DefGuard · wojcik91 · Apr 23, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -130,7 +130,8 @@ tonic-prost = "0.14"
 tonic-prost-build = "0.14"
 totp-lite = { version = "2.0" }
 tower = "0.5"
-tower-http = { version = "0.6", features = ["fs", "trace", "set-header"] }
+tower_governor = "0.8"
+tower-http = { version = "0.6", features = ["fs", "trace", "timeout"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 trait-variant = "0.1"

diff --git a/crates/defguard_common/src/config.rs b/crates/defguard_common/src/config.rs
@@ -192,6 +192,16 @@ pub struct DefGuardConfig {
 
     #[arg(long, env = "DEFGUARD_ADOPT_EDGE")]
     pub adopt_edge: Option<String>,
+
+    /// Maximum number of requests per second per client IP before rate limiting kicks in.
+    /// Set to 0 to disable rate limiting.
+    #[arg(long, env = "DEFGUARD_RATELIMIT_PERSECOND", default_value_t = 10)]
+    pub rate_limit_per_second: u64,
+
+    /// Maximum burst size for the rate limiter (token bucket capacity per client IP).
+    /// Set to 0 to disable rate limiting.
+    #[arg(long, env = "DEFGUARD_RATELIMIT_BURST", default_value_t = 100)]
+    pub rate_limit_burst: u32,
 }
 
 #[derive(Clone, Debug, Subcommand)]
@@ -292,6 +302,8 @@ impl DefGuardConfig {
             grpc_bind_address: None,
             adopt_gateway: None,
             adopt_edge: None,
+            rate_limit_per_second: 10,
+            rate_limit_burst: 100,
         };
 
         config

diff --git a/crates/defguard_core/Cargo.toml b/crates/defguard_core/Cargo.toml
@@ -71,6 +71,7 @@ tonic = { workspace = true }
 tonic-health = { workspace = true }
 totp-lite = { workspace = true }
 tower-http = { workspace = true }
+tower_governor = { workspace = true }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 trait-variant = { workspace = true }

diff --git a/crates/defguard_core/src/appstate.rs b/crates/defguard_core/src/appstate.rs
@@ -1,4 +1,4 @@
-use std::sync::{Arc, Mutex, RwLock};
+use std::sync::{Arc, Mutex, RwLock, atomic::AtomicBool};
 
 use axum::extract::FromRef;
 use axum_extra::extract::cookie::Key;
@@ -36,6 +36,8 @@ pub struct AppState {
     pub event_tx: UnboundedSender<ApiEvent>,
     pub incompatible_components: Arc<RwLock<IncompatibleComponents>>,
     pub proxy_control_tx: tokio::sync::mpsc::Sender<ProxyControlMessage>,
+    /// Reflects whether the HTTP server is currently running with TLS
+    pub tls_active: Arc<AtomicBool>,
 }
 
 impl AppState {
@@ -123,6 +125,7 @@ impl AppState {
         event_tx: UnboundedSender<ApiEvent>,
         incompatible_components: Arc<RwLock<IncompatibleComponents>>,
         proxy_control_tx: tokio::sync::mpsc::Sender<ProxyControlMessage>,
+        tls_active: Arc<AtomicBool>,
     ) -> Self {
         spawn(Self::handle_triggers(pool.clone(), rx));
 
@@ -136,6 +139,7 @@ impl AppState {
             event_tx,
             incompatible_components,
             proxy_control_tx,
+            tls_active,
         }
     }
 }