
Edge Security Acceleration: Rate limiting rules

Last Updated: Sep 19, 2024

You can use the rate limiting feature to limit the rate of requests with the same characteristics. For example, if an IP address visits your website at a high frequency within a specific period of time, you can use the rate limiting feature to specify an upper limit, and enable slider CAPTCHA verification or add the IP address to the blacklist for a period of time after the upper limit is reached.

Configure a rate limiting rule

  1. Log on to the ESA console.

  2. In the left-side navigation pane, click Websites.

  3. On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.

  4. In the left-side navigation tree, choose Security > WAF > Rate Limiting Rules.

  5. On the Rate Limiting Rules tab, click Create Rule.

    • On the page that appears, specify Rule Name.

    • If requests match...: the characteristics of requests that you want to limit. All requests that hit the rule are counted. For more information, see WAF.

    • Apply to Cache: Rate limiting restricts the frequency of client requests that have the same characteristics, which reduces the load on your origin server. Requests that hit the cache are served directly from DCDN POPs and do not increase the load on your origin server. If you do not want rate limiting to apply to requests that hit the cache, clear this check box.

    • With the same characteristics...: If you select IP Source Address from the drop-down list, requests from the same client IP address are counted. When the request count reaches the upper limit, the action is executed.

    • When the rate exceeds...: the maximum number of requests allowed within the specified period of time.

    • Then execute...: the action that you want to perform when the number of requests exceeds the Rate that you specified. For more information, see WAF.

  6. Click OK.

Configuration example

The following figure shows a sample rate limiting rule. The rule specifies that if 20 requests with the hostname www.example.com or image.example.com come from the same client IP address within 10 seconds, the system performs slider CAPTCHA verification on requests of this type within 5 minutes. In this case, the system responds to requests only if the user passes the slider CAPTCHA verification. If the user does not pass the verification, the requests are blocked.

[Figure: sample rate limiting rule]
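The following added example (not ESA's own code) models the rule from this configuration example so that you can replay sample traffic against the thresholds before you deploy them. The sliding window, the choice to act when the count reaches the limit, and the names RateLimitRule, page_rule, and replay are assumptions; this page does not describe how ESA counts requests internally.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class RateLimitRule:
    hosts: frozenset             # "If requests match...": hostnames the rule covers
    limit: int                   # "When the rate exceeds...": request count
    window_s: float              # counting period, in seconds
    action_s: float              # how long the action stays in force, in seconds
    apply_to_cache: bool = True  # "Apply to Cache" check box
    _hits: dict = field(default_factory=lambda: defaultdict(deque))
    _challenged_until: dict = field(default_factory=dict)

    def evaluate(self, ts, client_ip, host, cache_hit=False):
        """Return 'captcha' or 'allow' for one request seen at time ts (seconds)."""
        if host not in self.hosts:
            return "allow"                       # request does not match the rule
        if cache_hit and not self.apply_to_cache:
            return "allow"                       # cache hits are exempt from the rule
        if ts < self._challenged_until.get(client_ip, 0.0):
            return "captcha"                     # action is still in force
        hits = self._hits[client_ip]             # "With the same characteristics": per IP
        hits.append(ts)
        while hits and hits[0] <= ts - self.window_s:  # forget hits older than the window
            hits.popleft()
        if len(hits) >= self.limit:              # assumption: act when the count reaches the limit
            self._challenged_until[client_ip] = ts + self.action_s
            hits.clear()
            return "captcha"
        return "allow"

def page_rule(apply_to_cache=True):
    """The rule from the configuration example: 20 requests / 10 s, CAPTCHA for 5 min."""
    return RateLimitRule(frozenset({"www.example.com", "image.example.com"}),
                         limit=20, window_s=10, action_s=300,
                         apply_to_cache=apply_to_cache)

def replay(rule, requests):
    """Feed (ts, client_ip, host[, cache_hit]) tuples through the rule in order."""
    return [rule.evaluate(*req) for req in requests]

# Constructed traffic (documentation address range): 25 requests, 0.4 s apart.
BURST = [(i * 0.4, "198.51.100.7", "www.example.com") for i in range(25)]
# Constructed traffic: a steady client at one request per second for a minute.
STEADY = [(float(i), "198.51.100.8", "image.example.com") for i in range(60)]

if __name__ == "__main__":
    for (ts, ip, host), verdict in zip(BURST, replay(page_rule(), BURST)):
        print(f"{ts:5.1f}s {ip} {host} -> {verdict}")
```

In this model the burst is challenged from its 20th request onward, while the steady client never has more than 10 requests inside any 10-second window and is never challenged.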