====== Rate Limiting ======

===== General =====

Rate limiting can be used to limit the number of requests allowed, e.g. within a given time window.

Beginning with version 10.0, VuFind® has integrated support for rate limiting of requests. The system allows one to provide generic rate limits per IP address or user (for logged-in users), and there's a lot of flexibility in defining separate rates for different actions, IP ranges, bots etc.

Rate limiting is configured via [[https://github.com/vufind-org/vufind/blob/dev/config/vufind/RateLimiter.yaml|RateLimiter.yaml]], and it's disabled by default. It can be configured to enforce limits or just log them for setup validation. There's also a policy-specific toggle to allow testing a new policy without it taking effect immediately. RateLimiter.yaml contains comments explaining the different configuration options.

Note that VuFind's rate limiter does not govern requests that are handled by Apache without going through PHP. Typically these are requests for CSS files, images, fonts etc.

===== Storage =====

Rate limiting needs storage for its state information. Typically this would be a Memcached or Redis instance, so either one is required for proper setup. While the code allows one to use VuFind's file-based cache as well, it's only for testing purposes and is not supported for normal operation.

===== Policies =====

The rate limiter uses the Symfony Rate Limiter under the hood. Symfony's [[https://symfony.com/doc/current/rate_limiter.html|documentation]] provides an introduction to the available policies and describes the options for their configuration. Only the policy-specific part of the configuration applies to VuFind. Other bits are specific to the Symfony framework.

The examples in the default RateLimiter.yaml are just that, and you will need to figure out suitable rates for different functions. You could consider e.g. a catch-all policy to provide a generic rate limit while adding stricter limits for some functions such as search, login or API access.
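
The layering described above (a strict policy for search, a catch-all for everything else, and a policy that only logs) can be tried out before writing real rates with the following model. It is an added example, not VuFind's code or its RateLimiter.yaml schema: the class and field names, the fixed-window counting and the first-match-wins ordering are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    limit: int            # requests allowed per window
    interval: int         # window length in seconds
    routes: tuple = ()    # routes covered; empty tuple = catch-all
    enforce: bool = True  # False = report only: log, never block

    def matches(self, route):
        return not self.routes or route in self.routes

def client_key(ip, user=None):
    """Logged-in users are counted per account, everyone else per IP."""
    return f"user:{user}" if user else f"ip:{ip}"

class RateLimiter:
    """Fixed-window limiter; state is kept per (policy, client)."""
    def __init__(self, policies):
        self.policies = policies  # ordered; first matching policy wins (assumption)
        self.windows = {}         # (policy name, client) -> (window start, count)
        self.log = []             # every over-limit request, blocked or not

    def check(self, client, route, now):
        policy = next((p for p in self.policies if p.matches(route)), None)
        if policy is None:
            return True
        key = (policy.name, client)
        start, count = self.windows.get(key, (now, 0))
        if now - start >= policy.interval:   # window expired, start a new one
            start, count = now, 0
        count += 1
        self.windows[key] = (start, count)
        if count <= policy.limit:
            return True
        self.log.append((now, policy.name, client, route))
        return not policy.enforce            # report-only policies still allow

if __name__ == "__main__":
    # Constructed sample: strict search policy first, report-only catch-all last.
    rl = RateLimiter([Policy("search", 3, 60, routes=("search",)),
                      Policy("catch_all", 5, 60, enforce=False)])
    ip = client_key("203.0.113.7")
    print([rl.check(ip, "search", t) for t in range(5)])
    print([rl.check(ip, "record", t) for t in range(7)], rl.log)
```

Reviewing the log of a report-only policy against real traffic shows which clients a proposed limit would have blocked before it is switched to enforcing.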