sftpgo-mirror/docs/rate-limiting.md

# Rate limiting

Rate limiting allows to control the number of requests going to the SFTPGo services.

SFTPGo implements a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) initially full and refilled at the configured rate. The `burst` configuration parameter defines the size of the bucket. The rate is defined by dividing `average` by `period`, so for a rate below 1 req/s, one needs to define a period larger than a second.

Requests that exceed the configured limit will be delayed or denied if they exceed the maximum delay time.

SFTPGo allows to define per-protocol rate limiters so you can have different configurations for different protocols.

The supported protocols are:

- `SSH`, includes SFTP and SSH commands
- `FTP`, includes FTP, FTPES, FTPS
- `DAV`, WebDAV
- `HTTP`, REST API and web admin

You can also define two types of rate limiters:

- global, it is independent from the source host and therefore define an aggregate limit for the configured protocol/s
- per-host, this type of rate limiter can be connected to the built-in [defender](./defender.md) and generate `score_limit_exceeded` events and thus hosts that repeatedly exceed the configured limit can be automatically blocked

If you configure a per-host rate limiter, SFTPGo will keep a rate limiter in memory for each host that connects to the service, you can limit the memory usage using the `entries_soft_limit` and `entries_hard_limit` configuration keys.

You can exclude a list of IP addresses and IP ranges from rate limiters by adding them to rate limites allow list using the WebAdmin UI or the REST API. In multi-nodes setups, the list entries propagation between nodes may take some minutes.

You can defines how many rate limiters as you want, but keep in mind that if you defines multiple rate limiters each request will be checked against all the configured limiters and so it can potentially be delayed multiple times. Let's clarify with an example, here is a configuration that defines a global rate limiter and a per-host rate limiter for the FTP protocol:

```json
"rate_limiters": [
    {
      "average": 100,
      "period": 1000,
      "burst": 1,
      "type": 1,
      "protocols": [
        "SSH",
        "FTP",
        "DAV",
        "HTTP"
      ],
      "generate_defender_events": false,
      "entries_soft_limit": 100,
      "entries_hard_limit": 150
    },
    {
      "average": 10,
      "period": 1000,
      "burst": 1,
      "type": 2,
      "protocols": [
        "FTP"
      ],
      "allow_list": [],
      "generate_defender_events": true,
      "entries_soft_limit": 100,
      "entries_hard_limit": 150
    }
]
```

we have a global rate limiter that limit the aggregate rate for the all the services to 100 req/s and an additional rate limiter that limits the `FTP` protocol to 10 req/s per host.
With this configuration, when a client connects via FTP it will be limited first by the global rate limiter and then by the per host rate limiter.
Clients connecting via SFTP/WebDAV will be checked only against the global rate limiter.
add rate limiting support 2021-04-18 10:31:06 +00:00			`# Rate limiting`

add rate limiting support for REST API/web admin too 2021-04-19 06:14:04 +00:00			`Rate limiting allows to control the number of requests going to the SFTPGo services.`
add rate limiting support 2021-04-18 10:31:06 +00:00
			SFTPGo implements a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) initially full and refilled at the configured rate. The `burst` configuration parameter defines the size of the bucket. The rate is defined by dividing `average` by `period`, so for a rate below 1 req/s, one needs to define a period larger than a second.

			`Requests that exceed the configured limit will be delayed or denied if they exceed the maximum delay time.`

			`SFTPGo allows to define per-protocol rate limiters so you can have different configurations for different protocols.`

add rate limiting support for REST API/web admin too 2021-04-19 06:14:04 +00:00			`The supported protocols are:`

			- `SSH`, includes SFTP and SSH commands
			- `FTP`, includes FTP, FTPES, FTPS
			- `DAV`, WebDAV
			- `HTTP`, REST API and web admin

add rate limiting support 2021-04-18 10:31:06 +00:00			`You can also define two types of rate limiters:`

add rate limiting support for REST API/web admin too 2021-04-19 06:14:04 +00:00			`- global, it is independent from the source host and therefore define an aggregate limit for the configured protocol/s`
allow to limit the number of per-host connections 2021-05-08 17:45:21 +00:00			- per-host, this type of rate limiter can be connected to the built-in [defender](./defender.md) and generate `score_limit_exceeded` events and thus hosts that repeatedly exceed the configured limit can be automatically blocked
add rate limiting support 2021-04-18 10:31:06 +00:00
			If you configure a per-host rate limiter, SFTPGo will keep a rate limiter in memory for each host that connects to the service, you can limit the memory usage using the `entries_soft_limit` and `entries_hard_limit` configuration keys.

move IP/Network lists to the data provider this is a backward incompatible change, all previous file based IP/network lists will not work anymore Signed-off-by: Nicola Murino <nicola.murino@gmail.com> 2023-02-09 08:33:33 +00:00			`You can exclude a list of IP addresses and IP ranges from rate limiters by adding them to rate limites allow list using the WebAdmin UI or the REST API. In multi-nodes setups, the list entries propagation between nodes may take some minutes.`
rate limiting: allow to exclude IP addresses/ranges Fixes #563 2021-10-03 18:50:05 +00:00
add rate limiting support 2021-04-18 10:31:06 +00:00			`You can defines how many rate limiters as you want, but keep in mind that if you defines multiple rate limiters each request will be checked against all the configured limiters and so it can potentially be delayed multiple times. Let's clarify with an example, here is a configuration that defines a global rate limiter and a per-host rate limiter for the FTP protocol:`

			```json
			`"rate_limiters": [`
			`{`
			`"average": 100,`
			`"period": 1000,`
			`"burst": 1,`
			`"type": 1,`
			`"protocols": [`
			`"SSH",`
			`"FTP",`
add rate limiting support for REST API/web admin too 2021-04-19 06:14:04 +00:00			`"DAV",`
			`"HTTP"`
add rate limiting support 2021-04-18 10:31:06 +00:00			`],`
			`"generate_defender_events": false,`
			`"entries_soft_limit": 100,`
			`"entries_hard_limit": 150`
			`},`
			`{`
			`"average": 10,`
			`"period": 1000,`
			`"burst": 1,`
			`"type": 2,`
			`"protocols": [`
			`"FTP"`
			`],`
web UI/REST API: add password reset In order to reset the password from the admin/client user interface, an SMTP configuration must be added and the user/admin must have an email address. You can prohibit the reset functionality on a per-user basis by using a specific restriction. Fixes #597 2021-11-13 12:25:43 +00:00			`"allow_list": [],`
add rate limiting support 2021-04-18 10:31:06 +00:00			`"generate_defender_events": true,`
			`"entries_soft_limit": 100,`
			`"entries_hard_limit": 150`
			`}`
			`]`
			```

add rate limiting support for REST API/web admin too 2021-04-19 06:14:04 +00:00			we have a global rate limiter that limit the aggregate rate for the all the services to 100 req/s and an additional rate limiter that limits the `FTP` protocol to 10 req/s per host.
add rate limiting support 2021-04-18 10:31:06 +00:00			`With this configuration, when a client connects via FTP it will be limited first by the global rate limiter and then by the per host rate limiter.`
			`Clients connecting via SFTP/WebDAV will be checked only against the global rate limiter.`