How to rate-limit api routes?

[singh-inder]

The following steps will guide you on how to rate-limit your self hosted supabase instance's api routes based on user's ip address with caddy server

[singh-inder]

1. Update environment variables:

In supabase-automated-self-host/docker/.env file, add the following env vars:

CADDY_RATE_LIMIT_WINDOW='1m'
CADDY_RATE_LIMIT_COUNT=80

The above values will allow 80 requests/min. You can adjust the rate limit window/rate limit count acc. to your needs.
Take a look at these examples for supported time units for CADDY_RATE_LIMIT_WINDOW.

2. Update caddy service config:

In supabase-automated-self-host/docker/docker-compose.yml file, update the caddy service config:

services:
  caddy:
    container_name: caddy-container
    # 👇 UPDATED IMAGE. This is a caddy image built with caddy-ratelimit module. Repo: https://github.com/singh-inder/caddy-with-rate-limit
    image: ghcr.io/singh-inder/caddy-with-rate-limit:v1.1.0
    restart: unless-stopped
    environment:
      DOMAIN: ${SUPABASE_PUBLIC_URL:?error}
      # 👇 pass env vars to container
      CADDY_RATE_LIMIT_WINDOW: ${CADDY_RATE_LIMIT_WINDOW:?error}
      CADDY_RATE_LIMIT_COUNT: ${CADDY_RATE_LIMIT_COUNT:?error}
    ports:
      - 80:80
      - 443:443
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./volumes/caddy/caddy_data:/data
      - ./volumes/caddy/caddy_config:/config
    
    # ... rest of the services

3. Update Caddyfile:

Update supabase-automated-self-host/docker/volumes/caddy/Caddyfile:

If you've setup with authelia:

{$DOMAIN} {

        @supa_api path /rest/* /auth/* /realtime/* /storage/* /functions/*

        @authelia path /authenticate /authenticate/*
        route @authelia {
                reverse_proxy authelia:9091
        }


        route @supa_api {
            rate_limit {
                            zone my_zone {
                                    key {remote_host}
                                    window {$CADDY_RATE_LIMIT_WINDOW}
                                    events {$CADDY_RATE_LIMIT_COUNT}
                            }
                    }
                    reverse_proxy kong:8000
            }

        route {
            forward_auth authelia:9091 {
                        uri /api/authz/forward-auth

                        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                }

                    reverse_proxy studio:3000
            }

        handle_errors 429 {
                    respond "You're being rate limited"
            }

        header -server
}

If you've setup with basic username/password auth:

{$DOMAIN} {

        @supa_api path /rest/* /auth/* /realtime/* /storage/* /functions/*



        route @supa_api {
            rate_limit {
                            zone my_zone {
                                    key {remote_host}
                                    window {$CADDY_RATE_LIMIT_WINDOW}
                                    events {$CADDY_RATE_LIMIT_COUNT}
                            }
                    }
                    reverse_proxy kong:8000
            }

        route {
            basic_auth {
                            {$CADDY_AUTH_USERNAME} {$CADDY_AUTH_PASSWORD}
                    }

                    reverse_proxy studio:3000
            }

        handle_errors 429 {
                    respond "You're being rate limited"
            }

        header -server
}