Pack Hosting Panel

Rate limit requests

How do you ensure that your application is not bombarded with requests from the same bots / visitors?

It is very common for an application to be bombarded with requests from the same IP address. Your php-fpm processes then quickly run out, and regular visits are no longer possible.

By simply limiting the number of PHP requests per IP, you'll solve many of these problems. You can set the rate limiting with the hipex command exactly how you’d like!

How it works

With rate limiting, you limit the number of requests per minute from one IP. In addition to the initial request, many pages make additional AJAX requests. Those requests will come in as a burst.

With the rate limit command, you can limit how many requests per minute are allowed for a path prefix, full request path or regex, and how many may come in as a burst.

The limitations will be saved in the domain configuration folder in these files:

  • ~/domains/<domain>/var/etc/rate-limit.nginx.conf
  • ~/domains/<domain>/var/etc/scope-http/rate-limit.nginx.conf

Limiting with burst

To limit the number of PHP requests to 5 per minute, you can use the following command:

hipex security:ratelimit 5

The visitor can then make 1 request every 12 seconds that ends up in PHP. Add a burst and the visitor is allowed to make 1 request per 12 seconds, or 5 at the same time followed by a block for 1 minute:

hipex security:ratelimit 5 --burst=5
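
The interaction between the per-minute rate and the burst can be checked with a small token-bucket model. This is an added example, not Hipex's or nginx's own code; the function names, the model itself and the use of burst=1 to stand for "no burst" are assumptions made for illustration.

```python
"""Token-bucket model of a per-IP limit with a burst (constructed example)."""


def simulate(times, rate_per_min, burst):
    """Return one bool per request time (whole seconds, sorted): True = allowed.

    Assumed model, not Hipex's code: the bucket holds at most `burst`
    requests and refills at `rate_per_min` requests per minute. Credit is
    kept in 1/60ths of a request so that all arithmetic stays in integers.
    """
    cap = burst * 60
    credit = cap            # a new visitor starts with a full bucket
    last = None
    verdicts = []
    for t in times:
        if last is not None:
            credit = min(cap, credit + (t - last) * rate_per_min)
        last = t
        if credit >= 60:    # at least one whole request available
            credit -= 60
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


def allowed_times(times, rate_per_min, burst):
    """Timestamps of the requests that would reach PHP."""
    times = list(times)
    return [t for t, ok in zip(times, simulate(times, rate_per_min, burst)) if ok]


if __name__ == "__main__":
    # Constructed traffic: a page load (1 request + 4 AJAX calls at once),
    # then a sixth request in the same second.
    print(simulate([0] * 6, 5, 5))
    # Constructed traffic: a bot sending 1 request per second for 30 seconds.
    print(allowed_times(range(30), 5, 5))
    # Same bot without a burst allowance (modelled here as burst=1).
    print(allowed_times(range(30), 5, 1))
```

In this model a normal page load fits inside the burst, while a client that keeps requesting is cut back to one PHP request per 12 seconds once the burst is spent.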

Specific paths

To limit requests on the admin to 1 per minute, add the path of the admin section:

hipex security:ratelimit 1 /<management>/admin/index/index

(<management> has to be changed to your specific admin URL).

Or set a limit just for the skin & media, so that the visitor can quickly download all static content:

hipex security:ratelimit 1000 /media

Prefix, full path and regex

All paths are treated as a prefix by default. However, it is also possible to specify a path as a regex:

hipex security:ratelimit 1000 '/(media|skin)' --path-type=regex

Or as an absolute path:

hipex security:ratelimit 1000 /checkout/cart/add --path-type=exact


If you want to see which limitations are active, you can run the command without arguments.

hipex security:ratelimit

| Path      | Path Type | Frequency | Burst |
| php       | prefix    | 1r/m      | 20    |
| /somepath | prefix    | 1r/m      | 2     |

You can remove a line with the option --remove.

hipex security:ratelimit 2 /somepath --remove


Of course, the option --help is implemented, so you can view all options and possibilities of the command:

hipex security:ratelimit --help