User Guide


ratelimit limits the request processing rate per client IP address. Excess requests are terminated with error 429 (Too Many Requests), and an X-RateLimit-RetryAfter header is returned.

For single resource:
ratelimit methods path rate burst unit

methods is the list of request methods to match (comma-separated); path is the file or directory to apply the rate limit to; rate is the number of requests allowed per time unit (r/s, r/m, r/h, r/d, r/w), e.g. 1; burst is the maximum burst size a client is allowed, with burst >= rate (e.g. 2); unit is the time interval (currently supported: second, minute, hour, day, week).

For multiple resources:
ratelimit methods rate burst unit {
    whitelist CIDR
    resources
}

whitelist is the keyword for whitelisting your trusted IPs; CIDR is the IP range that should not be rate limited. whitelist is a general rule and does not target a specific resource. resources is a list of files/directories to apply the rate limit to, one per line.

Note: To exclude a particular resource from rate limiting, add ^ in front of its path.

Limit clients to 2 requests per second (bursts of 3) for any method and any resource under /r:
ratelimit * /r 2 3 second
Don't perform rate limit if requests come from or ~, for the listed paths, limit clients to 2 requests per minute (bursts of 2) if the request method is GET or POST and always ignore /dist/app.js:
ratelimit 2 2 minute { whitelist whitelist /foo.html /api ^/dist/app.js }
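
The rate, burst, whitelist and ^ semantics described above, modelled as an added Go example (not the plugin's own code), useful for reasoning about what a given rule lets through before deploying it. The bucket algorithm, prefix matching, exemption precedence, the Limiter type and the sample addresses are assumptions made for illustration; the returned wait is the kind of value a retry-after header would carry.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"strings"
	"time"
)

type bucket struct{ used float64; last time.Time } // fill level and time of last allowed request

// Limiter models one ratelimit block (constructed type, not the plugin's; not goroutine-safe).
type Limiter struct {
	Rate, Burst float64 // Rate requests per Unit, at most Burst at once
	Unit        time.Duration
	Whitelist   []*net.IPNet      // whitelist CIDR entries: never limited
	Paths       []string          // resources; a leading ^ exempts that path
	buckets     map[string]bucket // one bucket per client IP
}

// Check returns the status for one request and, on 429, the wait before retrying.
func (l *Limiter) Check(ip net.IP, path string, now time.Time) (int, time.Duration) {
	limited := false
	for _, p := range l.Paths {
		if strings.HasPrefix(p, "^") && strings.HasPrefix(path, p[1:]) {
			return 200, 0 // assumption: an exemption wins over any listed path
		}
		limited = limited || strings.HasPrefix(path, p)
	}
	for _, n := range l.Whitelist {
		limited = limited && !n.Contains(ip)
	}
	if !limited {
		return 200, 0
	}
	key, perSec := ip.String(), l.Rate/l.Unit.Seconds()
	b := l.buckets[key] // zero value is an empty bucket
	level := math.Max(0, b.used-now.Sub(b.last).Seconds()*perSec) // drained since last request
	if level+1 > l.Burst {
		return 429, time.Duration((level + 1 - l.Burst) / perSec * float64(time.Second))
	}
	l.buckets[key] = bucket{level + 1, now}
	return 200, 0
}

func main() {
	l := &Limiter{Rate: 2, Burst: 3, Unit: time.Second, Paths: []string{"/r"}, buckets: map[string]bucket{}}
	fmt.Println(l.Check(net.ParseIP("203.0.113.9"), "/r/a", time.Now()))
}
```

A request that is denied does not change the bucket, so a client that keeps retrying while limited neither extends nor shortens its own wait in this model.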

Plugin Author: jsxqf
Last Updated: 11 Jun 2018, 4:14 PM
This plugin is independent of the Caddy project and is not endorsed or maintained by Caddy developers. Use at your own risk. Do not file issues for this plugin on Caddy's bug tracker.