Rate limit
You may want to limit number of tries per user/IP in a short time (especially with sms option). If you enable this, defaults are 2 tries per login and per minute, and same for IP address:
$use_ratelimit = true;
Tip
rate limit feature use temporary files. So if you enable it, self-service-password is not a stateless service any more. If you have multiple instances of self-service-password, you can set up a sticky-sessions system on your high-availability equipment.
Other possible options for rate limiting:
$ratelimit_dbdir = '/tmp';
$max_attempts_per_user = 2;
$max_attempts_per_ip = 2;
$max_attempts_block_seconds = "60";
$client_ip_header = 'REMOTE_ADDR';
You may want to control rate_limit by IP.
To do so you have to specify full local path of file containing json of IP and expected behavior.
By default $ratelimit_filter_by_ip_jsonfile
is empty, no exclusion is applied.
$ratelimit_filter_by_ip_jsonfile = '/var/www/conf/rrl_filter_by_ip.json';
Example of rrl_filter_by_ip.json
file :
{
"127.0.0.1":{"per_time":"infinite"},
"172.28.0.1":{"max_per_ip":"infinite","max_per_user":30}
}
Values are integers, excepting for infinite
word where check for rate will be disabled.
If no value is given then default will be used:
max_per_ip
missing uses$max_attempts_per_ip
max_per_user
missing uses$max_attempts_per_user
per_time
missing uses$max_attempts_block_seconds
When per_time
is set to infinite
no check will be done when related IP is used.