Add request rate limiting for QHttpServer

Added QHttpServerConfiguration class to pass general configuration
settings to QHttpServer.
Implemented request rate limiting per IP.

Task-number: QTBUG-75087
Change-Id: Iedd670d3cd9adddec22077fe0625fdd3fc818004
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>

src/httpserver/CMakeLists.txt

@@ -11,9 +11,11 @@ qt_internal_add_module(HttpServer
     SOURCES
         qabstracthttpserver.cpp qabstracthttpserver.h qabstracthttpserver_p.h
         qhttpserver.cpp qhttpserver.h qhttpserver_p.h
+        qhttpserverconfiguration.cpp qhttpserverconfiguration.h
         qhttpserverhttp1protocolhandler.cpp qhttpserverhttp1protocolhandler_p.h
         qhttpserverliterals.cpp qhttpserverliterals_p.h
         qhttpserverrequest.cpp qhttpserverrequest.h qhttpserverrequest_p.h
+        qhttpserverrequestfilter.cpp qhttpserverrequestfilter_p.h
         qhttpserverresponder.cpp qhttpserverresponder.h qhttpserverresponder_p.h
         qhttpserverresponse.cpp qhttpserverresponse.h qhttpserverresponse_p.h
         qhttpserverrouter.cpp qhttpserverrouter.h qhttpserverrouter_p.h

src/httpserver/qabstracthttpserver.cpp

@@ -49,9 +49,9 @@ void QAbstractHttpServerPrivate::handleNewConnections()
         while (auto socket = qobject_cast<QSslSocket *>(sslServer->nextPendingConnection())) {
             if (socket->sslConfiguration().nextNegotiatedProtocol()
                             == QSslConfiguration::ALPNProtocolHTTP2) {
-                new QHttpServerHttp2ProtocolHandler(q, socket);
+                new QHttpServerHttp2ProtocolHandler(q, socket, &requestFilter);
             } else {
-                new QHttpServerHttp1ProtocolHandler(q, socket);
+                new QHttpServerHttp1ProtocolHandler(q, socket, &requestFilter);
             }
         }
         return;
@@ -62,7 +62,7 @@ void QAbstractHttpServerPrivate::handleNewConnections()
     Q_ASSERT(tcpServer);
 
     while (auto socket = tcpServer->nextPendingConnection())
-        new QHttpServerHttp1ProtocolHandler(q, socket);
+        new QHttpServerHttp1ProtocolHandler(q, socket, &requestFilter);
 }
 
 /*!
@@ -90,7 +90,7 @@ void QAbstractHttpServerPrivate::handleNewLocalConnections()
     Q_ASSERT(localServer);
 
     while (auto socket = localServer->nextPendingConnection())
-        new QHttpServerHttp1ProtocolHandler(q, socket);
+        new QHttpServerHttp1ProtocolHandler(q, socket, &requestFilter);
 }
 #endif
 
@@ -420,6 +420,19 @@ void QAbstractHttpServer::setHttp2Configuration(const QHttp2Configuration &confi
 
 #endif
 
+void QAbstractHttpServer::setConfiguration(const QHttpServerConfiguration &config)
+{
+    Q_D(QAbstractHttpServer);
+    d->configuration = config;
+    d->requestFilter.setConfiguration(config);
+}
+
+QHttpServerConfiguration QAbstractHttpServer::configuration() const
+{
+    Q_D(const QAbstractHttpServer);
+    return d->configuration;
+}
+
 QT_END_NAMESPACE
 
 #include "moc_qabstracthttpserver.cpp"

src/httpserver/qabstracthttpserver.h

@@ -8,6 +8,7 @@
 
 #include <QtHttpServer/qthttpserverglobal.h>
 #include <QtHttpServer/qhttpserverwebsocketupgraderesponse.h>
+#include <QtHttpServer/qhttpserverconfiguration.h>
 
 #include <QtNetwork/qhostaddress.h>
 
@@ -54,6 +55,9 @@ public:
     void setHttp2Configuration(const QHttp2Configuration &configuration);
 #endif
 
