10861086 </ span >
10871087 </ a >
10881088
1089+ </ li >
1090+
1091+ < li class ="md-nav__item ">
1092+ < a href ="#per-ip-rate-limiting " class ="md-nav__link ">
1093+ < span class ="md-ellipsis ">
1094+
1095+ Per-IP Rate Limiting
1096+
1097+ </ span >
1098+ </ a >
1099+
10891100</ li >
10901101
10911102 < li class ="md-nav__item ">
15801591 </ span >
15811592 </ a >
15821593
1594+ </ li >
1595+
1596+ < li class ="md-nav__item ">
1597+ < a href ="#per-ip-rate-limiting " class ="md-nav__link ">
1598+ < span class ="md-ellipsis ">
1599+
1600+ Per-IP Rate Limiting
1601+
1602+ </ span >
1603+ </ a >
1604+
15831605</ li >
15841606
15851607 < li class ="md-nav__item ">
@@ -1728,16 +1750,37 @@ <h2 id="per-secret-quotas">Per-Secret Quotas<a class="headerlink" href="#per-sec
17281750< li > < strong > Stats:</ strong > < code > secret_guest_quota 10737418240</ code > , < code > secret_guest_bytes_total 5368709120</ code > , < code > secret_guest_rejected_quota 3</ code > </ li >
17291751< li > < strong > Prometheus:</ strong > < code > teleproxy_secret_quota_bytes{secret="guest"} 10737418240</ code > , < code > teleproxy_secret_bytes_total{secret="guest"} 5368709120</ code > </ li >
17301752</ ul >
1731- < h2 id ="per-secret-unique- ip-limits "> Per-Secret Unique IP Limits < a class ="headerlink " href ="#per-secret-unique- ip-limits " title ="Permanent link "> ¶</ a > </ h2 >
1732- < p > Cap how many distinct client IPs can use a secret simultaneously. Additional connections from an already-connected IP are allowed .</ p >
1753+ < h2 id ="per-ip-rate-limiting "> Per-IP Rate Limiting < a class ="headerlink " href ="#per-ip-rate-limiting " title ="Permanent link "> ¶</ a > </ h2 >
1754+ < p > Cap real-time throughput per source IP. Uses a token bucket algorithm — each IP gets a bucket that refills at the configured rate. When the bucket is empty, reads are paused until tokens refill. Unlike quota (which closes connections), rate limiting throttles via TCP backpressure — users see slower speeds, not dropped connections .</ p >
17331755< p > TOML config:</ p >
17341756< div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-11-1 " name ="__codelineno-11-1 " href ="#__codelineno-11-1 "> </ a > < span class ="k "> [[secret]]</ span >
17351757< a id ="__codelineno-11-2 " name ="__codelineno-11-2 " href ="#__codelineno-11-2 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "cafe...ab"</ span >
1736- < a id ="__codelineno-11-3 " name ="__codelineno-11-3 " href ="#__codelineno-11-3 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "guest "</ span >
1737- < a id ="__codelineno-11-4 " name ="__codelineno-11-4 " href ="#__codelineno-11-4 "> </ a > < span class ="n "> max_ips </ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi " > 5 </ span >
1758+ < a id ="__codelineno-11-3 " name ="__codelineno-11-3 " href ="#__codelineno-11-3 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "shared "</ span >
1759+ < a id ="__codelineno-11-4 " name ="__codelineno-11-4 " href ="#__codelineno-11-4 "> </ a > < span class ="n "> rate_limit </ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 " > "10M" </ span > < span class =" w " > </ span > < span class =" c1 " > # 10 MB/s per IP (accepts: bytes/sec int, or "500K", "10M") </ span >
17381760</ code > </ pre > </ div >
17391761< p > Docker:</ p >
1740- < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-12-1 " name ="__codelineno-12-1 " href ="#__codelineno-12-1 "> </ a > < span class ="nv "> SECRET_MAX_IPS_1</ span > < span class ="o "> =</ span > < span class ="m "> 5</ span >
1762+ < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-12-1 " name ="__codelineno-12-1 " href ="#__codelineno-12-1 "> </ a > < span class ="nv "> SECRET_RATE_LIMIT_1</ span > < span class ="o "> =</ span > < span class ="m "> 10485760</ span > < span class ="w "> </ span > < span class ="c1 "> # 10 MB/s in bytes/sec</ span >
1763+ < a id ="__codelineno-12-2 " name ="__codelineno-12-2 " href ="#__codelineno-12-2 "> </ a > < span class ="c1 "> # or human-readable:</ span >
1764+ < a id ="__codelineno-12-3 " name ="__codelineno-12-3 " href ="#__codelineno-12-3 "> </ a > < span class ="nv "> SECRET_RATE_LIMIT_1</ span > < span class ="o "> =</ span > 10M
1765+ </ code > </ pre > </ div >
1766+ < p > The rate limit is combined (received + sent) per source IP. Burst size is 1 second of tokens — a new connection can burst up to the rate limit before throttling kicks in.</ p >
1767+ < p > Multi-worker note: with < code > -M N</ code > workers, each enforces < code > rate_limit / N</ code > independently.</ p >
1768+ < p > Reloadable: changing < code > rate_limit</ code > on SIGHUP takes effect immediately for new data.</ p >
1769+ < p > Metrics:</ p >
1770+ < ul >
1771+ < li > < strong > Stats:</ strong > < code > secret_shared_rate_limit 10485760</ code > , < code > secret_shared_rate_limited 42</ code > </ li >
1772+ < li > < strong > Prometheus:</ strong > < code > teleproxy_secret_rate_limit_bytes{secret="shared"} 10485760</ code > , < code > teleproxy_secret_rate_limited_total{secret="shared"} 42</ code > </ li >
1773+ </ ul >
1774+ < h2 id ="per-secret-unique-ip-limits "> Per-Secret Unique IP Limits< a class ="headerlink " href ="#per-secret-unique-ip-limits " title ="Permanent link "> ¶</ a > </ h2 >
1775+ < p > Cap how many distinct client IPs can use a secret simultaneously. Additional connections from an already-connected IP are allowed.</ p >
1776+ < p > TOML config:</ p >
1777+ < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-13-1 " name ="__codelineno-13-1 " href ="#__codelineno-13-1 "> </ a > < span class ="k "> [[secret]]</ span >
1778+ < a id ="__codelineno-13-2 " name ="__codelineno-13-2 " href ="#__codelineno-13-2 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "cafe...ab"</ span >
1779+ < a id ="__codelineno-13-3 " name ="__codelineno-13-3 " href ="#__codelineno-13-3 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "guest"</ span >
1780+ < a id ="__codelineno-13-4 " name ="__codelineno-13-4 " href ="#__codelineno-13-4 "> </ a > < span class ="n "> max_ips</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 5</ span >
1781+ </ code > </ pre > </ div >
1782+ < p > Docker:</ p >
1783+ < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-14-1 " name ="__codelineno-14-1 " href ="#__codelineno-14-1 "> </ a > < span class ="nv "> SECRET_MAX_IPS_1</ span > < span class ="o "> =</ span > < span class ="m "> 5</ span >
17411784</ code > </ pre > </ div >
17421785< p > Metrics:</ p >
17431786< ul >
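Review bot: The multi-worker paragraph ("each enforces rate_limit / N independently") does not tell the reader what cap a client actually sees. If all of an IP's connections land on one worker, that IP is held to rate_limit / N, not the configured value. The text should say so, and say how the division rounds for small limits. The section is also titled per-IP while rate_limit is set under [[secret]] and both metrics are labelled by secret, so it should state whether an IP using two secrets shares one bucket or gets one per secret. Minor: the examples equate "10M" with 10485760, so the "10 MB/s" comments would be more accurate as MiB/s.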
@@ -1747,15 +1790,15 @@ <h2 id="per-secret-unique-ip-limits">Per-Secret Unique IP Limits<a class="header
17471790< h2 id ="secret-expiration "> Secret Expiration< a class ="headerlink " href ="#secret-expiration " title ="Permanent link "> ¶</ a > </ h2 >
17481791< p > Auto-disable a secret after a timestamp. New connections are rejected; existing connections continue until they close naturally.</ p >
17491792< p > TOML config:</ p >
1750- < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-13 -1 " name ="__codelineno-13 -1 " href ="#__codelineno-13 -1 "> </ a > < span class ="k "> [[secret]]</ span >
1751- < a id ="__codelineno-13 -2 " name ="__codelineno-13 -2 " href ="#__codelineno-13 -2 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "cafe...ab"</ span >
1752- < a id ="__codelineno-13 -3 " name ="__codelineno-13 -3 " href ="#__codelineno-13 -3 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "temp"</ span >
1753- < a id ="__codelineno-13 -4 " name ="__codelineno-13 -4 " href ="#__codelineno-13 -4 "> </ a > < span class ="n "> expires</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="ld "> 2025-06-30T23:59:59Z</ span > < span class ="w "> </ span > < span class ="c1 "> # TOML datetime (UTC)</ span >
1754- < a id ="__codelineno-13 -5 " name ="__codelineno-13 -5 " href ="#__codelineno-13 -5 "> </ a > < span class ="c1 "> # or: expires = 1751327999 # Unix timestamp</ span >
1793+ < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-15 -1 " name ="__codelineno-15 -1 " href ="#__codelineno-15 -1 "> </ a > < span class ="k "> [[secret]]</ span >
1794+ < a id ="__codelineno-15 -2 " name ="__codelineno-15 -2 " href ="#__codelineno-15 -2 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "cafe...ab"</ span >
1795+ < a id ="__codelineno-15 -3 " name ="__codelineno-15 -3 " href ="#__codelineno-15 -3 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "temp"</ span >
1796+ < a id ="__codelineno-15 -4 " name ="__codelineno-15 -4 " href ="#__codelineno-15 -4 "> </ a > < span class ="n "> expires</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="ld "> 2025-06-30T23:59:59Z</ span > < span class ="w "> </ span > < span class ="c1 "> # TOML datetime (UTC)</ span >
1797+ < a id ="__codelineno-15 -5 " name ="__codelineno-15 -5 " href ="#__codelineno-15 -5 "> </ a > < span class ="c1 "> # or: expires = 1751327999 # Unix timestamp</ span >
17551798</ code > </ pre > </ div >
17561799< p > Docker:</ p >
1757- < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-14 -1 " name ="__codelineno-14 -1 " href ="#__codelineno-14 -1 "> </ a > < span class ="nv "> SECRET_EXPIRES_1</ span > < span class ="o "> =</ span > < span class ="m "> 2025</ span > -06-30T23:59:59Z
1758- < a id ="__codelineno-14 -2 " name ="__codelineno-14 -2 " href ="#__codelineno-14 -2 "> </ a > < span class ="c1 "> # or: SECRET_EXPIRES_1=1751327999</ span >
1800+ < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-16 -1 " name ="__codelineno-16 -1 " href ="#__codelineno-16 -1 "> </ a > < span class ="nv "> SECRET_EXPIRES_1</ span > < span class ="o "> =</ span > < span class ="m "> 2025</ span > -06-30T23:59:59Z
1801+ < a id ="__codelineno-16 -2 " name ="__codelineno-16 -2 " href ="#__codelineno-16 -2 "> </ a > < span class ="c1 "> # or: SECRET_EXPIRES_1=1751327999</ span >
17591802</ code > </ pre > </ div >
17601803< p > Metrics:</ p >
17611804< ul >
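Review bot: Generated-output churn: the removed and added lines in this hunk differ only in the anchor ids (__codelineno-13-* to __codelineno-15-*, __codelineno-14-* to __codelineno-16-*), while the Secret Expiration text and examples are identical. If this HTML is built from a source document, review the change there and keep the rendered output out of the commit, or at least call out in the commit message that this hunk is renumbering only.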
@@ -1764,21 +1807,23 @@ <h2 id="secret-expiration">Secret Expiration<a class="headerlink" href="#secret-
17641807</ ul >
17651808< h2 id ="toml-config-example "> TOML Config Example< a class ="headerlink " href ="#toml-config-example " title ="Permanent link "> ¶</ a > </ h2 >
17661809< p > All per-secret features combined:</ p >
1767- < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-15-1 " name ="__codelineno-15-1 " href ="#__codelineno-15-1 "> </ a > < span class ="k "> [[secret]]</ span >
1768- < a id ="__codelineno-15-2 " name ="__codelineno-15-2 " href ="#__codelineno-15-2 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "cafe01234567890abcafe01234567890a"</ span >
1769- < a id ="__codelineno-15-3 " name ="__codelineno-15-3 " href ="#__codelineno-15-3 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "family"</ span >
1770- < a id ="__codelineno-15-4 " name ="__codelineno-15-4 " href ="#__codelineno-15-4 "> </ a > < span class ="n "> limit</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 100</ span >
1771- < a id ="__codelineno-15-5 " name ="__codelineno-15-5 " href ="#__codelineno-15-5 "> </ a > < span class ="n "> quota</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "50G"</ span >
1772- < a id ="__codelineno-15-6 " name ="__codelineno-15-6 " href ="#__codelineno-15-6 "> </ a > < span class ="n "> max_ips</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 10</ span >
1773- < a id ="__codelineno-15-7 " name ="__codelineno-15-7 " href ="#__codelineno-15-7 "> </ a > < span class ="n "> expires</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="ld "> 2026-12-31T23:59:59Z</ span >
1774- < a id ="__codelineno-15-8 " name ="__codelineno-15-8 " href ="#__codelineno-15-8 "> </ a >
1775- < a id ="__codelineno-15-9 " name ="__codelineno-15-9 " href ="#__codelineno-15-9 "> </ a > < span class ="k "> [[secret]]</ span >
1776- < a id ="__codelineno-15-10 " name ="__codelineno-15-10 " href ="#__codelineno-15-10 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "dead01234567890abcead01234567890a"</ span >
1777- < a id ="__codelineno-15-11 " name ="__codelineno-15-11 " href ="#__codelineno-15-11 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "guest"</ span >
1778- < a id ="__codelineno-15-12 " name ="__codelineno-15-12 " href ="#__codelineno-15-12 "> </ a > < span class ="n "> limit</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 50</ span >
1779- < a id ="__codelineno-15-13 " name ="__codelineno-15-13 " href ="#__codelineno-15-13 "> </ a > < span class ="n "> quota</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "5G"</ span >
1780- < a id ="__codelineno-15-14 " name ="__codelineno-15-14 " href ="#__codelineno-15-14 "> </ a > < span class ="n "> max_ips</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 3</ span >
1781- < a id ="__codelineno-15-15 " name ="__codelineno-15-15 " href ="#__codelineno-15-15 "> </ a > < span class ="n "> expires</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="ld "> 2025-06-30T00:00:00Z</ span >
1810+ < div class ="highlight "> < pre > < span > </ span > < code > < a id ="__codelineno-17-1 " name ="__codelineno-17-1 " href ="#__codelineno-17-1 "> </ a > < span class ="k "> [[secret]]</ span >
1811+ < a id ="__codelineno-17-2 " name ="__codelineno-17-2 " href ="#__codelineno-17-2 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "cafe01234567890abcafe01234567890a"</ span >
1812+ < a id ="__codelineno-17-3 " name ="__codelineno-17-3 " href ="#__codelineno-17-3 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "family"</ span >
1813+ < a id ="__codelineno-17-4 " name ="__codelineno-17-4 " href ="#__codelineno-17-4 "> </ a > < span class ="n "> limit</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 100</ span >
1814+ < a id ="__codelineno-17-5 " name ="__codelineno-17-5 " href ="#__codelineno-17-5 "> </ a > < span class ="n "> quota</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "50G"</ span >
1815+ < a id ="__codelineno-17-6 " name ="__codelineno-17-6 " href ="#__codelineno-17-6 "> </ a > < span class ="n "> rate_limit</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "10M"</ span >
1816+ < a id ="__codelineno-17-7 " name ="__codelineno-17-7 " href ="#__codelineno-17-7 "> </ a > < span class ="n "> max_ips</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 10</ span >
1817+ < a id ="__codelineno-17-8 " name ="__codelineno-17-8 " href ="#__codelineno-17-8 "> </ a > < span class ="n "> expires</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="ld "> 2026-12-31T23:59:59Z</ span >
1818+ < a id ="__codelineno-17-9 " name ="__codelineno-17-9 " href ="#__codelineno-17-9 "> </ a >
1819+ < a id ="__codelineno-17-10 " name ="__codelineno-17-10 " href ="#__codelineno-17-10 "> </ a > < span class ="k "> [[secret]]</ span >
1820+ < a id ="__codelineno-17-11 " name ="__codelineno-17-11 " href ="#__codelineno-17-11 "> </ a > < span class ="n "> key</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "dead01234567890abcead01234567890a"</ span >
1821+ < a id ="__codelineno-17-12 " name ="__codelineno-17-12 " href ="#__codelineno-17-12 "> </ a > < span class ="n "> label</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "guest"</ span >
1822+ < a id ="__codelineno-17-13 " name ="__codelineno-17-13 " href ="#__codelineno-17-13 "> </ a > < span class ="n "> limit</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 50</ span >
1823+ < a id ="__codelineno-17-14 " name ="__codelineno-17-14 " href ="#__codelineno-17-14 "> </ a > < span class ="n "> quota</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "5G"</ span >
1824+ < a id ="__codelineno-17-15 " name ="__codelineno-17-15 " href ="#__codelineno-17-15 "> </ a > < span class ="n "> rate_limit</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="s2 "> "2M"</ span >
1825+ < a id ="__codelineno-17-16 " name ="__codelineno-17-16 " href ="#__codelineno-17-16 "> </ a > < span class ="n "> max_ips</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="mi "> 3</ span >
1826+ < a id ="__codelineno-17-17 " name ="__codelineno-17-17 " href ="#__codelineno-17-17 "> </ a > < span class ="n "> expires</ span > < span class ="w "> </ span > < span class ="o "> =</ span > < span class ="w "> </ span > < span class ="ld "> 2025-06-30T00:00:00Z</ span >
17821827</ code > </ pre > </ div >
17831828
17841829
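Review bot: Both key values in the combined example ("cafe01234567890abcafe01234567890a" and "dead01234567890abcead01234567890a") are 33 hex characters, an odd length that cannot decode to whole bytes, so the block cannot be used as written if the key is parsed as hex. The lines are being rewritten here anyway to add rate_limit, so this is a good point to replace them with obviously fake keys of the correct length or with the elided "cafe...ab" form used in the earlier sections.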