2

When requesting, a POST form with a userID is already required, so if I can log the userID from the POST form, I think there would be a way to limit access for that userID to n times per hour (I think 3 times per hour is good for me). (That is, userID "A" can only access 3 times in one hour, userID "B" can also access 3 times in one hour, and so on.)

But I couldn't find how to do that.

What it does is just proxy the request to another service. Right now it only uses ProxyPass on apache2, so it needs to be configured inside the apache2 config (I think).

Is there a way to do it?

SJang

2 Answers

0

Not at the web server level, you need to do that at the application level; i.e. after the POST the application should tell the user something like "you made too many requests in too little time, please try again later".

AFAIK, the Apache web server (but this is true for IIS too) can only throttle requests using HTTP parameters (such as the web site or URL) or network parameters (such as the source IP address or bandwidth usage).


(Please correct me if I'm wrong, I'm not an Apache expert.)

Massimo
0

Take a look at this mod_security use case that can use cookies or URI content, so you can likely extract POST data too. Or just grab their IP and use that, as anyone can type a different username in a form to get around it.

Koffee
  • I couldn't use IP... :( So sad... many users can be on the same IP address in my case. – SJang Jan 08 '21 at 19:48
  • Use mod_security audit engine to capture all POST data in that case, isolate the userID, then pass it to a SecRule Variable – Koffee Jan 08 '21 at 19:55
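
A sketch of the per-userID limit discussed in the answer and comments above, added here as an example and not written by anyone in the thread. It assumes ModSecurity 2.x on Apache 2.4; the `/service/` path, the `userID` field name and format, the data directory, the `req_count` variable and the rule ids are all assumptions.

```apache
# Added example, not from the thread. Assumes ModSecurity 2.x on Apache 2.4,
# a proxied path /service/ and a form field named userID (all assumptions).
SecRuleEngine On
# ARGS_POST stays empty unless request bodies are parsed.
SecRequestBodyAccess On
# Assumed path for persistent collections; must be writable by Apache.
SecDataDir /var/cache/modsecurity

<Location "/service/">
    # Only POSTs are counted; anything else jumps past the limiter.
    SecRule REQUEST_METHOD "!@streq POST" \
        "id:10100,phase:2,t:none,pass,nolog,skipAfter:END_USERID_LIMIT"

    # Refuse POSTs that omit or duplicate userID, so the limiter
    # cannot be sidestepped by leaving the field out.
    SecRule &ARGS_POST:userID "!@eq 1" \
        "id:10101,phase:2,t:none,deny,status:400,log,msg:'POST without exactly one userID'"

    # Refuse malformed values; the pattern is an assumed userID format.
    SecRule ARGS_POST:userID "!@rx ^[A-Za-z0-9_.-]{1,64}$" \
        "id:10102,phase:2,t:none,deny,status:400,log,msg:'Malformed userID'"

    # Bind the persistent USER collection to the submitted userID.
    SecRule ARGS_POST:userID "@rx ^.+$" \
        "id:10103,phase:2,t:none,pass,nolog,capture,setuid:%{TX.0}"

    # First request in a window: create the counter with a one-hour lifetime.
    # The expiry is set only here, so the window is fixed, not sliding.
    SecRule &USER:req_count "@eq 0" \
        "id:10104,phase:2,t:none,pass,nolog,setvar:user.req_count=0,expirevar:user.req_count=3600"

    # Count this request.
    SecAction "id:10105,phase:2,t:none,pass,nolog,setvar:user.req_count=+1"

    # The fourth and later requests inside the hour are rejected in phase 2,
    # before the request is handed to the proxy.
    SecRule USER:req_count "@gt 3" \
        "id:10106,phase:2,t:none,deny,status:429,log,msg:'userID over 3 requests per hour'"

    SecMarker END_USERID_LIMIT
</Location>
```

The counter is keyed on whatever userID the client submits, so it bounds requests per claimed ID rather than per authenticated user. ModSecurity only populates `ARGS_POST` for bodies it parses, such as `application/x-www-form-urlencoded` and `multipart/form-data`.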