+    void setConfiguration(const QHttpServerConfiguration &config);
+    QHttpServerConfiguration configuration() const;
+
 #if defined(QT_WEBSOCKETS_LIB)
 Q_SIGNALS:
     void newWebSocketConnection();

src/httpserver/qabstracthttpserver_p.h

@@ -16,6 +16,8 @@
 
 #include <QtHttpServer/qabstracthttpserver.h>
 #include <QtHttpServer/qthttpserverglobal.h>
+#include <QtHttpServer/qhttpserverconfiguration.h>
+#include <QtHttpServer/private/qhttpserverrequestfilter_p.h>
 
 #include <private/qobject_p.h>
 
@@ -68,6 +70,8 @@ public:
 #if QT_CONFIG(ssl)
     QHttp2Configuration h2Configuration;
 #endif
+    QHttpServerConfiguration configuration;
+    QHttpServerRequestFilter requestFilter;
 };
 
 QT_END_NAMESPACE

src/httpserver/qhttpserverconfiguration.cpp

@@ -0,0 +1,116 @@
+// Copyright (C) 2024 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
+
+#include "qhttpserverconfiguration.h"
+
+QT_BEGIN_NAMESPACE
+
+/*!
+    \class QHttpServerConfiguration
+    \since 6.9
+    \inmodule QtHttpServer
+    \brief The QHttpServerConfiguration class controls server parameters.
+*/
+class QHttpServerConfigurationPrivate : public QSharedData
+{
+public:
+    unsigned rateLimit = 0;
+};
+
+QT_DEFINE_QESDP_SPECIALIZATION_DTOR(QHttpServerConfigurationPrivate)
+
+/*!
+    Default constructs a QHttpServerConfiguration object.
+
+    Such a configuration has the following values:
+     \list
+         \li Rate limit is disabled
+     \endlist
+*/
+QHttpServerConfiguration::QHttpServerConfiguration()
+    : d(new QHttpServerConfigurationPrivate)
+{
+}
+
+/*!
+    Copy-constructs this QHttpServerConfiguration.
+*/
+QHttpServerConfiguration::QHttpServerConfiguration(const QHttpServerConfiguration &) = default;
+
+/*!
+    \fn QHttpServerConfiguration::QHttpServerConfiguration(QHttpServerConfiguration &&other) noexcept
+
+    Move-constructs this QHttpServerConfiguration from \a other
+*/
+
+/*!
+    Copy-assigns \a other to this QHttpServerConfiguration.
+*/
+QHttpServerConfiguration &QHttpServerConfiguration::operator=(const QHttpServerConfiguration &) = default;
+
+/*!
+    \fn QNetworkRequestFactory &QNetworkRequestFactory::operator=(QNetworkRequestFactory &&other) noexcept
+
+    Move-assigns \a other to this QHttpServerConfiguration.
+*/
+
+/*!
+    Destructor.
+*/
+QHttpServerConfiguration::~QHttpServerConfiguration()
+    = default;
+
+/*!
+    Sets \a maxRequests as the maximum number of incoming requests
+    per second per IP that will be accepted by QHttpServer.
+    If the limit is exceeded, QHttpServer will respond with
+    QHttpServerResponder::StatusCode::TooManyRequests.
+
+    \sa rateLimitPerSecond(), QHttpServerResponder::StatusCode
+*/
+void QHttpServerConfiguration::setRateLimitPerSecond(unsigned int maxRequests)
+{
+    d.detach();
+    d->rateLimit = maxRequests;
+}
+
+/*!
+    Returns maximum number of incoming requests per second per IP
+    accepted by the server.
+
+    \sa setRateLimitPerSecond()
+*/
+unsigned int QHttpServerConfiguration::rateLimitPerSecond() const
+{
+    return d->rateLimit;
+}
+
+/*!
+    \fn void QHttpServerConfiguration::swap(QHttpServerConfiguration &other)
+    \memberswap{configuration}
+*/
+
+/*!
+    \fn bool QHttpServerConfiguration::operator==(const QHttpServerConfiguration &lhs, const QHttpServerConfiguration &rhs) noexcept
+    Returns \c true if \a lhs and \a rhs have the same set of configuration
+    parameters.
+*/
+
+/*!
+    \fn bool QHttpServerConfiguration::operator!=(const QHttpServerConfiguration &lhs, const QHttpServerConfiguration &rhs) noexcept
+    Returns \c true if \a lhs and \a rhs do not have the same set of configuration
+    parameters.
+*/
+
+/*!
+    \internal
+*/
+bool QHttpServerConfiguration::isEqual(const QHttpServerConfiguration &other) const noexcept
+{
+    if (d == other.d)
+        return true;
+
+    return d->rateLimit == other.d->rateLimit;
+}
+
+QT_END_NAMESPACE

