then any further requests will be denied with the HTTP 429 Too Many Requests response status code, indicating the user has sent too many requests in a given amount of time ("rate limiting") and must wait until the rate limit timeframe resets.

    My directives are as below:

    QS_RequestHeaderFilter on
    SetEnvIf Request_URI ^/dashboard LimitLogin_Dashboard=1
    SetEnvIf Request_URI ^/rest LimitLogin_REST=1
    # allow user to hit 3 times within 20 seconds
    QS_EventLimitCount LimitLogin_REST 3 20
    QS_EventLimitCount LimitLogin_Dashboard 3 20
    QS_ErrorResponseCode 429

    I am able to achieve the above requirement except one, that is each user is not rate limited individually; instead the LimitCount (for ex: LimitLogin_REST is for REST calls) is increased/incremented for each and every user's hit (in total).

    What I am looking for is:

    The limitCount must apply to each user
    User A = LimitCount needs to be set as 3
    User B = LimitCount needs to be set as 3
    User C = LimitCount needs to be set as 3

    However, as of now the LimitCount (ex: LimitLogin_REST) is set to 3 for the entire instance.

    How can I achieve a rate limit for each user?

    (Basically the limit must be applied at the user level, not at the instance level.)

    As I said, I am a beginner, hence seeking support/guidance.

    Thanks a lot in advance.

    • Pascal Buchbinder

      Client level directives, such as QS_ClientEventLimitCount, can be used to define client (IP address by default) based counters.

  • Ravi GH

    Ravi GH - 2020-04-27

    Below config is working for me when I use it with "User-Agent" (used for testing); however it's not working when I use it with the Response Header "X-AUSERNAME", which will contain the Authenticated User Name.

    # capture the whole client address (not only its first character)
    SetEnvIfPlus Remote_Addr (.*) realIP=$1
    SetEnvIfPlus X-AUSERNAME (.*) virtualIP=$1
    RequestHeaderPlus set X-Hash ${realIP}
    SetHashHeaderPlus X-Hash virtualIP
    SetEnvIfPlus virtualIP .* limitUser=1
    QS_ClientIpFromHeader X-Hash
    QS_EventLimitCount limitUser 1 10
    QS_ErrorResponseCode 429

    Please guide how I can pass the Authenticated User name to the variable virtualIP.

    Last edit: Ravi GH 2020-04-28
    • Pascal Buchbinder

      SetEnvIfPlus X-AUSERNAME (.*) virtualIP=$1
      SetHashHeaderPlus X-Hash virtualIP
      QS_ClientIpFromHeader X-Hash

      should work to use the value from the HTTP request header X-AUSERNAME to identify the client.

  • Ravi GH

    Ravi GH - 2020-04-29

    First, thanks a lot Pascal for your attention on this matter.

    The X-AUSERNAME is available after the user is Authenticated, hence it's available in the Response Header; for this reason I wanted to use

    # in the LocationMatch section
    ResponseSetEnvIfPlus X-AUSERNAME (.*) virtualIP=$1

    Question: In regard to the sequence of execution.

    If I use the above directive (ResponseSetEnvIfPlus) in the "Location Configuration", will it work in combination with the incoming / Request Rules set mentioned in my second comment (https://sourceforge.net/p/mod-qos/discussion/697421/thread/88e03d44f3/#0786)?

    What is the sequence of execution if I use the above directive? Will it first look for X-AUSERNAME and then execute the other directives?

    Question: Do you have commercial support on this module? Or is donation the only method :)

    Best Regards & Stay Safe,

    • Pascal Buchbinder

      The difficulty is that QS_ClientEventLimitCount already processes the incoming request and therefore needs to identify the client by an attribute sent by the client, e.g. its IP address, an Authorization header or certificate (the last two represented by a hash using SetHashHeaderPlus). A cookie could be an option as well.

      An attribute which is only available when sending the response is too late to identify the client - whatever has to be counted and avoided has already happened.

      Last edit: Pascal Buchbinder 2020-04-29
  • Ravi GH

    Ravi GH - 2020-04-30

    I tested the cookie method and it's working. Thanks.

    However, I am still trying to achieve my goal without using a cookie; instead I want to use X_PROXY_REMOTE_USER, which is available after SAML/Shibboleth Authentication (or SSL_CLIENT_S_DN_CN, which is available as the SSL cert user name).

    Basically our Apache uses Shibboleth to redirect to the SAML IdP and then uses the "REMOTE_USER" Apache ENV to grab the user id. But somehow mod_qos is unable to receive this ENV.

    # My Apache directive for SAML.
    <LocationMatch ^>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      require valid-user
      Options FollowSymLinks
      Options Indexes FollowSymlinks Includes ExecCGI
      RequestHeader set X_PROXY_REMOTE_USER %{REMOTE_USER}s

      # The lines below are what I am planning to test today.
      <IfModule mod_qos.c>
        SetEnvIf REMOTE_USER (.*) user-qstrack=$1
        QS_ClientEventLimitCount 5 60 user-qstrack
      </IfModule>
    </LocationMatch>

    Any suggestions on how I can use X_PROXY_REMOTE_USER / SSL_CLIENT_S_DN_CN and achieve the user rate limiting?

    Thanks & Regards,
    Ravi

    Last edit: Ravi GH 2020-05-05
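An added configuration example, not posted in the thread and not the mod_qos project's own documentation, that puts Pascal's point into one working block: the per-client counter is keyed on an attribute the request itself carries (source address, Authorization header, or a session cookie), hashed into a request header that QS_ClientIpFromHeader then treats as the client identity. It assumes mod_qos and mod_setenvifplus are loaded and is placed in server or virtual-host context; the paths and the 3-hits-per-20-seconds limit are Ravi's, while the cookie name SESSIONID is an assumed placeholder for the application's real session cookie.

```apache
# Added example (not from the thread). Server / virtual-host context.
# Requires mod_qos and mod_setenvifplus. SESSIONID is an assumed cookie name.

# 1. Build the per-client key from something the *request* carries.
#    Start with the real source address so unauthenticated clients are
#    still counted per IP instead of sharing one instance-wide counter.
SetEnvIfPlus Remote_Addr (.*) clientKey=$1
#    Override with a per-user attribute when present. Both of these are
#    sent by the client on every request, unlike a response header such
#    as X-AUSERNAME, which only exists after the request was processed.
SetEnvIfPlus Authorization (.*) clientKey=$1
SetEnvIfPlus Cookie SESSIONID=([^;]+) clientKey=$1

# 2. Publish a hash of that key as the X-Hash request header and make
#    mod_qos use it as the client identity for all QS_Client* counters.
#    clientKey is always set, so X-Hash is written by the server on every
#    request rather than taken from whatever the client sent.
SetHashHeaderPlus X-Hash clientKey
QS_ClientIpFromHeader X-Hash

# 3. Mark the requests that count as an event and limit them per client:
#    3 hits within 20 seconds on /rest or /dashboard, then HTTP 429
#    until the window expires.
SetEnvIfPlus Request_URI ^/(rest|dashboard) limitUser=1
QS_ClientEventLimitCount 3 20 limitUser
QS_ErrorResponseCode 429
```

Because the key falls back to Remote_Addr, a client that sends neither an Authorization header nor the session cookie is still limited per source address, which is the behaviour Ravi's first configuration lacked.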
