add rate limiting support for REST API/web admin too

docs/full-configuration.md

@@ -83,7 +83,7 @@ The configuration file contains the following sections:
     - `period`, integer. Period defines the period as milliseconds. The rate is actually defined by dividing average by period Default: 1000 (1 second).
     - `burst`, integer. Burst defines the maximum number of requests allowed to go through in the same arbitrarily small period of time. Default: 1
     - `type`, integer. 1 means a global rate limiter, independent from the source host. 2 means a per-ip rate limiter. Default: 2
-    - `protocols`, list of strings. Available protocols are `SSH`, `FTP`, `DAV`. By default all supported protocols are enabled
+    - `protocols`, list of strings. Available protocols are `SSH`, `FTP`, `DAV`, `HTTP`. By default all supported protocols are enabled
     - `generate_defender_events`, boolean. If `true`, the defender is enabled, and this is not a global rate limiter, a new defender event will be generated each time the configured limit is exceeded. Default `false`
     - `entries_soft_limit`, integer.
     - `entries_hard_limit`, integer. The number of per-ip rate limiters kept in memory will vary between the soft and hard limit

docs/rate-limiting.md

@@ -1,6 +1,6 @@
 # Rate limiting
 
-Rate limiting allows to control the number of requests going to the configured services.
+Rate limiting allows to control the number of requests going to the SFTPGo services.
 
 SFTPGo implements a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) initially full and refilled at the configured rate. The `burst` configuration parameter defines the size of the bucket. The rate is defined by dividing `average` by `period`, so for a rate below 1 req/s, one needs to define a period larger than a second.
 
@@ -8,9 +8,16 @@ Requests that exceed the configured limit will be delayed or denied if they exce
 
 SFTPGo allows to define per-protocol rate limiters so you can have different configurations for different protocols.
 
+The supported protocols are:
+
+- `SSH`, includes SFTP and SSH commands
+- `FTP`, includes FTP, FTPES, FTPS
+- `DAV`, WebDAV
+- `HTTP`, REST API and web admin
+
 You can also define two types of rate limiters:
 
-- global, it is independent from the source host and therefore define a limit for the configured protocol/s
+- global, it is independent from the source host and therefore define an aggregate limit for the configured protocol/s
 - per-host, this type of rate limiter can be connected to the built-in [defender](./defender.md) and generate `score_rate_exceeded` events and thus hosts that repeatedly exceed the configured limit can be automatically blocked
 
 If you configure a per-host rate limiter, SFTPGo will keep a rate limiter in memory for each host that connects to the service, you can limit the memory usage using the `entries_soft_limit` and `entries_hard_limit` configuration keys.
@@ -27,7 +34,8 @@ You can defines how many rate limiters as you want, but keep in mind that if you
       "protocols": [
         "SSH",
         "FTP",
-        "DAV"
+        "DAV",
+        "HTTP"
       ],
       "generate_defender_events": false,
       "entries_soft_limit": 100,
@@ -48,6 +56,6 @@ You can defines how many rate limiters as you want, but keep in mind that if you
 ]
 ```
 
-we have a global rate limiter that limit the rate for the whole service to 100 req/s and an additional rate limiter that limits the `FTP` protocol to 10 req/s per host.
+we have a global rate limiter that limit the aggregate rate for the all the services to 100 req/s and an additional rate limiter that limits the `FTP` protocol to 10 req/s per host.
 With this configuration, when a client connects via FTP it will be limited first by the global rate limiter and then by the per host rate limiter.
 Clients connecting via SFTP/WebDAV will be checked only against the global rate limiter.