src/httpserver/qhttpserverconfiguration.h

@@ -0,0 +1,48 @@
+// Copyright (C) 2024 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
+
+#ifndef QHTTPSERVERCONFIGURATION_H
+#define QHTTPSERVERCONFIGURATION_H
+
+#include <QtHttpServer/qthttpserverglobal.h>
+
+#include <QtCore/qshareddata.h>
+
+QT_BEGIN_NAMESPACE
+
+class QHttpServerConfigurationPrivate;
+QT_DECLARE_QESDP_SPECIALIZATION_DTOR_WITH_EXPORT(QHttpServerConfigurationPrivate, Q_HTTPSERVER_EXPORT)
+
+class Q_HTTPSERVER_EXPORT QHttpServerConfiguration
+{
+public:
+    QHttpServerConfiguration();
+    QHttpServerConfiguration(const QHttpServerConfiguration &other);
+    QHttpServerConfiguration(QHttpServerConfiguration &&other) noexcept = default;
+    QHttpServerConfiguration &operator = (const QHttpServerConfiguration &other);
+
+    QT_MOVE_ASSIGNMENT_OPERATOR_IMPL_VIA_PURE_SWAP(QHttpServerConfiguration)
+    void swap(QHttpServerConfiguration &other) noexcept { d.swap(other.d); }
+
+    ~QHttpServerConfiguration();
+
+    void setRateLimitPerSecond(unsigned maxRequests);
+    unsigned rateLimitPerSecond() const;
+
+private:
+    QExplicitlySharedDataPointer<QHttpServerConfigurationPrivate> d;
+
+    bool isEqual(const QHttpServerConfiguration &other) const noexcept;
+
+    friend bool operator==(const QHttpServerConfiguration &lhs,
+                           const QHttpServerConfiguration &rhs) noexcept
+    { return lhs.isEqual(rhs); }
+    friend bool operator!=(const QHttpServerConfiguration &lhs,
+                           const QHttpServerConfiguration &rhs) noexcept
+    { return !lhs.isEqual(rhs); }
+};
+Q_DECLARE_SHARED(QHttpServerConfiguration)
+
+QT_END_NAMESPACE
+
+#endif // QHTTPSERVERCONFIGURATION_H

src/httpserver/qhttpserverhttp1protocolhandler.cpp

@@ -10,6 +10,7 @@
 #include <QtHttpServer/qabstracthttpserver.h>
 #include <QtHttpServer/qhttpserverrequest.h>
 #include <QtHttpServer/qhttpserverresponder.h>
+#include <QtHttpServer/qhttpserverresponse.h>
 #include <QtNetwork/qlocalsocket.h>
 #include <QtNetwork/qtcpsocket.h>
 
@@ -216,7 +217,8 @@ struct IOChunkedTransfer
 
 
 QHttpServerHttp1ProtocolHandler::QHttpServerHttp1ProtocolHandler(QAbstractHttpServer *server,
-                                                                 QIODevice *socket)
+                                                                 QIODevice *socket,
+                                                                 QHttpServerRequestFilter *filter)
     : QHttpServerStream(server),
       server(server),
       socket(socket),
@@ -224,6 +226,7 @@ QHttpServerHttp1ProtocolHandler::QHttpServerHttp1ProtocolHandler(QAbstractHttpSe
 #if QT_CONFIG(localserver)
       localSocket(qobject_cast<QLocalSocket*>(socket)),
 #endif
+      m_filter(filter),
       request(initRequestFromSocket(tcpSocket))
 {
     socket->setParent(this);
@@ -360,8 +363,14 @@ void QHttpServerHttp1ProtocolHandler::handleReadyRead()
 
     socket->commitTransaction();
 
