Server Endpoint Rate Limits

docs/content/configuration/miscellaneous/server-endpoint-rate-limits.md


Authelia imposes default rate limits on specific endpoints, which can prevent faulty clients or bad actors from consuming too many resources or from using brute force to potentially compromise security. This should not be confused with Regulation, which is used to silently ban users from the username / password form.

Configuration

{{< config-alert-example >}}

```yaml
server:
  endpoints:
    rate_limits:
      reset_password_start:
        enable: true
        buckets:
          - period: '10 minutes'
            requests: 5
          - period: '15 minutes'
            requests: 10
          - period: '30 minutes'
            requests: 15
      reset_password_finish:
        enable: true
        buckets:
          - period: '1 minute'
            requests: 10
          - period: '2 minutes'
            requests: 15
      second_factor_totp:
        enable: true
        buckets:
          - period: '1 minute'
            requests: 30
          - period: '2 minutes'
            requests: 40
          - period: '10 minutes'
            requests: 50
      second_factor_duo:
        enable: true
        buckets:
          - period: '1 minute'
            requests: 10
          - period: '2 minutes'
            requests: 15
      session_elevation_start:
        enable: true
        buckets:
          - period: '5 minutes'
            requests: 3
          - period: '10 minutes'
            requests: 5
          - period: '1 hour'
            requests: 15
      session_elevation_finish:
        enable: true
        buckets:
          - period: '10 minutes'
            requests: 3
          - period: '20 minutes'
            requests: 5
          - period: '1 hour'
            requests: 15
```

Common Options

enable

{{< confkey type="boolean" default="true" required="no" >}}

Enables the given rate limit configuration. These are enabled by default.

buckets

{{< confkey type="list(object)" required="no" >}}

The list of individual buckets to consider for each request.

period

{{< confkey type="string,integer" syntax="duration" required="situational" >}}

Configures the period of time the token bucket applies to.

Required if the buckets have a configuration and enable is true.

requests

{{< confkey type="integer" required="situational" >}}

Configures the number of requests the token bucket permits within its period.

Required if the buckets have a configuration and enable is true.
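As an added illustration (not Authelia's own code, which this page does not show), the following Python model replays requests against the second_factor_totp buckets from the example configuration above. It assumes each bucket is a token bucket holding `requests` tokens refilled at `requests / period`, that a request is permitted only when every bucket has a token, and that a rejected request consumes none; the precise semantics of Authelia's limiter are not specified on this page.

```python
from dataclasses import dataclass, field
from fractions import Fraction
# Seconds per unit for the "<n> <unit>" duration form used on this page.
UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60, "hour": 3600, "hours": 3600}

def parse_duration(text):
    value, unit = text.split()
    return int(value) * UNITS[unit]

@dataclass
class Bucket:
    """Assumed model: up to `requests` tokens, refilled at requests/period per second."""
    period: int  # seconds
    requests: int
    tokens: Fraction = field(init=False)
    last: int = 0

    def __post_init__(self):
        self.tokens = Fraction(self.requests)  # buckets start full

    def refill(self, now):
        earned = Fraction((now - self.last) * self.requests, self.period)
        self.tokens = min(Fraction(self.requests), self.tokens + earned)
        self.last = now

class EndpointLimiter:
    """All buckets of one endpoint; a request needs a token from every bucket."""
    def __init__(self, config):
        self.enabled = config.get("enable", True)
        self.buckets = [Bucket(parse_duration(b["period"]), b["requests"])
                        for b in config.get("buckets", [])]

    def allow(self, now):
        if not self.enabled:
            return True
        for b in self.buckets:
            b.refill(now)
        if any(b.tokens < 1 for b in self.buckets):
            return False  # a rejected request consumes no tokens
        for b in self.buckets:
            b.tokens -= 1
        return True

def simulate(config, times):
    """Replay request timestamps (seconds) and report which are permitted."""
    limiter = EndpointLimiter(config)
    return [limiter.allow(t) for t in times]

# The second_factor_totp block from the page's example configuration.
SECOND_FACTOR_TOTP = {"enable": True, "buckets": [{"period": "1 minute", "requests": 30},
    {"period": "2 minutes", "requests": 40}, {"period": "10 minutes", "requests": 50}]}
```

Replaying 31 code submissions at t=0 and 26 more at t=60 shows the 1-minute bucket rejecting the 31st, then the 10-minute bucket (refilled to only 25 tokens) rejecting the 26th of the second burst, so the longest bucket binds once the short ones have recovered.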

Options

reset_password_start

Configures the rate limiter which applies to the endpoint that initializes the reset password flow.

See Common Options for the individual options for this section.

reset_password_finish

Configures the rate limiter which applies to endpoints which consume tokens for the reset password flow.

See Common Options for the individual options for this section.

second_factor_totp

Configures the rate limiter which applies to the TOTP endpoint code submissions for the second factor flow.

See Common Options for the individual options for this section.

second_factor_duo

Configures the rate limiter which applies to the Duo / Mobile Push endpoint that initiates the application authorization step of the second factor flow.

See Common Options for the individual options for this section.

session_elevation_start

Configures the rate limiter which applies to the Elevated Session endpoint which initializes the code generation and notification for the elevated session flow.

See Common Options for the individual options for this section.

session_elevation_finish

Configures the rate limiter which applies to the Elevated Session endpoint which consumes the code for the elevated session flow.

See Common Options for the individual options for this section.