tags:

views:

57

answers:

1

How can you set a rate limit on access to an API using iptables? I tried to set a limit using port 80, but I don't want to limit web access entirely. Is there a way to specify a subdomain rather than a port? Example: set a rate limit on api.example.com but not example.com?

If there is no way to set a rate limit by subdomain, what is the suggested rate limit on access to port 80 without risking blocking a legitimate web user? Would one connection per second be enough?

+1  A: 

As the name suggests, iptables works with IP addresses. So if your api.example.com resolves to a different IP address than www.example.com, then you could filter based on those IP addresses. If they both resolve to the same IP address, then you can't filter them separately.

One connection per second for legitimate users is still pretty low. When you download a page, don't forget that you also have to download all the .js, .css, .jpg, etc. files, and they'll all come from the same domain. Keep-Alive can reduce the number of connection requests, but you'll still have at least two, possibly up to six, simultaneous requests from the same user (depending on their browser and configuration).

If this really is important to you, then you should set up unique IP addresses for your two separate subdomains and filter on that. Personally, I think filtering at the Apache level is more appropriate.

Dean Harding
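As an added example (not from the question or the answer above), here is the per-client-IP limit the answer describes, applied only to the API's own dedicated address so the www address is untouched. The address 203.0.113.10 is a placeholder for the API's IP; the rate and burst values are assumptions, and the rules count only new TCP connections (SYN), so the extra requests a browser sends over a kept-alive connection are not charged against the limit.

```shell
#!/bin/sh
# Emit iptables rules that rate-limit NEW HTTP connections per source IP, but
# only for the API's dedicated destination address (assumed: 203.0.113.10).
# Usage: ratelimit_rules <api_ip> [rate] [burst]   rate uses hashlimit syntax, e.g. 5/sec
ratelimit_rules() {
    api_ip=$1
    rate=${2:-5/sec}      # assumed default: 5 new connections per second per client
    burst=${3:-20}        # assumed default: allow a short burst (page + assets)

    # Accept new connections to the API address while the client stays under the limit.
    # hashlimit keeps one bucket per source IP (--hashlimit-mode srcip).
    printf 'iptables -A INPUT -d %s -p tcp --dport 80 --syn -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-upto %s --hashlimit-burst %s --hashlimit-name api-http -j ACCEPT\n' \
        "$api_ip" "$rate" "$burst"

    # Anything over the limit is dropped, but only for the API address: traffic to
    # www on a different IP never matches these rules.
    printf 'iptables -A INPUT -d %s -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j DROP\n' \
        "$api_ip"
}

# Print the rules by default; run them only when explicitly asked (needs root).
case "${1:-print}" in
    apply) ratelimit_rules "${2:-203.0.113.10}" "${3:-5/sec}" "${4:-20}" | sh ;;
    *)     ratelimit_rules 203.0.113.10 5/sec 20 ;;
esac
```

Review the printed rules first (`./ratelimit.sh`), then run `./ratelimit.sh apply <api_ip>` as root; insert them before any general ACCEPT for port 80 so they are actually evaluated.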