-    if (!server->handleRequest(request, responder))
+    QHostAddress peerAddress = tcpSocket ? tcpSocket->peerAddress()
+                                         : QHostAddress::LocalHost;
+    if (!m_filter->isRequestWithinRate(peerAddress)) {
+        responder.sendResponse(
+                QHttpServerResponse(QHttpServerResponder::StatusCode::TooManyRequests));
+    } else if (!server->handleRequest(request, responder)) {
         server->missingHandler(request, responder);
+    }
 
     if (handlingRequest)
         disconnect(socket, &QIODevice::readyRead, this, &QHttpServerHttp1ProtocolHandler::handleReadyRead);

src/httpserver/qhttpserverhttp1protocolhandler_p.h

@@ -7,6 +7,7 @@
 #include <QtHttpServer/qthttpserverglobal.h>
 #include <QtHttpServer/qhttpserverrequest.h>
 #include <QtHttpServer/private/qhttpserverstream_p.h>
+#include <QtHttpServer/private/qhttpserverrequestfilter_p.h>
 
 //
 //  W A R N I N G
@@ -34,7 +35,9 @@ class QHttpServerHttp1ProtocolHandler : public QHttpServerStream
     friend class QHttpServerResponder;
 
 private:
-    QHttpServerHttp1ProtocolHandler(QAbstractHttpServer *server, QIODevice *socket);
+    QHttpServerHttp1ProtocolHandler(QAbstractHttpServer *server,
+                                    QIODevice *socket,
+                                    QHttpServerRequestFilter *filter);
 
     void responderDestroyed() final;
     void startHandlingRequest() final;
@@ -67,6 +70,7 @@ private:
 #if QT_CONFIG(localserver)
     QLocalSocket *localSocket;
 #endif
+    QHttpServerRequestFilter *m_filter;
 
     enum class TransferState {
         Ready,

src/httpserver/qhttpserverhttp2protocolhandler.cpp

@@ -5,6 +5,7 @@
 
 #include <QtCore/qloggingcategory.h>
 #include <QtHttpServer/qabstracthttpserver.h>
+#include <QtHttpServer/qhttpserverresponse.h>
 #include <QtNetwork/private/qhttp2connection_p.h>
 #include <QtNetwork/qtcpsocket.h>
 
@@ -30,11 +31,13 @@ void toHeaderPairs(HPack::HttpHeader &fields, const QHttpHeaders &headers)
 } // anonymous namespace
 
 QHttpServerHttp2ProtocolHandler::QHttpServerHttp2ProtocolHandler(QAbstractHttpServer *server,
-                                                                 QIODevice *socket)
+                                                                 QIODevice *socket,
+                                                                 QHttpServerRequestFilter *filter)
     : QHttpServerStream(server),
       m_server(server),
       m_socket(socket),
       m_tcpSocket(qobject_cast<QTcpSocket *>(socket)),
+      m_filter(filter),
       m_request(QHttpServerStream::initRequestFromSocket(m_tcpSocket))
 {
     socket->setParent(this);
@@ -269,8 +272,12 @@ void QHttpServerHttp2ProtocolHandler::onStreamHalfClosed(quint32 streamId)
     QHttpServerResponder responder(this);
     responder.d_ptr->m_streamId = streamId;
 
-    if (!m_server->handleRequest(m_request, responder))
+    if (!m_filter->isRequestWithinRate(m_tcpSocket->peerAddress())) {
+        responder.sendResponse(
+                QHttpServerResponse(QHttpServerResponder::StatusCode::TooManyRequests));
+    } else if (!m_server->handleRequest(m_request, responder)) {
         m_server->missingHandler(m_request, responder);
+    }
 }
 
 void QHttpServerHttp2ProtocolHandler::onStreamClosed(quint32 streamId)

