<h1>Working with HTTP rate limiting</h1>
<p>Source: <a href="https://kb.okra.host/article/working-with-http-rate-limiting/">kb.okra.host</a>, published 2017-09-12, last modified 2021-04-06.</p>
<h2 id="overview">Overview</h2>
<p>All HTTP servers enforce a set of HTTP rate limits to reduce abuse and maintain high reliability. This system is built on a fork of <a href="https://github.com/apisnetworks/mod_evasive">mod_evasive</a>, which implements an interval-based bean counter: once the first request from a client is received, it begins counting that client's URI requests for a fixed duration.</p>
<p>There are two classes of URI requests, <strong>pages in total</strong> and <strong>same page</strong> requests. Exceeding either threshold results in an automatic 10 minute ban. Repeating the process three times in 24 hours results in an automatic 7 day ban on the HTTP ports, 80 (HTTP) and 443 (HTTPS).</p>
<p>Blocked clients are returned a 403 status code (<em>Forbidden</em>).</p>
<h2 id="pages-in-total">Pages in total</h2>
<p>Pages in total (PIT) counts all URL requests from an IP address within the window given under Blocking criteria below. If an IP address exceeds that number of requests within the window, it is blocked automatically. If a page is image heavy, as verified with <a href="https://webpagetest.org">webpagetest.org</a>, consider consolidating images into <a href="https://css-tricks.com/css-sprites/">sprites</a> or <a href="https://stackoverflow.com/questions/1574961/how-much-faster-is-it-to-use-inline-base64-images-for-a-web-site-than-just-linki">inlining small assets</a> to avoid the extra HTTP requests.</p>
<h2 id="same-page">Same page</h2>
<p>Same page requests are more stringent and apply to repeated requests for the same URI. This is designed to filter out brute-force attacks. If you poll a page repeatedly, such as autocomplete driven by a <a href="https://developer.mozilla.org/en-US/docs/Web/Events/keydown">keydown event</a>, add a collection threshold via <a href="https://www.w3schools.com/jsref/met_win_settimeout.asp">setTimeout</a> so that the page is polled only after the typist has paused momentarily to collect their thoughts. For instance, a simple <a href="https://jquery.com">jQuery</a> implementation:</p>
<pre data-language="javascript"><code>var timer;
$("#input").on('keydown', function() {
    // Reset the pending timer on every keystroke so the request
    // fires only after the typist has paused for 250 ms.
    clearTimeout(timer);
    timer = setTimeout(function() {
        // cancel other async events
        // do autocomplete AJAX callback
    }, 250 /* 250 milliseconds */);
});</code></pre>
<p>This assumes that the person types at least 4 characters per second. Words per minute is standardized to <a href="https://en.wikipedia.org/wiki/Words_per_minute">5 characters</a> per word, so this works out to 48 WPM. You can evaluate for yourself what <a href="https://www.keyhero.com/free-typing-test/">48 WPM</a> is. Without a delay (via setTimeout), one would need to type at 96 WPM with an autocomplete AJAX callback on every keystroke to reach the same-page block. Feasible, but unlikely.</p>
<h2 id="blocking-criteria">Blocking criteria</h2>
<p>The following thresholds are in place to distinguish bots from humans.</p>
<p><strong>Same page</strong>: 4 pages in 1 second<br />
<strong>Pages in total</strong>: 150 pages in 3 seconds</p>
<p>Three blocks in 24 hours results in a seven day ban. Once a ban is in place, the only way forward is to open a ticket to have the ban removed.</p>