API Limiter

🛡️ API Limiter Plugin for Azuriom

🇺🇸 English Version

Powerful and flexible API rate limiting plugin for Azuriom CMS with advanced configuration and monitoring capabilities.

🚀 Features

🔧 Core Functionality:

  • Global API Rate Limiting - applies to all API endpoints
  • Flexible Route Rules - individual settings for each API
  • 7 Rule Types - from complete blocking to custom configurations
  • IP Whitelist - bypass limitations for trusted IPs
  • CIDR Support - support for IP ranges (192.168.1.0/24)
  • Two Limiting Modes - by IP address or by user

📊 Monitoring and Logging:

  • Detailed Logging - complete history of API requests
  • Web Log Interface - view, filter and search in admin panel
  • Auto Log Cleanup - 12 periods from 1 hour to 1 year
  • Coverage Statistics - analysis of API route protection

🛡️ Security and Reliability:

  • Update Protection - fallback modes during Azuriom failures
  • Automatic Recovery - self-diagnosis and repair
  • Settings Caching - high performance
  • Easy Installation - standard Azuriom plugin installation

⚙️ Configuration

After installation, open Admin Panel → API Limiter.

🎛️ Main Settings:

  • Enable Rate Limiting - global enable/disable
  • Requests per Minute - maximum requests count (1-10000)
  • Limit By - choice between IP address or user
  • Whitelisted IPs - whitelist for bypassing limitations
  • Enable Logging - record all API requests to logs
  • Auto Log Cleanup - log retention period (1 hour - 1 year)

📋 Route Management:

  • API Routes - view all discovered API endpoints
  • Route Rules - individual settings for each API
  • Coverage Statistics - analysis of API route protection

📊 Monitoring:

  • Request Logs - view, filter and analyze API requests
  • Route Filtering - select logs by specific endpoints
  • Request Status - ✅ Allowed / ❌ Blocked

Default Settings:

Enabled: Yes
Requests per Minute: 60
Limit By: IP address
Whitelist: 127.0.0.1, ::1
Logging: Enabled
Auto Cleanup: 2 weeks

🔧 Route Rule Types

📋 Available Rules:

  1. ✅ No Restrictions (no_restrictions) - full access without limits
  2. 🚦 Rate Limiting (rate_limit) - standard limit from global settings
  3. 🚦 Rate Limiting (Custom) (rate_limit_custom) - individual limit for route
  4. 🔒 Whitelist Only (whitelist_only) - access only for general whitelist
  5. 🔒 Whitelist (Custom) (whitelist_custom) - access only for custom whitelist
  6. 🚦🔒 Rate Limit + Whitelist (rate_limit_and_whitelist_custom) - individual limit, and IPs on the individual whitelist pass without restrictions
  7. 🚦🔒 Whitelist + Rate Limit (Custom) (whitelist_and_rate_limit_custom) - only whitelisted IPs are allowed, and they are still subject to the individual limit
  8. 🚫 Restricted (restricted) - block all requests

🔧 Whitelist Configuration

Supported Formats:

  • Single IP: 192.168.1.100
  • CIDR Range: 192.168.1.0/24
  • IPv6: ::1, 2001:db8::/32
  • Multiple IPs: 127.0.0.1, 192.168.1.1, 10.0.0.0/8

Usage Examples:

# Local addresses
127.0.0.1, ::1

# Internal network
192.168.0.0/16, 10.0.0.0/8

# Specific servers
203.0.113.1, 203.0.113.2

# Mixed format
127.0.0.1, 192.168.1.0/24, 203.0.113.1
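
The matching logic behind such a whitelist, as an added example that is not the plugin's own code: it parses the comma-separated format above (single IPs and CIDR ranges, IPv4 and IPv6) and checks a client address against it. Function names are assumed.

```php
<?php
// Added example, not the plugin's own code. inet_pton() yields 4 bytes for
// IPv4 and 16 for IPv6, so one prefix comparison serves both families.

function parseWhitelist(string $raw): array
{
    $entries = [];
    foreach (preg_split('/[\s,]+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY) as $item) {
        [$ip, $bits] = array_pad(explode('/', $item, 2), 2, null);
        $packed = @inet_pton($ip);
        if ($packed === false || ($bits !== null && !ctype_digit($bits))) {
            continue; // malformed entry; "/abc" must not silently become /0
        }
        $maxBits = strlen($packed) * 8;
        $bits = ($bits === null) ? $maxBits : (int) $bits;
        if ($bits <= $maxBits) {
            $entries[] = [$packed, $bits];
        }
    }
    return $entries;
}

function ipInWhitelist(string $ip, array $entries): bool
{
    $packed = @inet_pton($ip);
    if ($packed === false) return false;
    foreach ($entries as [$net, $bits]) {
        if (strlen($net) !== strlen($packed)) {
            continue; // never compare an IPv4 address with an IPv6 range
        }
        $full = intdiv($bits, 8);
        $rest = $bits % 8;
        if (substr($net, 0, $full) !== substr($packed, 0, $full)) {
            continue;
        }
        if ($rest === 0) return true;
        $mask = (0xFF << (8 - $rest)) & 0xFF; // high bits of the boundary byte
        if ((ord($net[$full]) & $mask) === (ord($packed[$full]) & $mask)) {
            return true;
        }
    }
    return false;
}

// constructed input: the last entry is deliberately malformed and is ignored
$whitelist = parseWhitelist('127.0.0.1, ::1, 192.168.1.0/24, 2001:db8::/32, 10.0.0.0/abc');
foreach (['192.168.1.77', '192.168.2.1', '2001:db8:1::5', '10.1.2.3'] as $ip) {
    echo str_pad($ip, 16), ipInWhitelist($ip, $whitelist) ? "whitelisted\n" : "not whitelisted\n";
}
```

A whitelist is only as trustworthy as the client IP it is given; behind a reverse proxy, make sure Laravel's trusted-proxy configuration is set so the address is not taken from an arbitrary forwarded header.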

🚫 Rate Limit Exceeded Response

When the rate limit is exceeded, the API returns HTTP 429:

HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
    "message": "Too Many Requests"
}

📝 Logging

📊 Web Log Interface

All API requests are recorded in separate log files and are available through the admin panel: Admin Panel → API Limiter → Request Logs

Features:

  • 🔍 Search by IP, route, URI
  • 📅 Date filtering
  • 🎯 Status filter (Allowed/Blocked)
  • 🛣️ Route filter
  • 📄 Pagination (50 records per page)
  • 💾 Download logs
  • 🗑️ Clear logs

📋 Log Format

Compact single-line format with millisecond timestamps, written to storage/logs/api-limiter-YYYY-MM-DD.log files (the entry below is pretty-printed for readability):

[2025-01-20 10:30:00.123] local.INFO: API Request {
    "ip": "192.168.1.100",
    "method": "POST", 
    "route": "api.auth.authenticate",
    "uri": "/api/auth/authenticate",
    "status": "allowed",
    "reason": "Whitelist IP"
}
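
Because every entry is one line with a JSON payload, the files are easy to post-process. The following added example (not the plugin's own code) parses lines in this format and summarises blocked requests per IP, the quickest way to spot a single client hammering an endpoint; the sample lines and "reason" texts are constructed.

```php
<?php
// Added example, not the plugin's own code: parse api-limiter-YYYY-MM-DD.log
// lines and count blocked requests per client IP. Sample lines are constructed.

$sampleLog = <<<'LOG'
[2025-01-20 10:30:00.123] local.INFO: API Request {"ip":"192.168.1.100","method":"POST","route":"api.auth.authenticate","uri":"/api/auth/authenticate","status":"allowed","reason":"Whitelist IP"}
[2025-01-20 10:30:01.004] local.INFO: API Request {"ip":"203.0.113.7","method":"POST","route":"api.auth.authenticate","uri":"/api/auth/authenticate","status":"blocked","reason":"Rate limit exceeded"}
[2025-01-20 10:30:01.250] local.INFO: API Request {"ip":"203.0.113.7","method":"POST","route":"api.auth.authenticate","uri":"/api/auth/authenticate","status":"blocked","reason":"Rate limit exceeded"}
[2025-01-20 10:30:02.010] local.INFO: API Request {"ip":"198.51.100.4","method":"GET","route":"api.servers","uri":"/api/servers","status":"allowed","reason":"Within limit"}
this line is not a log entry and is skipped
LOG;

function parseLogLine(string $line): ?array
{
    $re = '/^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] \S+\.INFO: API Request (\{.*\})$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $fields = json_decode($m[2], true);
    if (!is_array($fields) || !isset($fields['ip'], $fields['status'])) {
        return null; // truncated or hand-edited payload: do not guess
    }
    $fields['time'] = $m[1];
    return $fields;
}

// returns [ip => [blocked, total, routes]] sorted with the most-blocked IP first
function blockedPerIp(string $log): array
{
    $stats = [];
    foreach (preg_split('/\R/', $log, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $e = parseLogLine($line);
        if ($e === null) continue;
        $ip = $e['ip'];
        $stats[$ip] ??= ['blocked' => 0, 'total' => 0, 'routes' => []];
        $stats[$ip]['total']++;
        if ($e['status'] === 'blocked') {
            $stats[$ip]['blocked']++;
            $stats[$ip]['routes'][$e['route'] ?? $e['uri'] ?? '?'] = true;
        }
    }
    uasort($stats, fn($a, $b) => $b['blocked'] <=> $a['blocked']);
    return $stats;
}

foreach (blockedPerIp($sampleLog) as $ip => $s) {
    printf("%-16s blocked %d/%d  %s\n", $ip, $s['blocked'], $s['total'], implode(',', array_keys($s['routes'])));
}
```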

⚙️ Logging Settings

  • Enable Logging - turn log recording on or off completely
  • Auto Cleanup - automatic deletion of old logs
  • 12 Periods - from 1 hour to 1 year

🔄 Limiting Modes

By IP Address (default)

  • Limit applies to each IP address separately
  • Suitable for public APIs
  • Protects against DDoS attacks

By User

  • Limit applies to each authenticated user
  • For unauthenticated requests, IP is used
  • Suitable for personalized APIs
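
How the eight route rule types above and the two limiting modes combine into one access decision, as an added example that is not the plugin's own code. Whitelist membership and "over limit" state are passed in as booleans so the function stays pure; the real plugin resolves them from its settings and Laravel's rate limiter. Assumed, since the page does not state it: the global whitelist bypasses the two rate_limit rules, and each whitelist rule consults only the list it names.

```php
<?php
// Added example, not the plugin's own code. Precedence between the global
// whitelist and the custom rules is an assumption (see lead-in).

function limitKey(string $mode, ?int $userId, string $ip): string
{
    // "By User" falls back to the client IP for unauthenticated requests
    return ($mode === 'user' && $userId !== null) ? "user:$userId" : "ip:$ip";
}

// returns [allowed, reason], mirroring the status/reason fields in the logs
function decide(string $rule, bool $inGlobalWl, bool $inCustomWl, bool $overGlobal, bool $overCustom): array
{
    $limited = fn(bool $over, string $scope) =>
        [!$over, $over ? "$scope rate limit exceeded" : "Within $scope limit"];

    switch ($rule) {
        case 'no_restrictions':
            return [true, 'No restrictions'];
        case 'rate_limit':
            return $inGlobalWl ? [true, 'Whitelist IP'] : $limited($overGlobal, 'Global');
        case 'rate_limit_custom':
            return $inGlobalWl ? [true, 'Whitelist IP'] : $limited($overCustom, 'Custom');
        case 'whitelist_only':
            return [$inGlobalWl, $inGlobalWl ? 'Whitelist IP' : 'Not in global whitelist'];
        case 'whitelist_custom':
            return [$inCustomWl, $inCustomWl ? 'Custom whitelist IP' : 'Not in custom whitelist'];
        case 'rate_limit_and_whitelist_custom':
            // custom whitelist passes without restrictions, everyone else is limited
            return $inCustomWl ? [true, 'Custom whitelist IP'] : $limited($overCustom, 'Custom');
        case 'whitelist_and_rate_limit_custom':
            // only custom-whitelisted clients get in, and they are still limited
            return $inCustomWl ? $limited($overCustom, 'Custom') : [false, 'Not in custom whitelist'];
        case 'restricted':
            return [false, 'Route restricted'];
        default:
            // fail closed: a mistyped rule name must not open the route
            return [false, 'Unknown rule'];
    }
}

// constructed inputs: unauthenticated client, on the custom whitelist, over its custom limit
$key = limitKey('user', null, '203.0.113.9');
foreach (['whitelist_and_rate_limit_custom', 'rate_limit_and_whitelist_custom', 'bogus'] as $rule) {
    [$ok, $why] = decide($rule, false, true, false, true);
    printf("%-32s %s %s (%s)\n", $rule, $key, $ok ? 'allowed' : 'blocked', $why);
}
```

Running it shows the difference between rules 6 and 7: the same whitelisted client is allowed under rate_limit_and_whitelist_custom but blocked under whitelist_and_rate_limit_custom once its custom limit is exceeded.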

🛠️ Administration

🎛️ Control Panel

  • Settings - global limitation parameters
  • API Routes - overview of all discovered endpoints
  • Route Rules - individual settings for each API
  • Request Logs - monitoring and traffic analysis

🧹 Maintenance

  • Clear Limits - reset all request counters
  • Clear Logs - delete log files
  • Automatic Cleanup - configurable auto-cleanup of logs

📊 Statistics

  • Protection Coverage - percentage of protected API routes
  • Active Rules - number of configured rules
  • Discovered Plugins - automatic API detection

🔌 Automatic API Discovery

The plugin automatically scans all API routes and applies its rules to them:

🎯 Automatic Discovery:

The plugin discovers all API routes in the system by scanning the Laravel route collection:

  • Azuriom Core API - built-in endpoints (/api/auth/*, /api/posts, /api/servers)
  • Installed Plugins - detected automatically by namespace (Azuriom\Plugin\PluginName\*)
  • Custom APIs - any routes starting with api/
  • Admin APIs - administrative endpoints with api in path

Examples of discovered plugins:

  • SkinApi - skins and avatars API
  • Shop - payment notification API
  • Vote - voting callback API
  • AuthMe - AuthMe integration
  • ApiLimiter - own testing endpoints
  • Any other plugins with API routes

🔍 Automatic Categorization:

  • Core - Azuriom endpoints (Azuriom\Http\Controllers\Api\*)
  • Plugin - plugin endpoints (Azuriom\Plugin\PluginName\*)
  • Unknown - unidentified sources (treated as Core)

⚡ Performance

  • Settings Caching - settings cached for 1 hour
  • Optimized Queries - minimal performance impact
  • Laravel Rate Limiter - uses built-in Laravel mechanisms
  • Separate Logs - doesn't clutter main Laravel logs
  • Compact Logging - single-line record format

🔒 Security

🛡️ Attack Protection:

  • DDoS Protection - prevents API attacks
  • Brute Force Protection - limits authentication attempts
  • Fair Usage - equal access for all users

🔐 Additional Security:

  • Admin Protection - requires api-limiter.manage permission
  • Settings Validation - configuration correctness check
  • Safe Defaults - conservative default settings

🛠️ Update Resilience:

  • Fallback Modes - 4 degradation levels during failures
  • Automatic Recovery - self-diagnosis and repair
  • Emergency Mode - pass all requests during critical failures

📋 Requirements

  • Azuriom CMS 1.2.0+
  • PHP 8.1+
  • Laravel 9.0+

🆘 Support

If you encounter issues:

  1. Check Laravel logs in storage/logs/
  2. Make sure the plugin is activated
  3. Check settings in admin panel
  4. Clear cache: php artisan cache:clear

📄 License

MIT License - free use and modification.

The plugin was generated using the claude-4-sonnet model in the Cursor IDE in about 200 requests.

Created for the Azuriom Community 🚀

Information

  • Author: Aspirchik
  • Type: Plugin
  • Version: 1.0.0
  • Downloads: 2
  • Released: June 21, 2025 at 1:04 PM
  • Updated: June 22, 2025 at 4:10 PM