src/httpserver/qhttpserverhttp2protocolhandler_p.h

@@ -7,6 +7,7 @@
 #include <QtHttpServer/qthttpserverglobal.h>
 #include <QtHttpServer/qhttpserverrequest.h>
 #include <QtHttpServer/private/qhttpserverstream_p.h>
+#include <QtHttpServer/private/qhttpserverrequestfilter_p.h>
 #include <QtNetwork/private/hpack_p.h>
 #include <QtCore/qbytearray.h>
 #include <QtCore/qqueue.h>
@@ -45,7 +46,9 @@ class QHttpServerHttp2ProtocolHandler : public QHttpServerStream
     friend class QAbstractHttpServerPrivate;
 
 private:
-    QHttpServerHttp2ProtocolHandler(QAbstractHttpServer *server, QIODevice *socket);
+    QHttpServerHttp2ProtocolHandler(QAbstractHttpServer *server,
+                                    QIODevice *socket,
+                                    QHttpServerRequestFilter *filter);
 
     void responderDestroyed() final;
     void startHandlingRequest() final;
@@ -83,6 +86,7 @@ private:
     QAbstractHttpServer *m_server;
     QIODevice *m_socket;
     QTcpSocket *m_tcpSocket;
+    QHttpServerRequestFilter *m_filter;
     QHttpServerRequest m_request;
     QHttp2Connection *m_connection;
     QHash<quint32, QList<QMetaObject::Connection>> m_streamConnections;

src/httpserver/qhttpserverrequestfilter.cpp

@@ -0,0 +1,94 @@
+// Copyright (C) 2024 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
+
+#include "qhttpserverrequestfilter_p.h"
+
+#include <QtCore/qdatetime.h>
+
+QT_BEGIN_NAMESPACE
+
+const int QHttpServerRequestFilterPrivate::cPeriodDurationMSec = 1000;
+
+// compromise value to remove some garbage without processing the entire array.
+static constexpr int cCleanupThreshold = 10;
+
+unsigned int QHttpServerRequestFilter::maxRequestPerPeriod() const
+{
+    return m_config.rateLimitPerSecond();
+}
+
+QHttpServerRequestFilter::QHttpServerRequestFilter()
+{
+
+}
+
+void QHttpServerRequestFilter::setConfiguration(const QHttpServerConfiguration &config)
+{
+    m_config = config;
+}
+
+bool QHttpServerRequestFilter::isRequestWithinRate(QHostAddress peerAddress)
+{
+    return isRequestWithinRate(peerAddress, QDateTime::currentMSecsSinceEpoch());
+}
+
+bool QHttpServerRequestFilter::isRequestWithinRate(QHostAddress peerAddress,
+                                                   const qint64 currTimeMSec)
+{
+    using namespace QHttpServerRequestFilterPrivate;
+
+    if (m_config.rateLimitPerSecond() == 0)
+        return true;
+
+    QHash<QHostAddress, IpInfo>::iterator it = ipInfo.find(peerAddress);
+    if (it == ipInfo.end())
+        it = ipInfo.emplace(peerAddress, currTimeMSec + cPeriodDurationMSec);
+    // clean more garbage then we create
+    cleanIpInfoGarbage(it, currTimeMSec);
+
+    if (it->isGarbage(currTimeMSec)) {
+        // did not make any requests for a whole period? start the new one.
+        it->m_thisPeriodEnd = currTimeMSec + cPeriodDurationMSec;
+        it->m_nRequests = 1;
+    } else if (currTimeMSec > it->m_thisPeriodEnd) {
+        // showed up during next period, update info
+        it->m_thisPeriodEnd += cPeriodDurationMSec;
+        it->m_nRequests = 1;
+    } else {
+        // check whether we exceeded
+        if (++it->m_nRequests > maxRequestPerPeriod())
+            return false;  // too many requests
+    }
+
+    return true;
+}
+
+void QHttpServerRequestFilter::cleanIpInfoGarbage(QHash<QHostAddress, IpInfo>::iterator it,
+                                                  qint64 currTime)
+{
+    Q_ASSERT(ipInfo.begin() != ipInfo.end());
+
+    const auto myIp = it.key();
+    ++it;
+    // check the range after the current ip
+    for (int i = 0; i < cCleanupThreshold; ++i) {
+        if (it == ipInfo.end())
+            it = ipInfo.begin();
+
+        if (it.key() == myIp)
+            break;
+
+        if (it->isGarbage(currTime))
+            it = ipInfo.erase(it);
+        else
+            ++it;
+    }
+}
+
+bool QHttpServerRequestFilter::IpInfo::isGarbage(qint64 currTime) const
+{
+    // ip info is garbage if we got no requests during next period
+    return (currTime >= m_thisPeriodEnd + QHttpServerRequestFilterPrivate::cPeriodDurationMSec);
+}
+
+QT_END_NAMESPACE

