A few quick observations:

1. I think the config is way too complex for what I had in mind. I have not planned to provide custom rates per different server but rather a single value per user (client) in addition to the global (per reproxy) limiter.
2. I don't see a good reason for the most of options and to me, just a pair of req/seq will be sufficient for a simpler limiter this one supposed to be, like I proposed here
3. I see no need to alter metrics with this at all, metrics not supposed to be exposed to external customers
4. The Throttler inside of mgmt package seems to be misplaced, the mgmt package is for metrics and other to-be-developed internal things, not for the general consumption by clients
5. I'm not sure if we even need "stage two: per-server rate limit". I mean the plan and my current implementation deals with the overall limit (per reproxy instance) and per-client limit only and adding another ser for each server seems to overcomplicate the configuration

Just to reiterate - I don't want this limiter/throttler to be too customizable and too configurable, simplicity is the key here. This thing supposed to be a very basic limiter user can turn on, with a minimal configuration to protect the reproxy process (against some abuse/overload) as well as to limit activity per user for the same reason. More powerful and more configurable throttler(s) can be provided as a plugin.

That's alright. I guess there's a difference between what would be a minimal useful implementation.
For me personally, any feature that doesn't expose usage metrics doesn't make sense as if/when throttles are happening, I want to know about it. Just silent DDoS is probably something that is less useful in production in my view.