I'm running an Apache web server, and I'd like to add some simple rate limiting per individual IP address.
I'm currently getting what appears to be a lot of bot requests hitting the website, and it's slowing down normal requests slightly.
I'd like to be able to add rate limiting to slow down the bots, whilst also not hindering crawls from Googlebot when it comes around. I'm guessing somewhere in the region of 20,000 requests/hour per IP should do it, probably less.
Anyway, what's the simplest method for adding rate limiting to Apache?
So far I've found a few options:
mod_security
mod_evasive
mod_ratelimit
mod_limitipconn
But there doesn't seem to be a clear and obvious solution.
Alternatively, it looks like using Nginx as a reverse proxy (and using the rate limiting built into that) would be another viable option. It looks easier to implement than what I've found so far for Apache as well. Although I'd prefer to just use Apache if there is a straightforward solution that I'm missing.
Fail2Ban seems like another simple solution, but I'm not sure if I could use it to return 429 response codes when a visitor is hitting the rate limit.
What would you recommend?
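Before settling on a figure such as the 20,000 requests/hour mentioned in the question, it helps to measure what each client actually sends. The following is an added example, not part of the original post: it counts requests per IP per clock hour from an access log and reports which clients would exceed a given limit. It assumes Apache's common/combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Prefix of the common/combined log format: client IP, identd, user, [timestamp]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def hourly_counts(lines):
    """Count requests per (client IP, UTC clock hour); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group(2), TS_FORMAT)
        except ValueError:
            continue
        # Normalise to UTC so entries logged with different offsets share buckets.
        hour = ts.astimezone(timezone.utc).replace(minute=0, second=0)
        counts[(m.group(1), hour)] += 1
    return counts

def over_limit(lines, limit_per_hour):
    """Return {ip: peak hourly count} for clients above the limit in any hour.

    Fixed clock-hour buckets: a burst straddling an hour boundary is split
    across two buckets, so treat the result as a lower bound.
    """
    peaks = {}
    for (ip, _hour), n in hourly_counts(lines).items():
        if n > limit_per_hour:
            peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks

def sample_log():
    """Constructed sample: one busy client, one quiet client, one malformed line."""
    fmt = '{ip} - - [10/Oct/2023:{h:02d}:{m:02d}:00 +0000] "GET /p/{m} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", h=13, m=m) for m in range(30)]
    lines += [fmt.format(ip="203.0.113.7", h=14, m=m) for m in range(3)]
    lines += [fmt.format(ip="198.51.100.4", h=13, m=m) for m in range(5)]
    lines.append("this line is not in access-log format")
    return lines

if __name__ == "__main__":
    # The sample is tiny, so a limit of 20 stands in for the real threshold.
    for ip, peak in over_limit(sample_log(), 20).items():
        print(f"{ip} peaked at {peak} requests in one hour")
```

Running `over_limit` against a real access log with the candidate limit shows whether legitimate crawlers would be caught before any module enforces it.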