Rate Limiting
PosternProxy can cap the number of requests a single IP address can make to a proxy host within a sliding time window. Rate limiting is configured on the Security tab.
How it works
Rate limiting is implemented via the caddy-ratelimit Caddy plugin, which is included in the PosternProxy Caddy build.
When a client exceeds the limit, Caddy returns a 429 Too Many Requests response. The limit resets on a sliding window basis — it is not a hard per-minute bucket.
Configuration
Enable the Rate Limit toggle on the Security tab, then set:
| Field | Description |
|---|---|
| Requests | Maximum number of requests allowed per window |
| Window | Duration of the sliding window (e.g. 60s, 1m, 5m) |
The rate limit is keyed per client IP address. Shared NAT addresses will share the same bucket.
Example
To allow a maximum of 100 requests per minute per IP:
- Requests: 100
- Window: 60s
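To see what these settings mean in practice, the following added Python model (not PosternProxy or caddy-ratelimit code) replays constructed traffic against a sliding window of 100 requests per 60s, next to a hard per-minute bucket for contrast, and shows two users behind one NAT address sharing a bucket. The class names, IP addresses and timestamps are assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Illustrative model only; this is not how caddy-ratelimit is implemented.

class SlidingWindow:
    """At most `events` requests per key in any `window`-second span."""
    def __init__(self, events, window):
        self.events, self.window = events, window
        self.hits = defaultdict(deque)  # in-memory state, gone on restart

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # expire hits that slid out
            q.popleft()
        if len(q) >= self.events:
            return False  # the proxy would answer 429 here
        q.append(now)
        return True

class FixedBucket:
    """Hard per-window counter that resets at each window boundary."""
    def __init__(self, events, window):
        self.events, self.window = events, window
        self.counts = defaultdict(int)

    def allow(self, key, now):
        slot = (key, int(now // self.window))
        if self.counts[slot] >= self.events:
            return False
        self.counts[slot] += 1
        return True

def count_429(limiter, requests):
    """Replay (timestamp_seconds, client_ip) pairs; return how many get 429."""
    return sum(0 if limiter.allow(ip, t) else 1 for t, ip in requests)

# Constructed traffic: 100 requests just before the minute boundary and
# 100 more just after it, all from one documentation-range IP.
BURST = [(59.0 + i / 1000, "198.51.100.10") for i in range(100)] + \
        [(60.0 + i / 1000, "198.51.100.10") for i in range(100)]

# Constructed traffic: two users behind one NAT address, 60 requests each,
# interleaved over 30 seconds. The limiter only sees the shared public IP.
NAT = [(i * 0.25, "203.0.113.7") for i in range(120)]

if __name__ == "__main__":
    print("fixed bucket, boundary burst:", count_429(FixedBucket(100, 60), BURST))
    print("sliding window, boundary burst:", count_429(SlidingWindow(100, 60), BURST))
    print("sliding window, shared NAT:", count_429(SlidingWindow(100, 60), NAT))
```

The hard bucket lets all 200 boundary requests through, while the sliding window rejects the second hundred; behind the shared NAT address, 20 of the 120 requests are rejected even though neither user exceeded 100 alone.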
Notes
- Rate limiting applies to all requests to the proxy host, including static assets. Consider setting a high limit for asset-heavy applications.
- The management UI (/api endpoints) has its own separate built-in rate limits (120 req/min per IP on authenticated routes, 5 login attempts/min per IP) that are not configurable here.
- To completely block certain IP ranges rather than rate-limit them, use an access list instead.
- Rate limiting state is in-memory and does not persist across Caddy restarts.