mod-security

Rate limit on a per-IP basis using ModSecurity


How can I rate limit on a per-IP basis for a ModSecurity (I'm actually using Coraza) rule? For example, for the following rule:

SecRule REQUEST_HEADERS:Host "foo.com" "id:5,phase:1"

I want to rate limit each src IP matching that rule to 10 requests/s.


Solution

  • OWASP ModSecurity Core Rule Set Dev on Duty reporting. Ordinarily, I would recommend definitely not to attempt to implement any sort of rate limiting logic inside ModSecurity. Indeed, we recently removed the rate limiting rules from the ModSecurity Core Rule Set (and into an optional plugin). The performance and reliability are usually poor when implementing such logic inside of ModSecurity.

    This sort of rate limiting logic is almost always better performed at a firewall or at/in a proxy (something like HAProxy can do this very efficiently).

    On the other hand, you mentioned that you are actually using the Coraza WAF engine, and I'm aware that a rate limiting plugin was written for Coraza during this year's (2023) Google Summer of Code. This could be something that you could test to see if it meets your needs.
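For reference, this is what the mechanism the question asks about looks like when written directly in SecLang: an added example, not code from the question, the answer or the CRS project. It builds on the question's id:5 rule, keeps a per-source-IP counter in the persistent IP collection, opens a fixed one-second window and denies with 429 once more than 10 requests land inside it. The rule ids (5000-5003), variable names (foo_window, foo_count) and the SecDataDir path are assumptions chosen for the example. It assumes an engine that actually persists the IP collection across requests (ModSecurity v2 with SecDataDir); whether the Coraza build in use does so is exactly what to verify before relying on it, which is the reliability concern the answer raises.

```apache
# Persistent per-client collection keyed by source IP.
# ModSecurity v2 needs a writable SecDataDir for this to survive across requests
# (path is an assumption for the example).
SecDataDir /var/cache/modsecurity
SecAction "id:5000,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Only requests for the rate-limited vhost take part (the question's Host match).
# If this IP has no open window, open a 1-second window and reset its counter.
# expirevar on the window variable (not the counter) gives a fixed window:
# re-arming expiry on the counter itself would never let a steady trickle reset.
SecRule REQUEST_HEADERS:Host "@streq foo.com" \
    "id:5001,phase:1,pass,nolog,chain"
    SecRule &IP:FOO_WINDOW "@eq 0" \
        "setvar:ip.foo_window=1,expirevar:ip.foo_window=1,setvar:ip.foo_count=0"

# Count this request against the current window for this IP.
SecRule REQUEST_HEADERS:Host "@streq foo.com" \
    "id:5002,phase:1,pass,nolog,setvar:ip.foo_count=+1"

# More than 10 requests from one IP inside the window: deny with 429 and log it.
# The disruptive action lives on the first rule of the chain and only fires
# when every rule in the chain matches.
SecRule REQUEST_HEADERS:Host "@streq foo.com" \
    "id:5003,phase:1,deny,status:429,log,msg:'foo.com per-IP rate limit exceeded',chain"
    SecRule IP:FOO_COUNT "@gt 10"
```

Two things a practitioner would check before trusting this: that the IP collection really is shared between worker processes (with a non-persistent backend each worker keeps its own counter, so the effective limit becomes a multiple of 10), and that the audit log shows id 5003 firing with the expected count, since a silently non-persistent collection produces no error, just a limit that never triggers. Both are instances of the reliability problem the answer describes, and why a proxy-level stick table or the Coraza plugin is the recommended place for this.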