security – Can I use rate-limiting with HTTP basic authentication in Apache?

So I’m running a few popular web applications on my server. I want these to be reachable from any computer without creating too many vulnerabilities.

I am using Apache 2.4.29 as my HTTP server. My current idea for hiding potential security vulnerabilities in my applications from attackers is to enable HTTP basic authentication (AuthType Basic) for the relevant virtual hosts as an additional security layer. Of course, I’m only allowing SSL connections.

Now this is all quite easy to accomplish. But my question is this: how can I best avoid brute force style attacks with HTTP basic authentication? I.e., how can I enable rate limiting?

My current plan is something like this:

Since I’m using ufw (Uncomplicated Firewall) to limit SSH connections, I thought I could do the same on a specific port I use for HTTPS. However, I see two problems with this:

  1. Can’t an attacker just use Connection: Keep-Alive and keep trying different passwords without even reconnecting? So limiting incoming connections wouldn’t be of any use here.
  2. If I disabled Connection: Keep-Alive somehow, I guess I would run into trouble with the underlying web applications, since they would require a lot of individual connections so the browser can retrieve additional files.

It would be perfect if I could instruct Apache to only keep the connection going for authenticated users and drop it for failed attempts. Is there a way to do this? I am actually not sure what is the default behavior and don’t understand enough about HTTP to easily test this.