lighttpd2/doc/mod_limit.xml

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:lighttpd.net:lighttpd2/doc1">
	<short>limits concurrent connections or requests per second.</short>

	<description>
		Both limits can be "in total" or per IP.
	</description>


	<action name="limit.con">
		<short>limits the total amount of concurrent connections to the specified limit.</short>
		<parameter name="limit">
			<short>the maximum number of concurrent connections</short>
		</parameter>
		<parameter name="action">
			<short>(optional) an action to be executed when the limit is reached</short>
		</parameter>
		<description>
			If no action is defined a 503 error page will be returned. If it is specified there is no other special handling apart from running the specified action when the limit is reached.
		</description>
		<example>
			<config>
				limit.con 10;
			</config>
		</example>
	</action>

	<action name="limit.con_ip">
		<short>limits the total amount of concurrent connections per IP to the specified limit.</short>
		<parameter name="limit">
			<short>the maximum number of concurrent connections per IP</short>
		</parameter>
		<parameter name="action">
			<short>(optional) an action to be executed when the limit is reached</short>
		</parameter>
		<description>
			If no action is defined a 503 error page will be returned. If it is specified there is no other special handling apart from running the specified action when the limit is reached.
		</description>
		<example>
			<config>
				limit.con_ip 2;
			</config>
		</example>
	</action>

	<action name="limit.req">
		<short>limits the amount of requests per second to the specified limit.</short>
		<parameter name="limit">
			<short>the maximum number of requests per second</short>
		</parameter>
		<parameter name="action">
			<short>(optional) an action to be executed when the limit is reached</short>
		</parameter>
		<description>
			If no action is defined a 503 error page will be returned. If it is specified there is no other special handling apart from running the specified action when the limit is reached.
		</description>
		<example>
			<config>
				limit.req 100;
			</config>
		</example>
	</action>

	<action name="limit.req_ip">
		<short>limits the amount of requests per second per IP to the specified limit.</short>
		<parameter name="limit">
			<short>the maximum number of requests per second per IP</short>
		</parameter>
		<parameter name="action">
			<short>(optional) an action to be executed when the limit is reached</short>
		</parameter>
		<description>
			If no action is defined a 503 error page will be returned. If it is specified there is no other special handling apart from running the specified action when the limit is reached.
		</description>
		<example>
			<config>
				limit.req_ip 100;
			</config>
		</example>
	</action>

	<example title="Limiting concurrent connections" anchor="#">
		<description>
			This config snippet will allow only 10 active downloads overall and 1 per IP. If the limit is exceeded, either because more than 10 people try to access this resource or one person tries a second time while having one download running already, they will be redirected to /connection_limit_reached.html.
		</description>
		<config>
			setup {
				module_load ("mod_limit","mod_redirect");
			}

			limit_reached = {
				redirect "/connection_limit_reached.html";
			};

			if req.path =^ "/downloads/" {
				limit.con 10 => limit_reached;
				limit.con_ip 1 => limit_reached;
			}
		</config>
	</example>

	<example title="Limiting requests per second" anchor="#">
		<description>
			This config snippet will write a message to the log containing the clien IP address if the /login page is hit more than once in a second.
			It will however also not do anything else. The client will be able to use the /login page as often as he wants.
		</description>
		<config>
			setup {
				module_load "mod_limit";
			}

			if req.path == "/login" {
				limit.req_ip 1 => { log.write "Possible bruteforce from %{req.remoteip}"; };
			}
		</config>
	</example>
</module>