caddy/snippets/rate-limit/default.snippet

# caddy/snippets/rate-limit/default.snippet
# Uses the caddy-ratelimit plugin. Applied to login-ish endpoints so a
# brute-force attempt gets slowed to a crawl without locking out LAN
# clients.

rate_limit {
    zone auth_ip {
        key {remote_host}
        events 20
        window 1m
    }
    zone auth_path {
        match {
            path /login /api/authz/first-factor /api/firstfactor /signin
        }
        events 30
        window 5m
    }
}