vsthrottle - Rate-limiting/throttling (v4 and later)

A Varnish vmod for rate-limiting traffic on a single Varnish server. Offers a simple interface for throttling traffic on a per-key basis to a specific request rate.

Keys can be specified from any VCL string, e.g. based on client.ip, a specific cookie value, an API token, etc.

The request rate is specified as the number of requests permitted over a period. To keep things simple, this is passed as two separate parameters, 'limit' and 'period'.

Example usage:

sub vcl_recv {
      if (vsthrottle.is_denied(client.identity, 15, 10s)) {

          # Client has exceeded 15 reqs per 10s
          return (synth(429, "Too Many Requests"));


This VMOD implements a token-bucket algorithm. State associated with the token bucket for each key is stored in-memory using BSD's red-black tree implementation.

Memory usage is around 100 bytes per key tracked.

Used in production
Varnish version supported: 
Commercial support: