Why am I being rate limited?

Rate limiting in AMP

AMP uses rate limiting to help protect against denial-of-service or brute force attacks.

If a single IP address makes too many failed login attempts within a given time window, AMP won’t just refuse the request; it won’t even attempt to process it.

Why am I being rate limited?

There are a few likely causes for unexpected rate limiting:

Cloud-based proxies (Cloudflare, etc.)

If you are using a cloud-based proxy service, it may not be possible to know what IP address the requests will be coming from; in that case it will be necessary to disable rate limiting.

Improper Reverse Proxy configuration

If your reverse proxy isn’t configured properly, AMP may see all login requests as coming from the same IP address. This may mean that failed attempts by other users to log in affect all users.

Two things must be correctly set up when using a reverse proxy:

  • The X-Forwarded-For header set in the reverse proxy configuration must correctly pass the original client IP on to AMP.
  • The ReverseProxyHosts setting in AMPConfig.conf must include the IP address of the reverse proxy so that AMP knows it can be trusted.

Too many failed login attempts

If you have made too many failed login attempts either manually or by way of a misbehaving browser extension, you may well be rate limited for a period.

Adjusting or Disabling Rate Limiting

Restarting AMP will temporarily lift any rate limits in effect so you can make changes via the web interface. If that’s not possible, adjust this manually via the configuration file.

We recommend against disabling rate limiting if at all possible for your own security.

Via Web Interface

Under Configuration, select “Security and Privacy” and the first “Policies” subcategory.

From here you can either disable login rate limiting entirely, or increase the time window and number of attempts to make it less sensitive.

Manually via Configuration File

Find the AMPConfig.conf file for the ADS01 instance. Shut down the ADS01 instance by running ampinstmgr stop ADS01 and edit the following lines:

Security.RateLimitLogins=true
Security.AuthFailureTimeWindow=5
Security.AuthFailureAttemptsInWindow=5

You can either set RateLimitLogins to false to disable rate limiting, or increase the other two values to make it less sensitive.

Then restart ADS01 by running ampinstmgr start ADS01.
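As an added illustration (not AMP’s own code), here is a small Python model of the two behaviours described above: the trusted-proxy check that decides which IP a login is attributed to, and the failed-attempt window controlled by the two Security.AuthFailure* values. The proxy address 10.0.0.2 and the client addresses in the demo are made up.

```python
# Added model of the rate limiting and trusted-proxy logic described on this page; not AMP's code.
from collections import defaultdict, deque
from ipaddress import ip_address

AUTH_FAILURE_TIME_WINDOW_MIN = 5      # mirrors Security.AuthFailureTimeWindow
AUTH_FAILURE_ATTEMPTS_IN_WINDOW = 5   # mirrors Security.AuthFailureAttemptsInWindow

class LoginRateLimiter:
    def __init__(self, reverse_proxy_hosts, rate_limit_logins=True,
                 window_min=AUTH_FAILURE_TIME_WINDOW_MIN, attempts=AUTH_FAILURE_ATTEMPTS_IN_WINDOW):
        self.trusted = {ip_address(h) for h in reverse_proxy_hosts}  # like ReverseProxyHosts
        self.enabled = rate_limit_logins                              # like RateLimitLogins
        self.window_s = window_min * 60
        self.attempts = attempts
        self.failures = defaultdict(deque)  # attributed client IP -> failure timestamps

    def client_ip(self, peer_ip, headers):
        """Honour X-Forwarded-For only when the direct peer is a trusted proxy."""
        xff = headers.get("x-forwarded-for")
        if xff and ip_address(peer_ip) in self.trusted:
            return xff.split(",")[0].strip()  # left-most entry is the original client
        return peer_ip  # untrusted proxy: every user behind it shares one IP

    def is_limited(self, ip, now):
        if not self.enabled:
            return False
        q = self.failures[ip]
        while q and now - q[0] > self.window_s:  # forget failures outside the window
            q.popleft()
        return len(q) >= self.attempts

    def attempt_login(self, peer_ip, headers, password_ok, now):
        """Return 'limited', 'ok' or 'failed'; a limited request is not processed at all."""
        ip = self.client_ip(peer_ip, headers)
        if self.is_limited(ip, now):
            return "limited"
        if password_ok:
            return "ok"
        self.failures[ip].append(now)
        return "failed"

def demo(trust_proxy):
    """Constructed scenario: two users behind proxy 10.0.0.2; A fails 5 times, then B logs in."""
    rl = LoginRateLimiter(["10.0.0.2"] if trust_proxy else [])
    for i in range(AUTH_FAILURE_ATTEMPTS_IN_WINDOW):
        rl.attempt_login("10.0.0.2", {"x-forwarded-for": "203.0.113.10"}, False, now=i)
    return rl.attempt_login("10.0.0.2", {"x-forwarded-for": "198.51.100.7"}, True, now=10)
```

With the proxy absent from the trusted list, demo(False) returns "limited" for user B even though B has never failed, which is exactly the symptom in the reverse proxy section; demo(True) returns "ok".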