src/httpserver/qhttpserverrequestfilter_p.h

@@ -0,0 +1,61 @@
+// Copyright (C) 2024 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
+
+#ifndef QHTTPSERVERREQUESTFILTER_P_H
+#define QHTTPSERVERREQUESTFILTER_P_H
+
+#include <QtHttpServer/qthttpserverglobal.h>
+#include <QtHttpServer/qhttpserverconfiguration.h>
+
+#include <QtCore/qhash.h>
+#include <QtNetwork/qhostaddress.h>
+
+//
+//  W A R N I N G
+//  -------------
+//
+// This file is not part of the Qt API.  It exists for the convenience
+// of QHttpServer. This header file may change from version to
+// version without notice, or even be removed.
+//
+// We mean it.
+
+QT_BEGIN_NAMESPACE
+
+namespace QHttpServerRequestFilterPrivate {
+extern const Q_HTTPSERVER_EXPORT int cPeriodDurationMSec;
+}
+
+class Q_HTTPSERVER_EXPORT QHttpServerRequestFilter
+{
+public:
+    QHttpServerRequestFilter();
+
+    void setConfiguration(const QHttpServerConfiguration &config);
+
+    bool isRequestWithinRate(QHostAddress peerAddress);
+    bool isRequestWithinRate(QHostAddress peerAddress, const qint64 currTimeMSec);
+
+private:
+    struct IpInfo
+    {
+        IpInfo() : m_thisPeriodEnd(0) {}
+        IpInfo(qint64 thisPeriodEnd) : m_thisPeriodEnd(thisPeriodEnd) {}
+
+        bool isGarbage(qint64 currTime) const;
+
+        qint64 m_thisPeriodEnd = 0;
+        unsigned m_nRequests = 0;
+    };
+
+    void cleanIpInfoGarbage(QHash<QHostAddress, IpInfo>::iterator it, qint64 currTime);
+
+    unsigned maxRequestPerPeriod() const;
+
+    QHttpServerConfiguration m_config;
+    QHash<QHostAddress, IpInfo> ipInfo;
+};
+
+QT_END_NAMESPACE
+
+#endif // QHTTPSERVERREQUESTFILTER_P_H

tests/auto/CMakeLists.txt

@@ -13,4 +13,5 @@ add_subdirectory(qhttpserverrouter)
 add_subdirectory(qhttpserverresponse)
 if(QT_FEATURE_private_tests)
     add_subdirectory(qabstracthttpserver)
+    add_subdirectory(qhttpserverrequestfilter)
 endif()

tests/auto/qhttpserverrequestfilter/CMakeLists.txt

@@ -0,0 +1,13 @@
+# Copyright (C) 2024 The Qt Company Ltd.
+# SPDX-License-Identifier: BSD-3-Clause
+
+#####################################################################
+## tst_qhttpserverrequestfilter Test:
+#####################################################################
+
+qt_internal_add_test(tst_qhttpserverrequestfilter
+    SOURCES
+        tst_qhttpserverrequestfilter.cpp
+    LIBRARIES
+        Qt::HttpServerPrivate
+)

