RateLimiter.IISModule 1.0.1

.NET Framework 4.5 This package targets .NET Framework 4.5. The package is compatible with this framework or higher.
There is a newer version of this package available.
See the version list below for details. 
dotnet add package RateLimiter.IISModule --version 1.0.1
                    


                    

                
NuGet\Install-Package RateLimiter.IISModule -Version 1.0.1
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="RateLimiter.IISModule" Version="1.0.1" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="RateLimiter.IISModule" Version="1.0.1" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="RateLimiter.IISModule" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add RateLimiter.IISModule --version 1.0.1
                    


                    

                
#r "nuget: RateLimiter.IISModule, 1.0.1"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package RateLimiter.IISModule@1.0.1
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=RateLimiter.IISModule&version=1.0.1
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=RateLimiter.IISModule&version=1.0.1
                    


                            Install as a Cake Tool

IIS Rate Limiter Module

License: MIT .NET Framework

A custom IIS HTTP Module for subsystem-wise and API-wise rate limiting. Perfect for APIs that use custom authentication headers to identify clients/subsystems.

Features

  • Per-endpoint rate limiting - Different limits for different URLs
  • URL pattern matching - Wildcards support (* for segment, ** for any path)
  • HTTP method filtering - Different limits for GET vs POST
  • Client identification - IP address, API keys, custom headers
  • Request data analysis - Include query parameters and headers in rate limit key
  • JSON body parsing - Extract fields from request body for rate limiting
  • Sliding window algorithm - Smooth rate limiting without sharp resets
  • Configurable via JSON - Easy configuration without code changes

Installation

1. Build the Module

cd RateLimiter.IISModule
dotnet build -c Release

2. Deploy to Your Web Application

Copy the built DLL to your application's bin folder:

copy .\bin\Release\net48\RateLimiter.IISModule.dll C:\inetpub\wwwroot\YourApp\bin\
copy .\bin\Release\net48\Newtonsoft.Json.dll C:\inetpub\wwwroot\YourApp\bin\

3. Register the Module in web.config

Add to your application's web.config:

<configuration>
  <system.webServer>
    <modules>
      <add name="RateLimitingModule" 
           type="RateLimiter.IISModule.RateLimitingModule, RateLimiter.IISModule" 
           preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>

4. Configure Rate Limits

Create App_Data\ratelimit.config.json in your web application:

{
  "includeUrlInKey": true,
  "includeMethodInKey": true,
  "clientIdHeader": "X-API-Key",
  
  "defaultRule": {
    "name": "Default",
    "maxRequests": 100,
    "windowSeconds": 60
  },
  
  "rules": [
    {
      "name": "Login",
      "urlPattern": "/api/auth/login",
      "methods": ["POST"],
      "maxRequests": 5,
      "windowSeconds": 60,
      "priority": 100
    }
  ]
}

Configuration Options

Global Settings

Setting Type Description
includeUrlInKey bool Include URL path in rate limit key (per-endpoint limiting)
includeMethodInKey bool Include HTTP method in rate limit key
clientIdHeader string Custom header for client identification (e.g., "X-API-Key")
queryParametersToInclude string[] Query parameters to include in rate limit key
headersToInclude string[] Headers to include in rate limit key
whitelistedIPs string[] IPs that bypass rate limiting
excludedPaths string[] Paths excluded from rate limiting

Rate Limit Rules

Setting Type Description
name string Rule name for identification
urlPattern string URL pattern (* = segment, ** = any path)
methods string[] HTTP methods (empty = all)
maxRequests int Max requests allowed in window
windowSeconds int Time window in seconds
priority int Higher priority rules checked first
enabled bool Enable/disable rule

URL Pattern Examples

Pattern Matches
/api/users Exact match
/api/users/* /api/users/123, /api/users/abc
/api/** Any path under /api/
/api/*/profile /api/123/profile, /api/abc/profile

Response Headers

When rate limited, the module returns:

  • Status Code: 429 Too Many Requests
  • Retry-After: Seconds until the window resets
  • X-RateLimit-Limit: Maximum requests allowed
  • X-RateLimit-Window: Time window duration

Advanced Usage

Rate Limiting by Request Body Content

For advanced scenarios like rate limiting by user ID in the request body, you can extend the module to use RequestBodyAnalyzer:

// Extract fields from JSON body
var fields = RequestBodyAnalyzer.ExtractJsonFields(request, new[] { "userId", "action" });

// Include in rate limit key
foreach (var field in fields)
{
    keyParts.Add($"{field.Key}={field.Value}");
}

Combining with IIS Dynamic IP Restrictions

For defense in depth, combine this module with IIS's built-in IP restrictions:

<security>
  <dynamicIpSecurity denyAction="Forbidden">
    <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
    <denyByRequestRate enabled="true" maxRequests="100" requestIntervalInMilliseconds="1000" />
  </dynamicIpSecurity>
</security>

Troubleshooting

Module Not Loading

  1. Ensure .NET Framework 4.8 is installed
  2. Check Application Pool is using .NET 4.0 CLR
  3. Verify DLLs are in the bin folder

Rate Limits Not Applied

  1. Check the module is registered in web.config
  2. Verify ratelimit.config.json is in App_Data folder
  3. Check URL patterns match your endpoints

Performance Considerations

  • The module uses in-memory storage (fast but not distributed)
  • For web farm scenarios, consider Redis-based implementation
  • Cleanup runs every minute to prevent memory leaks

License

MIT License

Product Compatible and additional computed target framework versions.
.NET Framework net45 is compatible.  net451 is compatible.  net452 is compatible.  net46 is compatible.  net461 is compatible.  net462 is compatible.  net463 was computed.  net47 is compatible.  net471 is compatible.  net472 is compatible.  net48 is compatible.  net481 was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
1.0.5 99 1/19/2026
1.0.4 95 1/19/2026
1.0.2 98 1/19/2026
1.0.1 145 1/12/2026