Request Rate Limiting
Mango is capable of limiting the number of requests per period of time to protect against Denial of Service style attacks. The following settings are available via the env.properties file. The limiting algorithm works by allowing an initial burst of requests and then limits to a number of requests in the configured period of time. So for example a burstQuantity of 10 and quantity of 2 for 1 Second will limit the specific requester to 10 requests in the first second and 2 per second for every second thereafter.
REST API Limits
REST API limiting is enabled by default for anonymous users.
rateLimit.rest.anonymous.enabled=true
rateLimit.rest.anonymous.burstQuantity=10
rateLimit.rest.anonymous.quanitity=2
rateLimit.rest.anonymous.period=1
rateLimit.rest.anonymous.periodUnit=SECONDS
REST API limiting is disabled by default for authenticated users.
rateLimit.rest.user.enabled=false
rateLimit.rest.user.burstQuantity=20
rateLimit.rest.user.quanitity=10
rateLimit.rest.user.period=1
rateLimit.rest.user.periodUnit=SECONDS
Authentication Limits
All authentication attempts are rate limited and enabled by default. There are 2 types of limiting. First the limit per IP address, which limits all authentication attempts from a given IP address:
rateLimit.authentication.ip.enabled=true
rateLimit.authentication.ip.burstQuantity=5
rateLimit.authentication.ip.quanitity=1
rateLimit.authentication.ip.period=1
rateLimit.authentication.ip.periodUnit=MINUTES
Second is the Username limiting which occurs from any IP address against the same username. It is enabled by default and has the following settings:
rateLimit.authentication.user.enabled=true
rateLimit.authentication.user.burstQuantity=5
rateLimit.authentication.user.quanitity=1
rateLimit.authentication.user.period=1
rateLimit.authentication.user.periodUnit=MINUTES