docs(legal): merge rate limits (#5719)

* formatting title configuration

* merge policy and metrics

* raising limits, editorial

* Update docs/docs/legal/rate-limit-policy.md

Co-authored-by: Elio Bischof <elio@zitadel.com>

* Apply suggestions from code review

Co-authored-by: Elio Bischof <elio@zitadel.com>

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
mffap 2023-04-21 15:21:05 +02:00 committed by GitHub
parent 5d6399da24
commit ebc140a234
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 10 deletions


@ -27,9 +27,9 @@ More about the [scopes](/apis/openidoauth/scopes#reserved-scopes)
If you have an application that runs a dedicated domain for each customer you need to instruct ZITADEL to allow redirection for each domain specifically to safeguard against phishing attacks. If you have an application that runs a dedicated domain for each customer you need to instruct ZITADEL to allow redirection for each domain specifically to safeguard against phishing attacks.
Example: Example:
MyApplication: customer-a.app.com MyApplication: `customer-a.app.com`
ZITADEL Login: login.app.com ZITADEL Login: `login.app.com`
In the OIDC Authorization request you always have to send the redirect URI to where you like to be redirected after login. In the OIDC Authorization request you always have to send the redirect URI to where you like to be redirected after login.
To handle this scenario it is possible to register multiple URIs on each application in ZITADEL, the only criteria is that the requested URI has to match one of the registered URIs. To handle this scenario it is possible to register multiple URIs on each application in ZITADEL, the only criteria is that the requested URI has to match one of the registered URIs.
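Review bot: Wrapping the hostnames in backticks is right, but the `MyApplication: ...` and `ZITADEL Login: ...` lines will fold into the preceding `Example:` paragraph when rendered unless each is separated by a blank line or written as a list item (e.g. `- MyApplication: \`customer-a.app.com\``); a two-item list would read more clearly. While editing this paragraph, the unchanged context line "the only criteria is" should read "the only criterion is".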


@ -12,18 +12,32 @@ To ensure the availability of our Services and to avoid slow or failed requests
## How is the rate limit implemented ## How is the rate limit implemented
ZITADEL Clouds rate limit is built around a `IP` oriented model. Please be aware that we also utilize a service for DDoS mitigation. ZITADEL Clouds rate limit is built around a `IP` oriented model.
Please be aware that we also utilize a service for DDoS mitigation.
So if you simply change your `IP` address and run the same request again and again you might be get blocked at some point. So if you simply change your `IP` address and run the same request again and again you might be get blocked at some point.
If you are blocked you will receive a `http status 429`. If you are blocked you will receive a `http status 429`.
:::tip :::tip Implement exponential backoff
You should consider to implement [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff) into your application to prevent a blocking loop. You should consider to implement [exponential backoff](https://en.wikipedia.org/wiki/Exponential_backoff) into your application to prevent a blocking loop.
::: :::
:::info Raising limits
We understand that there are certain scenarios where your users access ZITADEL from shared IP Addresses.
For example if you use a corporate proxy or Network Address Translation NAT.
Please [get in touch](https://zitadel.com/contact) with us to discuss your requirements and we'll find a solution.
:::
## What rate limits do apply ## What rate limits do apply
For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register and reset features) and for API paths each. Learn more about [the exact rules](/apis/ratelimits). For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register and reset features) and for API paths each.
Rate limits are implemented with the following rules:
| Path | Description | Rate Limiting | One Minute Banning |
|--------------------------|----------------------------------------|--------------------------------------|----------------------------------------|
| /ui/login* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes |
| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes |
## Load Testing ## Load Testing
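Review bot: The table header "One Minute Banning" does not say what the column means; from the values it appears to be the threshold that triggers a one-minute ban (for `/ui/login*`, sustaining more than 15 requests per second over 3 minutes), so a header such as "Banned for one minute when exceeding" plus one sentence under the table would make the two columns unambiguous. The `/ui/login*` cell should be in backticks so the asterisk is not parsed as emphasis, and the new sentence on shared IP addresses should write "Network Address Translation (NAT)". The unchanged lines "you might be get blocked" ("you might get blocked") and "ZITADEL Clouds rate limit" ("ZITADEL Cloud's") are also worth fixing in this editorial pass.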


@ -420,10 +420,9 @@ module.exports = {
items: ["apis/observability/metrics", "apis/observability/health"], items: ["apis/observability/metrics", "apis/observability/health"],
}, },
{ {
type: "category", type: 'link',
label: "Rate Limits", label: 'Rate Limits (Cloud)', // The link label
collapsed: false, href: '/legal/rate-limit-policy', // The internal path
items: ["apis/ratelimits/ratelimits", "legal/rate-limit-policy"],
}, },
], ],
selfHosting: [ selfHosting: [
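Review bot: Dropping "apis/ratelimits/ratelimits" from the sidebar orphans that page unless it is deleted or redirected, and none of this commit's three changed files appears to touch it; the link to /apis/ratelimits removed from the policy page in this commit and any external bookmarks will then 404, so add a Docusaurus redirect or remove the page. Minor style: the new entry uses single quotes while the rest of this file uses double quotes, and the trailing `// The link label` / `// The internal path` comments are copied from the Docusaurus sidebar docs and can be dropped.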