How do I limit requests per hour from one IP, like Twitter does? For example, I want to provide 100 requests per hour. Is there any solution? Apache modules? Thanks.
+2
A:
Start simple.
- Use the concept of API keys (let's say it's a GUID mapped to a domain or an account).
- Every time your API is hit, take that key and increment its corresponding counter.
- Write rules to limit based on your counter (in this case hours).
- Reset.
Blocking by IP is not advisable, NAT being the problem.
Cherian
2009-03-26 07:23:56
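An added example, not part of the original answer: the key, counter, limit and reset steps listed above as a fixed-window counter in Python. The class and function names, the in-memory dict and the sample requests are assumptions made for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    remaining: int      # requests left in the current window
    retry_after: int    # seconds until the counter resets (0 if allowed)


class FixedWindowLimiter:
    """Per-API-key counter that resets at the start of every window."""

    def __init__(self, limit=100, window=3600, clock=time.time):
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so the reset can be tested
        self._counters = {}           # api_key -> (window_index, count)

    def check(self, api_key):
        now = self.clock()
        index = int(now // self.window)
        seen_index, count = self._counters.get(api_key, (index, 0))
        if seen_index != index:       # a new window started: reset the counter
            count = 0
        if count >= self.limit:
            reset_in = int((index + 1) * self.window - now)
            return Decision(False, 0, max(reset_in, 1))
        self._counters[api_key] = (index, count + 1)
        return Decision(True, self.limit - count - 1, 0)


def simulate(requests, limit=100, window=3600):
    """Replay constructed (timestamp, api_key) pairs; return the decisions."""
    current = [0.0]
    limiter = FixedWindowLimiter(limit, window, clock=lambda: current[0])
    results = []
    for ts, key in requests:
        current[0] = ts
        results.append(limiter.check(key))
    return results
```

A fixed window lets a client send up to twice the limit across a window boundary, and a deployment with more than one worker process needs the counters in a shared store with an atomic increment rather than a local dict.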
A:
Don't do it by IP. People from a whole university, company or internet cafe may share the same IP. It's best if you inject a cookie with a random value into the first HTTP response for each client in order to identify uniqueness.
cherouvim
2009-03-26 07:27:49
Easy to circumvent however.
Sam152
2009-03-26 08:27:06
@Sam152: the uniqueness by cookie? Definitely. Do you know any other means of ensuring user uniqueness?
cherouvim
2009-03-26 10:45:27
I don't want to enter limits for all users and all pages but only for specific API pages (XML, JSON and so on). I mean, only bots will access such pages. I guess it's too difficult for a human to read plain XML or JSON. ;-) Thanks for the answer!
floatless
2009-03-27 05:38:41
IP limiting is the most reliable way to identify users, and blacklist them if need be. However, you should implement "whitelisting" as Twitter does, so that universities etc. that share an IP can still have access with reasonable limits.
pop850
2010-08-02 01:15:25