🚀 Protect your web servers against abuse and ensure optimal performance with automated rate limiting configurations. This project generates and manages rate limit rules for multiple web server platforms, making it easy to implement robust protection against excessive requests.

• ⚙️ Multi-Web Server Support: Generates rate limiting configurations for Apache (ModSecurity), Nginx, Traefik, and HAProxy.
• ⏱️ Centralized Configuration: Uses a single config.yaml file to define global and path-specific rate limits, as well as IP whitelisting/blacklisting.
• 🔄 Automated Updates: GitHub Actions automatically fetch the latest configuration and generate new rules daily.
• 🛡️ Flexible Rate Limiting: Supports limiting by IP address, User-Agent, or custom headers.
• ✅ Easy Integration: Clear instructions and example configurations are provided to quickly integrate rate limiting into your servers.
• 🎛️ Granular Control: Configure rate limits at both global and path-specific levels for detailed control.

• 🔵 Nginx
• 🟠 Apache (ModSecurity)
• 🟣 Traefik
• 🔴 HAProxy

limits/
├── rate_limit_rules/       # 🔧 Generated rate limit config files
│   ├── nginx/              # Nginx rate limit configs
│   ├── apache/             # Apache rate limit configs (ModSecurity)
│   ├── traefik/            # Traefik rate limit configs
│   └── haproxy/            # HAProxy rate limit configs
├── import_apache_rate_limit.py
├── import_haproxy_rate_limit.py
├── import_nginx_rate_limit.py
├── import_traefik_rate_limit.py
├── ratelimit.py           # ⚙️ Main Script to load and validate rate limits config
├── ratelimit2nginx.py      # 🔄 Convert rate limit config to Nginx
├── ratelimit2apache.py     # 🔄 Convert rate limit config to Apache ModSecurity
├── ratelimit2traefik.py    # 🔄 Convert rate limit config to Traefik
├── ratelimit2haproxy.py   # 🔄 Convert rate limit config to HAProxy
├── config.yaml             # 📝 Configuration file to define rate limits
├── requirements.txt        # 📄 Required dependencies
├── CONTRIBUTING.md         # 🤝 Contribution guidelines
├── CHANGELOG.md            # 📋 Project changelog
└── .github/workflows/      # 🤖 GitHub Actions for automation
    └── update_limits.py

• The config.yaml file allows you to configure your desired rate limits, including global settings, path-specific settings, whitelists, blacklists and advanced options.

# config.yaml
 global:
   enabled: true
   requests_per_minute: 60
   burst: 20
   window: 1m
   limit_by: ip
   # limit_by_header: custom_header

 paths:
   /login:
     enabled: true
     requests_per_minute: 10
     burst: 5
     window: 1m
     limit_by: ip
   /api:
     enabled: true
     requests_per_minute: 120
     burst: 40
     window: 1m
     limit_by: ip
   '/search/(.*)':
     enabled: true
     requests_per_minute: 100
     burst: 20
     window: 1m
     limit_by: ip

 whitelist:
   enabled: false
   ips:
     - 192.168.1.10
     - 192.168.1.11/32
     - 2001:0db8::/32

 blacklist:
   enabled: false
   ips:
     - 192.168.1.20
     - 192.168.1.22/32

 advanced:
   log_level: info

• The ratelimit.py script loads and validates the configurations from config.yaml.
• ratelimit2nginx.py generates Nginx configuration
• ratelimit2apache.py generates Apache ModSecurity configuration
• ratelimit2traefik.py generates Traefik configuration
• ratelimit2haproxy.py generates HAProxy configuration

• GitHub Actions automatically generate rate limiting configurations daily.
• Modified configuration files are automatically committed and pushed to the repository.

Before you begin, ensure you have the following installed on your system:

• Python 3.7+: Required to run the rate limit generation scripts
• pip: Python package manager (usually comes with Python)
• Git: For cloning the repository
• A supported web server: At least one of the following:
  • Nginx
  • Apache with ModSecurity
  • Traefik
  • HAProxy

1. Clone the Repository:

   git clone https://github.com/fabriziosalmi/limits.git
   cd limits

2. Install Python Dependencies:

   pip install -r requirements.txt

3. Configure config.yaml:

   • Edit the config.yaml file to define your specific rate limiting requirements.
   • Configure global settings, path-specific rules, and whitelist/blacklist as needed.

1. Generate Configuration:

• The rate limit configuration files will be generated automatically by github actions.

2. Integrate configuration with your webserver

• Copy rate_limit_rules/nginx/nginx_rate_limit.conf to your server.
• Include the configuration in your nginx configuration file (nginx.conf)

 http {
    include /path/to/nginx_rate_limit.conf;
    ...
 }

• Copy rate_limit_rules/apache/apache_rate_limit.conf to your server.
• Include the configuration in your apache virtualhost configuration file or inside a .htaccess file.

