A simple mod security config for IP Rate limiting Apache server behind a load balancer.

modsec-ratelimit.conf

# assumes libapache2-modsecurity is installed

# Reference Mannual - https://github.com/SpiderLabs/ModSecurity/wiki

SecRuleEngine On

<LocationMatch "^/.*">
  # initialise the state based on X-Forwarded-For ip address
  SecRule REQUEST_HEADERS:X-Forwarded-For "@unconditionalMatch" "phase:2,initcol:ip=%{MATCHED_VAR},pass,nolog,id:100"

  # if greater then burst_rate_limit then pause set RATELIMITED var and then return 503
  SecRule IP:ACCESS_COUNT "@gt {{ burst_rate_limit }}" "phase:2,pause:300,deny,status:503,setenv:RATELIMITED,skip:1,nolog,id:102"

  # if above rule doesnt match increment the count
  SecAction "phase:2,setvar:ip.access_count=+1,pass,nolog,id:103"

  # set the base rate to one per second
  SecAction "phase:5,deprecatevar:ip.access_count=1/1,pass,nolog,id:104"

  # set a header when ratelimited
  Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

ErrorDocument 503 "Service Unavailable"

Hey, just wanted to let you know that I tried similar things and this does not look correct at first glance. You are using "pause" and "deny" in the same Rule. AFAIK you can't use multiple disruptive actions in the same rule. (see for example owasp-modsecurity/ModSecurity#445)

@jmroth I just implemented this kind of rule and having deny and pause:300 in the same rule actually does appear to work just fine, I'm seeing 401s in the log and when I tested this earlier the delay was actually kicking in too.

Rule isn't working due to error ModSecurity: Could not set variable "ip.access_count" as the collection does not exist.