# L7 Rate Limiting Protection configuration # Default path: /etc/imunify360-wafd/l7rate_limiter.yml enabled: false # Where "rate limit exceeded" events are logged. When on, each exceeded # request is written to wafd-access.log (the request journal that also # records splash-screen activity). # When off, it is written to imunify360-wafd.log with debug level # (i.e. not visible by default). # Required. Values: on, off log_events: on # Default limits applied when no rule matches. # All fields are required when the feature is enabled. defaults: limit: 300 # max requests in timeframe; suffixes: k (x1000), m (x1000000) timeframe: 1m # Go duration format: 30s, 1m, 8h, etc. action: splash # continue, allow, deny, splash # Memory cache settings. Controls the in-memory sliding window counter cache. # All fields are required when the feature is enabled. memcache: max_items: 100k # Maximum entries in the cache # Suffixes: k (x1000), m (x1000000) max_age: 10h # Evict entries older than this with zero counts # Go duration format: 30s, 1m, 8h, etc. flush_period: 2s # How often to flush dirty entries to disk on_overflow: continue # Action when max_items exceeded # Values: continue, allow, deny, splash storage_dir: /var/cache/imunify360/wafd # Directory for persistent storage (must exist) # Rules are evaluated top-to-bottom. First match wins (nftables-style). # Each rule can match on IPs, domains, or both (AND logic). # Omitted limit/timeframe/action values are inherited from defaults. # # Counting: each rule keeps one counter per client IP. The domain matcher # controls which requests hit the rule, but all matching domains share the # same counter. For example, a limit of 100 on "*.example.com" allows # 100 requests total across sub1, sub2, … from a single IP — not 100 per # subdomain. To enforce separate limits per domain, create separate rules. rules: [] # Examples: # # - name: ip burst # limit: 60 # timeframe: 30s # action: deny # ips: # - 1.2.3.4 # - 42.42.42.0/24 # - 2606:4700::6812:1b78 # # - name: domain burst # limit: 60 # timeframe: 30s # domains: # - usefulsite.com # - "*.example.com" # # - name: combined admin protection # limit: 10 # timeframe: 1m # action: deny # ips: # - 192.168.0.0/16 # domains: # - admin.example.com # # - name: external ip list # limit: 1000 # timeframe: 8h # include: /etc/imunify360-wafd/l7prot-ips.conf # # - name: external domain list # include: /etc/imunify360-wafd/l7prot-domains.conf