<VirtualHost *:80>
  ...
   Include /path/to/apache_rate_limit.conf
 ...
</VirtualHost>

• Copy the content of rate_limit_rules/traefik/traefik_rate_limit.conf to your traefik configuration file (traefik.yml)

  # traefik.yml
  ...
  http:
    middlewares:
      # Insert content of traefik_rate_limit.conf here
    routers:
     # Add the rate limit middlewares to the routes
  
  ...

*   Copy `rate_limit_rules/haproxy/haproxy_rate_limit.conf` to your server.
*   Include the configuration in your HAProxy configuration file (`haproxy.cfg`)

  frontend http-in
      # Insert the content of haproxy_rate_limit.conf here
  ...

Before deploying to production, it's important to test your rate limit configuration:

For Nginx:

nginx -t

For Apache:

apachectl configtest

For HAProxy:

haproxy -c -f /etc/haproxy/haproxy.cfg

You can use tools like curl or ab (Apache Bench) to test rate limiting:

# Send multiple rapid requests to test rate limiting
for i in {1..100}; do curl -s http://localhost/api; done

# Use Apache Bench for load testing
ab -n 100 -c 10 http://localhost/api

Check your web server logs to verify that rate limiting is working:

Nginx:

tail -f /var/log/nginx/error.log

Apache:

tail -f /var/log/apache2/error.log

HAProxy:

tail -f /var/log/haproxy.log

• Daily Updates: GitHub Actions fetches new rate limit configurations daily at midnight UTC.
• Auto Deployment: Pushes new configuration files directly to rate_limit_rules/.
• Manual Trigger: Updates can also be triggered manually.

Issue: "Error: config file not found"

• Solution: Ensure config.yaml exists in the root directory of the project.

Issue: "Error parsing YAML"

• Solution: Check that your config.yaml file has valid YAML syntax. Use a YAML validator if needed.

Issue: Rate limits not working after configuration

• Solution:
  • Verify that the configuration file is correctly included in your web server's configuration.
  • Restart your web server after applying the configuration.
  • Check your web server's error logs for any configuration errors.

Issue: Generated configuration files are empty

• Solution: Run the generation scripts manually to check for errors:

  python ratelimit2nginx.py
  python ratelimit2apache.py
  python ratelimit2traefik.py
  python ratelimit2haproxy.py

Issue: Import scripts fail with "environment variable not set"

• Solution: Set the appropriate environment variable before running the import script:

  export NGINX_RATE_LIMIT_FILE=/path/to/nginx/conf.d/rate_limit.conf
  python import_nginx_rate_limit.py

We welcome contributions from the community! Here's how you can help:

1. Fork the Repository: Click the "Fork" button at the top right of the repository page.
2. Clone Your Fork:

   git clone https://github.com/YOUR_USERNAME/limits.git
   cd limits

3. Create a Feature Branch: Use a descriptive name for your branch.

   git checkout -b feature/your-feature-name

4. Make Your Changes: Implement your feature or bug fix.
5. Test Your Changes: Ensure the scripts run correctly:

   python ratelimit.py
   python ratelimit2nginx.py
   python ratelimit2apache.py
   python ratelimit2traefik.py
   python ratelimit2haproxy.py

6. Commit Your Changes: Write clear, concise commit messages.

   git add .
   git commit -m "feat: add new feature description"

7. Push to Your Fork:

   git push origin feature/your-feature-name

8. Open a Pull Request: Go to the original repository and click "New Pull Request".

• Follow the existing code style and conventions.
• Add comments to explain complex logic.
• Update documentation if you change functionality.
• Test your changes thoroughly before submitting.
• Keep pull requests focused on a single feature or fix.

For more detailed contribution guidelines, see CONTRIBUTING.md.

When implementing rate limiting, keep these security best practices in mind:

Rate limiting is one layer of defense. Implement additional security measures:

• Input validation and sanitization
• Authentication and authorization
• HTTPS/TLS encryption
• Web Application Firewall (WAF)
• Regular security updates

• Too restrictive: May block legitimate users
• Too lenient: May not prevent abuse effectively
• Monitor your traffic patterns and adjust accordingly

• Only whitelist IPs you fully trust (e.g., monitoring services, trusted partners)
• Regularly review and update your whitelist
• Use CIDR notation to specify IP ranges precisely

Apply stricter rate limits to sensitive endpoints:

• Login pages (/login, /auth)
• API endpoints (/api/*)
• Password reset (/reset-password)
• Search functionality (/search)

• Enable logging to track rate limit violations
• Set up alerts for unusual patterns
• Regularly review logs for potential attacks

If running multiple server instances:

• Use a shared storage for rate limit counters (Redis, Memcached)
• Ensure rate limits are synchronized across all instances
• Consider using a centralized rate limiting solution

This project is licensed under the MIT License. See the LICENSE file for details.

• Issues? Open a ticket in the Issues tab.

• Nginx Rate Limiting
• Apache mod_ratelimit
• Traefik Rate Limiting
• HAProxy Rate Limiting