Rate limit
You may want to limit the number of tries per user/IP within a short time (especially with the SMS option). If you enable this, the defaults are 2 tries per login per minute, and the same per IP address:
$use_ratelimit = true;
Tip
The rate limit feature uses temporary files, so if you enable it, self-service-password is no longer a stateless service. If you have multiple instances of self-service-password, you can set up sticky sessions on your high-availability equipment.
Other possible options for rate limiting:
$ratelimit_dbdir = '/tmp';
$max_attempts_per_user = 2;
$max_attempts_per_ip = 2;
$max_attempts_block_seconds = "60";
$client_ip_header = 'REMOTE_ADDR';
You may want to control the rate limit per IP address.
To do so, specify the full local path of a file containing JSON that maps IP addresses to the expected behavior.
By default $ratelimit_filter_by_ip_jsonfile is empty and no exclusion is applied.
$ratelimit_filter_by_ip_jsonfile = '/var/www/conf/rrl_filter_by_ip.json';
Example of rrl_filter_by_ip.json file:
{
    "127.0.0.1":{"per_time":"infinite"},
    "172.28.0.1":{"max_per_ip":"infinite","max_per_user":30}
}
Values are integers, except for the word infinite, which disables the corresponding check.
If a value is missing, the corresponding default from the configuration is used:
max_per_ip missing: uses $max_attempts_per_ip
max_per_user missing: uses $max_attempts_per_user
per_time missing: uses $max_attempts_block_seconds
When per_time is set to infinite, no check at all is done for requests coming from that IP.
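To make the fallback and "infinite" rules above concrete, here is an added Python illustration (not self-service-password's own code, which is PHP and stores its counters in files): it resolves the effective limits for an IP from a constructed copy of the JSON file shown above, with the page's default values assumed as the fallback, and applies them as a simple in-memory sliding window per user and per IP.

```python
import json
from collections import defaultdict, deque

# Fallback values, assumed to match the defaults shown in the configuration above.
DEFAULTS = {"max_per_ip": 2, "max_per_user": 2, "per_time": 60}

# Constructed sample with the same content as the rrl_filter_by_ip.json example.
FILTER_JSON = ('{"127.0.0.1":{"per_time":"infinite"},'
               '"172.28.0.1":{"max_per_ip":"infinite","max_per_user":30}}')


def load_filter(text):
    """Parse the per-IP filter file (a JSON object keyed by IP address)."""
    return json.loads(text)


def effective_limits(ip, filter_by_ip, defaults=DEFAULTS):
    """Limits applying to ip: a missing key falls back to the default,
    the word "infinite" disables that check (represented as None)."""
    entry = filter_by_ip.get(ip, {})
    limits = {}
    for key, default in defaults.items():
        value = entry.get(key, default)
        limits[key] = None if value == "infinite" else int(value)
    return limits


class RateLimiter:
    """Sliding-window counter of recent attempts, per user and per IP."""

    def __init__(self, filter_by_ip):
        self.filter_by_ip = filter_by_ip
        self.by_user = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    def allow(self, user, ip, now):
        limits = effective_limits(ip, self.filter_by_ip)
        window = limits["per_time"]
        if window is None:  # per_time infinite: no check at all for this IP
            return True
        for bucket, cap in ((self.by_user[user], limits["max_per_user"]),
                            (self.by_ip[ip], limits["max_per_ip"])):
            while bucket and now - bucket[0] >= window:  # drop expired tries
                bucket.popleft()
            if cap is not None and len(bucket) >= cap:
                return False  # blocked until the oldest try leaves the window
        self.by_user[user].append(now)
        self.by_ip[ip].append(now)
        return True
```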