Setting order limits by IP address in 1C-Bitrix

Our company is engaged in the development, support and maintenance of Bitrix and Bitrix24 solutions of any complexity. From simple one-page sites to complex online stores, CRM systems with 1C and telephony integration. The experience of developers is confirmed by certificates from the vendor.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Showing 1 of 1 servicesAll 1626 services

Simple

~1 business day

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

B2B ADVANCE company website development
1175
Website development for FIXPER company
811
Development based on Bitrix, Bitrix24, 1C for the company Development of an Online Appointment Booking Widget for a Medical Center
564
Development based on 1C Enterprise for MIRSANBEL
745
Website development on CRM Bitrix24 for DOLBIMBY
655
Development based on Bitrix24 for the company TECHNOTORGKOMPLEKS
976

Show more works

IP Address Order Limit Configuration in 1C-Bitrix

One IP subnet, 50 orders in 10 minutes — either a mass fraudulent burst or a frontend bug that resubmits the form. In both cases, IP-based limits protect the database from junk and the wallet from losses.

PHP-level limits

Check in the event handler before saving the order:

namespace Local\Fraud;

class IpOrderLimiter
{
    // Limits: [window in minutes => maximum orders]
    private const LIMITS = [
        15  => 3,   // no more than 3 orders per 15 minutes
        60  => 5,   // no more than 5 orders per hour
        1440 => 15, // no more than 15 orders per day
    ];

    public static function check(string $ip): ?string
    {
        $conn    = \Bitrix\Main\Application::getConnection();
        $ipSafe  = $conn->getSqlHelper()->forSql($ip);

        foreach (self::LIMITS as $minutes => $maxOrders) {
            $from = date('Y-m-d H:i:s', time() - $minutes * 60);

            $count = (int)$conn->query(
                "SELECT COUNT(*) cnt FROM b_sale_order
                 WHERE CREATED_BY_IP = '{$ipSafe}'
                   AND DATE_INSERT   >= '{$from}'"
            )->fetch()['cnt'];

            if ($count >= $maxOrders) {
                return "Order limit exceeded for your IP. Please try again in " . self::cooldownMinutes($minutes, $maxOrders, $ip) . " minutes.";
            }
        }

        return null;
    }

    private static function cooldownMinutes(int $windowMinutes, int $max, string $ip): int
    {
        $conn   = \Bitrix\Main\Application::getConnection();
        $ipSafe = $conn->getSqlHelper()->forSql($ip);
        $from   = date('Y-m-d H:i:s', time() - $windowMinutes * 60);

        // Find the earliest of the last $max orders
        $oldest = $conn->query(
            "SELECT MIN(DATE_INSERT) dt FROM (
                SELECT DATE_INSERT FROM b_sale_order
                WHERE CREATED_BY_IP = '{$ipSafe}'
                  AND DATE_INSERT   >= '{$from}'
                ORDER BY DATE_INSERT ASC
                LIMIT {$max}
            ) sub"
        )->fetch()['dt'];

        if (!$oldest) return $windowMinutes;

        $oldestTs = strtotime($oldest);
        return max(1, (int)ceil(($oldestTs + $windowMinutes * 60 - time()) / 60));
    }
}

Event handler:

AddEventHandler('sale', 'OnBeforeOrderFinalAction', function(\Bitrix\Sale\Order $order) {
    if ($order->getId() > 0) return new \Bitrix\Main\EventResult(\Bitrix\Main\EventResult::SUCCESS);

    $ip    = $_SERVER['REMOTE_ADDR'] ?? '';
    $error = \Local\Fraud\IpOrderLimiter::check($ip);

    if ($error) {
        return new \Bitrix\Main\EventResult(
            \Bitrix\Main\EventResult::ERROR,
            new \Bitrix\Main\Error($error)
        );
    }

    return new \Bitrix\Main\EventResult(\Bitrix\Main\EventResult::SUCCESS);
});

nginx-level limits (first line of defense)

nginx handles limits before PHP, consuming no server resources:

# /etc/nginx/conf.d/order-limit.conf

# Zone for the checkout page
limit_req_zone $binary_remote_addr zone=checkout:10m rate=2r/m;

# Zone for order creation AJAX requests
limit_req_zone $binary_remote_addr zone=order_ajax:10m rate=5r/m;

server {
    # ...

    location = /order/ {
        limit_req zone=checkout burst=3 nodelay;
        limit_req_status 429;
        # ...
    }

    location ~ ^/local/ajax/(order|checkout) {
        limit_req zone=order_ajax burst=5 nodelay;
        limit_req_status 429;
        add_header Retry-After 60;
        # ...
    }
}

IP whitelist

Legitimate partners or internal IPs must not be subject to limits:

private static function isWhitelisted(string $ip): bool
{
    $whitelist = [
        '127.0.0.1',
        '::1',
        '10.0.0.0/8',     // internal network
        '192.168.0.0/16',
    ];

    foreach ($whitelist as $cidr) {
        if (str_contains($cidr, '/')) {
            if (self::ipInCidr($ip, $cidr)) return true;
        } elseif ($ip === $cidr) {
            return true;
        }
    }

    return false;
}

private static function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $mask] = explode('/', $cidr);
    return (ip2long($ip) & ~((1 << (32 - (int)$mask)) - 1)) === ip2long($subnet);
}

Logging and monitoring

Every limit trigger is logged:

\Bitrix\Main\Diag\Debug::writeToFile(
    [
        'ip'      => $ip,
        'limit'   => "{$count}/{$maxOrders} per {$minutes} min",
        'ua'      => $_SERVER['HTTP_USER_AGENT'] ?? '',
        'referer' => $_SERVER['HTTP_REFERER'] ?? '',
    ],
    'IP limit triggered',
    '/local/logs/ip-limits.log'
);

An agent runs once a day, parses the log, and sends a report: top 10 IPs by blocks, weekly trend.

Limit configuration

Store scenario	Recommended limits
Standard B2C	3/15min, 5/hour, 15/day
B2B with large orders	5/15min, 15/hour, 50/day
Sale (temporary)	10/15min, 30/hour

Limits are stored in the config or module options — they can be changed through the admin panel without a deployment.

1C Bitrix presentation 1C Bitrix24 presentation 1C Enterprise presentation