newb question: what's the actual use case of `ash_rate_limiter`?

Hello! Sorry, maybe I'm writing a dumb question, but here I go: isn't rate limiting a web concern, meaning something that belongs to the "plug and phoenix" layer? Therefore, what does Ash have to do with it? Why wouldn't I just use hammer, plug it in, and call it a day? Context: I just deployed a site, and I see in the logs bursts of malicious activity, e.g.
```text
2025-09-04 10:01:59.648
08:01:59.647 request_id=GGIFj8OMo7k0gesAAAaR [info] Sent 404 in 152µs
2025-09-04 10:01:59.647
08:01:59.647 request_id=GGIFj8OMo7k0gesAAAaR [info] GET //wp-includes/ID3/license.txt
2025-09-04 10:00:41.754
08:00:41.753 request_id=GGIFfaC4YWlVLQcAAAaB [info] Sent 404 in 150µs
2025-09-04 10:00:41.754
08:00:41.753 request_id=GGIFfaC4YWlVLQcAAAaB [info] GET /wp-admin/setup-config.php
2025-09-04 09:59:00.177
07:59:00.176 request_id=GGIFZfo-JjCMdd0AAAZx [info] Sent 404 in 161µs
2025-09-04 09:59:00.176
07:59:00.176 request_id=GGIFZfo-JjCMdd0AAAZx [info] GET /wordpress/wp-admin/setup-config.php
```
So I searched for a rate-limiter and ash_rate_limiter popped up.
venir.dev (OP), 5w ago
Ok, I'll answer myself on this one. As a post-mortem, I'll write down what I've learned today:

1. Rate limiting can refer to a resource, not just an endpoint; AFAIK one could rate limit an Ash resource, and having a ready-made Ash plugin to do that is great.
2. Rate limiting can also be applied to endpoints, or maybe the whole web application. This can be a good initial and "general" strategy, to exclude obvious attacks or unintended uses of the web app.
3. The above problem (bots hitting WordPress endpoints searching for vulnerabilities) isn't solvable by rate limiting, as the server then answers anyway (429 instead of 404, possibly placing an overhead on the server).

I'll mark the above message as "solution" once someone confirms or denies my claims (:
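To make point 2 and point 3 concrete, here is an added example of the "whole web application" kind of limiter: a Plug that counts requests per client IP in a fixed time window and answers 429 once a limit is exceeded. This is example code written for this thread, not code from the original post, from `ash_rate_limiter`, or from Hammer; the module names `MyAppWeb.RateLimit.Store` and `MyAppWeb.Plugs.RateLimit`, the default limit of 60 requests per 60 seconds, and the use of Phoenix/Plug are all assumptions. The ETS table is owned by a small GenServer rather than created inside the plug, because a table created by the request process would vanish when that process exits.

```elixir
# Added example (not from the original post). Assumes a Phoenix app with Plug
# available; module names, limits and window size are illustrative choices.

defmodule MyAppWeb.RateLimit.Store do
  @moduledoc """
  Long-lived owner of the ETS counter table used by the rate-limiting plug.
  Keys are `{client_key, window_number}`; values are request counts.
  Add `{MyAppWeb.RateLimit.Store, window_ms: 60_000}` to the application's
  supervision tree so the table outlives individual request processes.
  """
  use GenServer

  @table :rate_limit_counters

  def start_link(opts), do: GenServer.start_link(__MODULE__, opts, name: __MODULE__)

  @doc "Increment the counter for `key` in the current window; returns the new count."
  def hit(key, window_ms) do
    window = div(System.system_time(:millisecond), window_ms)
    # 4-arity update_counter inserts `{{key, window}, 0}` first if the key is absent.
    :ets.update_counter(@table, {key, window}, {2, 1}, {{key, window}, 0})
  end

  @impl true
  def init(opts) do
    window_ms = Keyword.get(opts, :window_ms, 60_000)
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
    Process.send_after(self(), :sweep, window_ms)
    {:ok, %{window_ms: window_ms}}
  end

  @impl true
  def handle_info(:sweep, %{window_ms: window_ms} = state) do
    # Drop counters from windows older than the previous one so the table
    # does not grow without bound under a long-running scan.
    cutoff = div(System.system_time(:millisecond), window_ms) - 1
    :ets.select_delete(@table, [{{{:_, :"$1"}, :_}, [{:<, :"$1", cutoff}], [true]}])
    Process.send_after(self(), :sweep, window_ms)
    {:noreply, state}
  end
end

defmodule MyAppWeb.Plugs.RateLimit do
  @moduledoc """
  Fixed-window limiter keyed by client IP.
  Usage in a router pipeline or endpoint:
      plug MyAppWeb.Plugs.RateLimit, limit: 60, window_ms: 60_000
  """
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts) do
    %{limit: Keyword.get(opts, :limit, 60), window_ms: Keyword.get(opts, :window_ms, 60_000)}
  end

  @impl true
  def call(conn, %{limit: limit, window_ms: window_ms}) do
    # Behind a reverse proxy, `remote_ip` is the proxy's address unless an
    # upstream plug (e.g. one that reads X-Forwarded-For) has rewritten it.
    key = conn.remote_ip |> :inet.ntoa() |> to_string()
    count = MyAppWeb.RateLimit.Store.hit(key, window_ms)

    if count > limit do
      # The client still gets a response (429 instead of 404); the saving is
      # that routing, controllers and the database are skipped for it.
      conn
      |> put_resp_header("retry-after", Integer.to_string(div(window_ms, 1000)))
      |> send_resp(429, "Too Many Requests")
      |> halt()
    else
      conn
    end
  end
end
```

Reading the posted log lines against this limiter supports point 3: the three probes are roughly 80 to 100 seconds apart, so a 60-requests-per-minute rule would never fire on them, and even a stricter rule only swaps the 404 for a 429. What a limiter of this kind does protect is the expensive path (router, controllers, Ash actions, database) during a genuine burst, which is a different problem from the slow, scattered scanning shown in the logs.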
