I have rate limiting set up with HAProxy, and it works beautifully. I have it set up so that if an IP makes more than 15 requests within a sliding ten second window, a 429 response is returned on the 16th request. But I’m confused by a small thing: namely, why this doesn’t happen in other circumstances.
If, for example, I simulate a bunch of direct requests to the same URL — e.g. domain.com/page1 — the rate limiting kicks in as it should after 15 requests, and returns a 429 thereafter. But I’ve noticed that if I do a single hard refresh on the same URL — e.g. domain.com/page1 — and my browser loads that page plus all of the related files (css, jpg, js, etc.) that it requires, this action does not generate any 429 responses, even if the total number of requests my IP has made within the sliding window exceeds the number I’ve specified.
This isn’t a problem. This is actually what I want to happen. But I’m interested in why it’s happening. Does HAProxy know the difference between being asked for a URL and the consequences of that URL having been requested? Or do I have something wrong somewhere?