How to use rate limiting on HTTP(s) ports for Layer 7 protection

For the mitigation of HTTP floods (aka refresh floods) we provide customizable rate limiting controls. These limits can be set either globally or per HTTP zone. The default limits we provide enabled by default globally are generally lax and should be tightened if you are in need of stronger HTTP flood protection (e.g you are on a small VPS).

Request Rate Limits

Request limiting is based on the incoming IP addresses, we provide both a set average rate of request limit and a burstable limit. This can also be used along side the "Client IP" header which can be found in the HTTP options for inseparability with upstream proxies for Layer 7 flood protection.

Note: Zones are grouped based on their request rate, if you have two locations using the 2 requests per second zone they will be combined and you may need to use a 4 requests a second zone or allow for bursting.

Example

A setup for a simple forum with a shoutbox could be similar to the following.

Global Settings:
Rate Limit: 2r/s
Burstable Limit: 10r/s

# Static Resources
*.jpeg
Rate Limit: 8r/s
Burstable Limit: 25r/s
Cache: ON (Recommended, optional)

*.gif
Rate Limit: 8r/s
Burstable Limit: 25r/s
Cache: ON (Recommended, optional)

*.png
Rate Limit: 8r/s
Burstable Limit: 25r/s

*.css
Rate Limit: 8r/s
Burstable Limit: 15r/s
Cache: ON (Recommended, optional)

#Shoutbox
/forums/ajax_shoutbox.php
Rate Limit: 4r/s
Burstable Limit: 8r/s
Cache: OFF (Recommended, optional)

These values should be used as a guide only, your exact needs may vary. In this case all images (gif, jpeg, png) all share the same combined rate limiting.

Disable Rate Limiting

It is possible to disable rate limiting globally or for a specific HTTP Zone as needed. To do so just use the "Disabled (unlimited)" rate limiting zone.

Max Concurrent Connections

A limit is defined as to the maximum number of expected connections from a single (Layer 4) IP address. If exceeded then a specific access denied error will be shown.

Up to 256 layer 4 connections per IP are supported in Anycast configurations. The default of 32 is good enough for most conceivable applications. Defining a limit higher than 100 changes HTTP/2 session multiplexing parameters to control load as such values up to and including 100 are recommended.