mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-07 22:58:02 +00:00
docs(legal): merge rate limits (#5719)
* formatting title configuration
* merge policy and metrics
* raising limits, editorial
* Update docs/docs/legal/rate-limit-policy.md

Co-authored-by: Elio Bischof <elio@zitadel.com>

* Apply suggestions from code review

Co-authored-by: Elio Bischof <elio@zitadel.com>

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
This commit is contained in:
parent
5d6399da24
commit
ebc140a234
@ -27,9 +27,9 @@ More about the [scopes](/apis/openidoauth/scopes#reserved-scopes)
|
|||||||
|
|
||||||
If you have an application that runs a dedicated domain for each customer you need to instruct ZITADEL to allow redirection for each domain specifically to safeguard against phishing attacks.
|
If you have an application that runs a dedicated domain for each customer you need to instruct ZITADEL to allow redirection for each domain specifically to safeguard against phishing attacks.
|
||||||
|
|
||||||
Example:
|
Example:
|
||||||
MyApplication: customer-a.app.com
|
MyApplication: `customer-a.app.com`
|
||||||
ZITADEL Login: login.app.com
|
ZITADEL Login: `login.app.com`
|
||||||
|
|
||||||
In the OIDC Authorization request you always have to send the redirect URI to where you like to be redirected after login.
|
In the OIDC Authorization request you always have to send the redirect URI to where you like to be redirected after login.
|
||||||
To handle this scenario it is possible to register multiple URIs on each application in ZITADEL, the only criteria is that the requested URI has to match one of the registered URIs.
|
To handle this scenario it is possible to register multiple URIs on each application in ZITADEL, the only criteria is that the requested URI has to match one of the registered URIs.
|
||||||
|
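Review bot: the context line "the only criteria is that the requested URI has to match one of the registered URIs" leaves open how that match is made, and this is the very safeguard against phishing the paragraph introduces; if the comparison is an exact string match on scheme, host, port and path, say so here, so readers do not assume prefix or wildcard matching is accepted. While these lines are being touched, "criteria" should be the singular "criterion", and "to where you like to be redirected" reads better as "to which you would like to be redirected". Wrapping `customer-a.app.com` and `login.app.com` in backticks is fine.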
@ -12,18 +12,32 @@ To ensure the availability of our Services and to avoid slow or failed requests
|
|||||||
|
|
||||||
## How is the rate limit implemented
|
## How is the rate limit implemented
|
||||||
|
|
||||||
ZITADEL Clouds rate limit is built around a `IP` oriented model. Please be aware that we also utilize a service for DDoS mitigation.
|
ZITADEL Clouds rate limit is built around a `IP` oriented model.
|
||||||
|
Please be aware that we also utilize a service for DDoS mitigation.
|
||||||
So if you simply change your `IP` address and run the same request again and again you might be get blocked at some point.
|
So if you simply change your `IP` address and run the same request again and again you might be get blocked at some point.
|
||||||
|
|
||||||
If you are blocked you will receive a `http status 429`.
|
If you are blocked you will receive a `http status 429`.
|
||||||
|
|
||||||
:::tip
|
:::tip Implement exponential backoff
|
||||||
You should consider to implement [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff) into your application to prevent a blocking loop.
|
You should consider to implement [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff) into your application to prevent a blocking loop.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
|
:::info Raising limits
|
||||||
|
We understand that there are certain scenarios where your users access ZITADEL from shared IP Addresses.
|
||||||
|
For example if you use a corporate proxy or Network Address Translation NAT.
|
||||||
|
Please [get in touch](https://zitadel.com/contact) with us to discuss your requirements and we'll find a solution.
|
||||||
|
:::
|
||||||
|
|
||||||
## What rate limits do apply
|
## What rate limits do apply
|
||||||
|
|
||||||
For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register and reset features) and for API paths each. Learn more about [the exact rules](/apis/ratelimits).
|
For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register and reset features) and for API paths each.
|
||||||
|
|
||||||
|
Rate limits are implemented with the following rules:
|
||||||
|
|
||||||
|
| Path | Description | Rate Limiting | One Minute Banning |
|
||||||
|
|--------------------------|----------------------------------------|--------------------------------------|----------------------------------------|
|
||||||
|
| /ui/login* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes |
|
||||||
|
| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes |
|
||||||
|
|
||||||
## Load Testing
|
## Load Testing
|
||||||
|
|
||||||
|
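Review bot: the new table gives two thresholds per path ("Rate Limiting" and "One Minute Banning") but nothing says what happens when each is crossed; the text above only states that a blocked client receives `http status 429`. Add a sentence saying which threshold produces the 429 response and which produces the one-minute ban, and why `/ui/login*` bans at 15 requests per second while all other paths ban at 10. The hunk also removes the link to `/apis/ratelimits`; check that no other page still points there or add a redirect to `/legal/rate-limit-policy` (see the sidebar change in this commit). Smaller fixes in the touched and surrounding lines: "ZITADEL Clouds rate limit is built around a `IP` oriented model" should read "ZITADEL Cloud's rate limit is built around an `IP`-oriented model", "you might be get blocked" has a stray "be", and "Network Address Translation NAT" should be "Network Address Translation (NAT)".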
@ -420,10 +420,9 @@ module.exports = {
|
|||||||
items: ["apis/observability/metrics", "apis/observability/health"],
|
items: ["apis/observability/metrics", "apis/observability/health"],
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
type: "category",
|
type: 'link',
|
||||||
label: "Rate Limits",
|
label: 'Rate Limits (Cloud)', // The link label
|
||||||
collapsed: false,
|
href: '/legal/rate-limit-policy', // The internal path
|
||||||
items: ["apis/ratelimits/ratelimits", "legal/rate-limit-policy"],
|
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
selfHosting: [
|
selfHosting: [
|
||||||
|
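Review bot: replacing the "Rate Limits" category with a single link drops `apis/ratelimits/ratelimits` from the sidebar, but this diff does not show the document itself being removed; if it still exists it becomes an orphaned page reachable only by URL and will drift from the policy page it was merged into, so either delete it in the same change or add a client redirect from `/apis/ratelimits` to `/legal/rate-limit-policy`. Minor style points: the new lines use single quotes (`type: 'link'`, `href: '/legal/rate-limit-policy'`) while the surrounding entries such as `items: ["apis/observability/metrics", "apis/observability/health"]` use double quotes, and the trailing comments `// The link label` and `// The internal path` only restate the key names and can go.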