tests/auto/qhttpserverrequestfilter/tst_qhttpserverrequestfilter.cpp

@@ -0,0 +1,93 @@
+// Copyright (C) 2024 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only
+
+#include <QtHttpServer/private/qhttpserverrequestfilter_p.h>
+#include <QtHttpServer/qhttpserverconfiguration.h>
+
+#include <QtTest/qtest.h>
+
+QT_BEGIN_NAMESPACE
+
+class tst_QHttpServerRequestFilter : public QObject
+{
+    Q_OBJECT
+
+private slots:
+    void testRateLimit();
+};
+
+void tst_QHttpServerRequestFilter::testRateLimit()
+{
+    using namespace QHttpServerRequestFilterPrivate;
+
+    QHttpServerRequestFilter filter1;
+    QHostAddress address("127.0.0.1");
+    QCOMPARE(filter1.isRequestWithinRate(address), true);
+
+    QHttpServerConfiguration config;
+    config.setRateLimitPerSecond(0);
+    filter1.setConfiguration(config);
+    QCOMPARE(filter1.isRequestWithinRate(address), true);
+
+    QHttpServerRequestFilter filter2;
+    config.setRateLimitPerSecond(1);
+    filter2.setConfiguration(config);
+    qint64 currTimeMSec = QDateTime::currentMSecsSinceEpoch();
+    QCOMPARE(filter2.isRequestWithinRate(address, currTimeMSec), true);
+    QCOMPARE(filter2.isRequestWithinRate(address, currTimeMSec), false);
+    // check next period
+    currTimeMSec += cPeriodDurationMSec + 1;
+    QCOMPARE(filter2.isRequestWithinRate(address, currTimeMSec), true);
+    QCOMPARE(filter2.isRequestWithinRate(address, currTimeMSec), false);
+    // check after 2 periods
+    currTimeMSec += 2 * cPeriodDurationMSec + 1;
+    QCOMPARE(filter2.isRequestWithinRate(address, currTimeMSec), true);
+    QCOMPARE(filter2.isRequestWithinRate(address, currTimeMSec), false);
+    // check after previous ip info becomes garbage
+    QHostAddress address2("127.0.0.2");
+    currTimeMSec += 3 * cPeriodDurationMSec;
+    QCOMPARE(filter2.isRequestWithinRate(address2, currTimeMSec), true);
+    QCOMPARE(filter2.isRequestWithinRate(address2, currTimeMSec), false);
+    // check after this ip becomes garbage
+    currTimeMSec += 3 * cPeriodDurationMSec;
+    QCOMPARE(filter2.isRequestWithinRate(address2, currTimeMSec), true);
+    QCOMPARE(filter2.isRequestWithinRate(address2, currTimeMSec), false);
+
+    // higher rate limit
+    QHttpServerRequestFilter filter3;
+    const int nRequests = 10;
+    config.setRateLimitPerSecond(nRequests);
+    filter3.setConfiguration(config);
+    currTimeMSec = QDateTime::currentMSecsSinceEpoch();
+    QCOMPARE(filter3.isRequestWithinRate(address2, currTimeMSec), true);
+    currTimeMSec += cPeriodDurationMSec;
+    for (int i = 0; i < nRequests - 1; ++i)
+        QCOMPARE(filter3.isRequestWithinRate(address2, currTimeMSec), true);
+    QCOMPARE(filter3.isRequestWithinRate(address2, currTimeMSec), false);
+    // check next period
+    currTimeMSec += 1;
+    QCOMPARE(filter3.isRequestWithinRate(address2, currTimeMSec), true);
+    for (int i = 0; i < nRequests - 1; ++i)
+        QCOMPARE(filter3.isRequestWithinRate(address2, currTimeMSec), true);
+    QCOMPARE(filter3.isRequestWithinRate(address2, currTimeMSec), false);
+
+    // more hosts
+    QHttpServerRequestFilter filter4;
+    config.setRateLimitPerSecond(1);
+    filter4.setConfiguration(config);
+    currTimeMSec = QDateTime::currentMSecsSinceEpoch();
+    for (int i = 0; i < 10; ++i) {
+        const auto hostAddress = QHostAddress(QString("127.0.0.%1").arg(i));
+        QCOMPARE(filter4.isRequestWithinRate(hostAddress, currTimeMSec), true);
+        QCOMPARE(filter4.isRequestWithinRate(hostAddress, currTimeMSec), false);
+    }
+    // check after all the hosts become garbage
+    currTimeMSec += 3 * cPeriodDurationMSec;
+    QCOMPARE(filter4.isRequestWithinRate(QHostAddress("168.0.0.1"), currTimeMSec), true);
+}
+
+QT_END_NAMESPACE
+
+QTEST_MAIN(tst_QHttpServerRequestFilter)
+
+#include "tst_qhttpserverrequestfilter.moc"