I want to rate limit users connecting to `wp-login.php` with method `POST`.
The website is behind Cloudflare so, to get the source IP, I need to use `hdr(CF-Connecting-IP)`.
I want to create a stick table that increments connections and denies the request if more than 3 in less than 20 seconds.
```
# create a stick table that monitors for 20 seconds
stick-table type ip size 1m expire 20s store http_req_rate(20s)
# tracks requests using cloudflare connecting ip
http-request track-sc0 hdr(CF-Connecting-IP)
# conditions on where to listen
acl monitored_url path_beg -i /wp-login.php
acl is_post method POST
# increment counter if conditions are met
http-request sc-inc-gpc0(0) if monitored_url is_post
# deny if user has tried to login more than 3 times in last 20 seconds
http-request deny if { sc_get_gpc0(0) gt 3 }
```
Compiles, but doesn’t deny anyone. Can’t find the error.
Any idea? Thanks!
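One way to get the behaviour described in the post, as an added example (not the poster's configuration and not HAProxy project code). It assumes the counter stays at zero because the table stores only `http_req_rate(20s)` and has no `gpc0` data to increment, so it reads the stored rate instead; the frontend and backend names, the Cloudflare range file and the server address are hypothetical.

```haproxy
# Added example; names, paths and addresses below are assumptions.
frontend fe_web                       # hypothetical frontend name
    bind :80
    # one entry per client IP; the rate is measured over a 20s sliding window
    stick-table type ip size 1m expire 20s store http_req_rate(20s)

    acl monitored_url   path_beg -i /wp-login.php
    acl is_post         method POST
    # hypothetical file listing Cloudflare's published ranges, one CIDR per line
    acl from_cloudflare src -f /etc/haproxy/cloudflare-ips.lst

    # Track only login POSTs, so http_req_rate counts login attempts and nothing else.
    # The header is used as the key only when the TCP peer really is Cloudflare,
    # otherwise any client could pick its own key by sending the header itself.
    http-request track-sc0 req.hdr_ip(CF-Connecting-IP) if monitored_url is_post from_cloudflare

    # Deny once the tracked client exceeds 3 login POSTs within 20 seconds.
    # This rule must come after the track-sc0 rule above.
    http-request deny deny_status 429 if monitored_url is_post { sc_http_req_rate(0) gt 3 }

    default_backend be_wordpress      # hypothetical backend name

backend be_wordpress
    server wp1 127.0.0.1:8080         # constructed address
```

Requests that do not arrive from a listed Cloudflare range are not tracked by this rule set; a separate rule keyed on `src` would be needed to limit them.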