LosRateLimit is a php middleware to implement a rate limit.
First, the middleware will look for an X-Api-Key header to use as key. If not found, it will fallback to the remote IP.
Each one, has it's own limits (see configuration bellow).
Attention! This middleware does not validate the Api Key, you must add a middleware before this one to validate it.
- PHP >= 5.5
- Psr\HttpMessage
This middleware uses one of the pre-implemented storages:
- Apc (default)
- Array
- Aura Session
- File
- Zend Session
But you can implement your own, like a DB storage. Just implement the StorageInterface.
php composer.phar require los/los-rate-limit
'los_rate_limit' => [
'max_requests' => 100,
'reset_time' => 3600,
'ip_max_requests' => 100,
'ip_reset_time' => 3600,
'api_header' => 'X-Api-Key',
'trust_forwarded' => false,
]
max_requests
How many requests are allowed before the reset time (using API Key)reset_time
After how many seconds the counter will be reset (using API Key)ip_max_requests
How many requests are allowed before the reset time (using remote IP Key)ip_reset_time
After how many seconds the counter will be reset (using remote IP Key)api_header
Header name to get the api key from.trust_forwarded
If the X-Forwarded (and similar) headers and be trusted. If not, only $_SERVER['REMOTE_ADDR'] will be used.
The values above indicate that the user can trigger 100 requests per hour.
If you want to disable ip access (e.g. allowing just access via X-Api-Key), just set ip_max_requests to 0 (zero).
Just add the middleware as one of the first in your application.
Add a new entry in the pre_routing key:
'middleware_pipeline' => [
'pre_routing' => [
[ 'middleware' => LosMiddleware\RateLimit\RateLimit::class ],
...
],
'post_routing' => [
...
],
],