From 24e40f11534d8ec1ed7fc4a8542acb8105ef2efa Mon Sep 17 00:00:00 2001 From: Hugh Brown Date: Wed, 4 Mar 2026 11:36:22 -0700 Subject: [PATCH] docs: update operations README for configurable rate-limit backend Co-Authored-By: Claude Opus 4.6 --- docs/operations/README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/operations/README.md b/docs/operations/README.md index 23bbd716..123d771a 100644 --- a/docs/operations/README.md +++ b/docs/operations/README.md @@ -75,7 +75,7 @@ Rollback typically means deploying a previous image/commit. ## Rate limiting -The backend applies in-memory per-IP rate limits on sensitive endpoints: +The backend applies per-IP rate limits on sensitive endpoints: | Endpoint | Limit | Window | | --- | --- | --- | @@ -84,7 +84,14 @@ The backend applies in-memory per-IP rate limits on sensitive endpoints: Rate-limited requests receive HTTP `429 Too Many Requests`. -The limiter is in-memory and per-process. If running multiple backend processes behind a load balancer, each process tracks limits independently. For production multi-process deployments, also apply rate limiting at the reverse proxy layer (nginx `limit_req`, Caddy rate limiting, etc.). +Set `RATE_LIMIT_BACKEND` to choose the storage backend: + +| Backend | Value | Operational notes | +| --- | --- | --- | +| In-memory (default) | `memory` | Per-process limits; each worker tracks independently. No external dependencies. | +| Redis | `redis` | Limits are shared across all workers. Set `RATE_LIMIT_REDIS_URL` or it falls back to `RQ_REDIS_URL`. Connectivity is validated at startup; transient Redis failures fail open (requests allowed, warning logged). | + +When using the in-memory backend in multi-process deployments, also apply rate limiting at the reverse proxy layer (nginx `limit_req`, Caddy rate limiting, etc.). ## Common issues