API Password Reset Rate Limit


(Hosein Naseri) #1

I’m using an API call to reset a user’s password. But I’m getting a rate limit warning. What rate should I increase? Btw, all of the API calls are made from my server and I have whitelisted it. Isn’t it enough?


(Hosein Naseri) #2

I found the following template file: web.ratelimited.template.yml

It has a connection per IP parameter:

       conn_per_ip: 20

And in the following lines there is:

       limit_conn_zone $binary_remote_addr zone=connperip:10m;

Can someone explain what this means? Does it mean there should be only 20 connections per IP in 10 mins? Should I change these?


(Eli the Bearded) #3

Those are directives for nginx:

http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html

I believe it is limiting it to 20 concurrent connections and allocating a max of 10 megabytes to store connections per IP address data for rate limiting.

The nginx rate limits will not be useful for figuring out an API rate limit. (I expect there is one, but have never looked for it.)


(Hosein Naseri) #4

In the admin panel there is a parameter called max user api reqs per day that I can’t increase beyond 20000. I think I need more. What should I do?

Apart from this API rate limit, are there any other API rate limits that I should know about?


(Sam Saffron) #5

Are you sure you are using the user API and not the standard API here?


(Hosein Naseri) #6

I think I found the problem. All of my API PHP files are on my server, and so the password reset API is called from my server. Then when someone hits the rate limit, in fact my server hits the rate limit, and other people who want to reset their password are also affected. Is there something I can do to prevent this? For example, can I pass the actual IP with the API call?
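The following nginx fragment is an added example, not code from this thread or from the Discourse templates. It shows the two directives discussed in #3 (the `limit_conn_zone` line and the `conn_per_ip` value used as a `limit_conn` limit), with the `10m` read as the shared-memory size rather than a time window, and one way to address the situation in #6: when every request arrives through a single trusted middle-tier server, nginx’s realip module can take the end user’s address from `X-Forwarded-For`, so the per-IP key becomes the original client rather than the middle-tier server. The trusted address `203.0.113.10` (a documentation range) and the upstream `127.0.0.1:3000` are assumptions; whether the application’s own daily per-user API limit from #4 also honours the forwarded address depends on the application and is not established by this thread.

```nginx
# Added example (not from the thread or the Discourse templates).
# Goes in the http {} context. Shared-memory zone keyed by the client's
# binary IP: "10m" is 10 megabytes of zone storage, not 10 minutes.
limit_conn_zone $binary_remote_addr zone=connperip:10m;

server {
    listen 80;

    # At most 20 simultaneous connections per key; this is what the
    # template's conn_per_ip: 20 value ends up controlling.
    limit_conn connperip 20;
    limit_conn_log_level warn;

    # Only when the TCP peer is the trusted middle-tier server (assumed
    # address) do we replace the client address with the one it forwards.
    # Trusting X-Forwarded-For from arbitrary peers would let any client
    # choose its own rate-limit key, so the trust list stays explicit.
    set_real_ip_from 203.0.113.10;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    location / {
        # Assumed upstream; after the realip substitution $remote_addr and
        # $binary_remote_addr already carry the end user's address.
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

For this to work the middle-tier server has to send the end user’s address in `X-Forwarded-For` on each call; then one user exhausting the limit no longer blocks everyone else behind the same server, while a user who floods the reset endpoint is still throttled individually.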