mholt / caddy-ratelimit

HTTP rate limiting module for Caddy 2
Apache License 2.0
237 stars 16 forks

Rate limit not applied across wildcard subdomains #65

Closed ElegantSoft closed 3 weeks ago

ElegantSoft commented 3 weeks ago

I am using Caddy with the caddy-ratelimit module to set rate limits on wildcard subdomains (e.g., *.example.com). While the rate limiting works as expected for individual subdomains, it doesn't seem to apply across wildcard subdomains as intended.

Steps to Reproduce:

1. Set up rate limiting for a wildcard subdomain pattern like *.example.com.
2. Make repeated requests (e.g., 10 times) to a subdomain like abc.example.com until hitting the rate limit and receiving a 429 Too Many Requests response.
3. After hitting the limit on abc.example.com, switch to another subdomain like abc1.example.com. The new subdomain is treated as a fresh request, and no rate limit is applied initially for the first request (the first request always works).

Expected Behavior: The rate limit should be enforced across all wildcard subdomains under *.example.com, not per individual subdomain. Once a user hits the rate limit on one subdomain, they should not be able to bypass it by switching to another subdomain.

Actual Behavior: The rate limit is being enforced only on individual subdomains. Once a user hits the limit on abc.example.com, they can bypass the limit by using a new subdomain such as abc1.example.com, which resets the rate limit for that subdomain.
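The behaviour described in this report comes down to what goes into the rate-limit key: a counter is shared only between requests that produce the same key, so a key that includes the host gives every subdomain its own budget, while a key built from the client identity alone makes the budget span all hosts. The following Go program is an added illustration of that point, not code from caddy-ratelimit and not a statement about how the reporter configured it; the `Limiter`, `Request` and key functions are hypothetical, and the client address 198.51.100.7 is a constructed sample value.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limiter is a minimal sliding-window rate limiter (hypothetical, not the
// module's implementation): at most `events` requests per `window`, with a
// separate counter for every distinct key string.
type Limiter struct {
	mu     sync.Mutex
	events int
	window time.Duration
	hits   map[string][]time.Time
}

func NewLimiter(events int, window time.Duration) *Limiter {
	return &Limiter{events: events, window: window, hits: map[string][]time.Time{}}
}

// Allow records a request for key at time now and reports whether it is within
// the limit. Timestamps that have fallen out of the window are discarded first.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff := now.Add(-l.window)
	kept := l.hits[key][:0]
	for _, t := range l.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.events {
		l.hits[key] = kept
		return false // budget for this key is exhausted
	}
	l.hits[key] = append(kept, now)
	return true
}

// Request carries the two attributes a key function may look at.
type Request struct {
	RemoteIP string
	Host     string
}

// KeyFunc decides which requests share one counter.
type KeyFunc func(Request) string

// ByClient keys on the client only: all subdomains share one budget.
func ByClient(r Request) string { return r.RemoteIP }

// ByHostAndClient keys on host and client: each subdomain gets its own budget,
// so a client that is limited on one host starts fresh on the next.
func ByHostAndClient(r Request) string { return r.Host + "|" + r.RemoteIP }

// Simulate sends perHost requests to each host in turn from a single client
// (constructed address 198.51.100.7) and returns how many were allowed and
// how many were rejected. The clock is simulated so the run is deterministic.
func Simulate(keyOf KeyFunc, events int, hosts []string, perHost int) (allowed, rejected int) {
	lim := NewLimiter(events, time.Minute)
	now := time.Unix(0, 0)
	for _, h := range hosts {
		for i := 0; i < perHost; i++ {
			now = now.Add(time.Second) // one request per second, all inside the window
			if lim.Allow(keyOf(Request{RemoteIP: "198.51.100.7", Host: h}), now) {
				allowed++
			} else {
				rejected++
			}
		}
	}
	return allowed, rejected
}

func main() {
	hosts := []string{"abc.example.com", "abc1.example.com"}
	a, r := Simulate(ByClient, 10, hosts, 10)
	fmt.Printf("client-only key:    allowed=%d rejected=%d\n", a, r)
	a, r = Simulate(ByHostAndClient, 10, hosts, 10)
	fmt.Printf("host+client key:    allowed=%d rejected=%d\n", a, r)
}
```

With a limit of 10 events and 10 requests to each of two subdomains, the client-only key allows 10 and rejects 10 (the second host inherits the exhausted budget), while the host-scoped key allows all 20. When checking a deployment for the symptom in this report, the thing to look at is therefore whether the configured key, or a separate limiter per site block, is what scopes the counter to the host.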

mholt commented 3 weeks ago

Did you mean to close this?