Skip to main content

RateLimit

The RateLimit middleware ensures that services will receive a fair amount of requests, and allows you to define what fair is.

It is based on a token bucket implementation.


Configuration Example

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
namespace: traefik
spec:
rateLimit:
burst: 100
period: 1m
average: 6

Rate and Burst

The rate is defined by dividing average by period. For a rate below 1 req/s, define a period larger than a second

The middleware is based on a token bucket implementation. In this analogy, the average and period parameters define the rate at which the bucket refills, and the burst is the size (volume) of the bucket.

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
burst: 100
period: 1m
average: 6

In the example above, the middleware allows up to 100 connections in parallel (burst). Each connection consume a token, once the 100 tokens are consumed, the other ones are blocked until at least one token is available in the bucket.

When the bucket is not full, on token is generated every 10 seconds (6 every 1 minutes (period / average)).

Configuration Options

FieldDescriptionDefaultRequired
averageNumber of requests used to define the rate using the period.
0 means no rate limiting.
More information here.
0No
periodPeriod of time used to define the rate.
More information here.
1sNo
burstMaximum number of requests allowed to go through at the very same moment.
More information here.
1No
sourceCriterion.requestHostWhether to consider the request host as the source.
More information about sourceCriterionhere.
falseNo
sourceCriterion.requestHeaderNameName of the header used to group incoming requests.
More information about sourceCriterionhere.
""No
sourceCriterion.ipStrategy.depthDepth position of the IP to select in the X-Forwarded-For header (starting from the right).
0 means no depth.
If greater than the total number of IPs in X-Forwarded-For, then the client IP is empty
If higher than 0, the excludedIPs options is not evaluated.
More information about sourceCriterion, ipStrategy, and depth below.
0No
sourceCriterion.ipStrategy.excludedIPsAllows scanning the X-Forwarded-For header and select the first IP not in the list.
If depth is specified, excludedIPs is ignored.
More information about sourceCriterion, ipStrategy, and excludedIPs below.
No
sourceCriterion.ipStrategy.ipv6SubnetIf ipv6Subnet is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
More information about sourceCriterion, ipStrategy.ipv6Subnet below.
No

sourceCriterion

The sourceCriterion option defines what criterion is used to group requests as originating from a common source. If several strategies are defined at the same time, an error will be raised. If none are set, the default is to use the request's remote address field (as an ipStrategy).

Check out the OIDC + RateLimit/Distributed guide to see this option in action.

ipStrategy

The ipStrategy option defines three parameters that configures how Traefik determines the client IP: depth, excludedIPs and ipv6Subnet.

As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to X-Forwarded-For during the last stages of proxying, that is after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in X-Forwarded-For, it cannot be found and/or relied upon.

sourceCriterion.ipStrategy.ipv6Subnet

This strategy applies to Depth and RemoteAddr strategy only. If ipv6Subnet is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.

This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.

  • ipv6Subnet is ignored if its value is outside of 0-128 interval

Example of ipv6Subnet

If ipv6Subnet is provided, the IP is transformed in the following way.

IPipv6SubnetclientIP
"::abcd:1111:2222:3333"64"::0:0:0:0"
"::abcd:1111:2222:3333"80"::abcd:0:0:0:0"
"::abcd:1111:2222:3333"96"::abcd:1111:0:0:0"

sourceCriterion.ipStrategy.depth

If depth is set to 2, and the request X-Forwarded-For header is "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" then the "real" client IP is "10.0.0.1" (at depth 4) but the IP used as the criterion is "12.0.0.1" (depth=2).

X-Forwarded-FordepthclientIP
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"1"13.0.0.1"
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"3"11.0.0.1"
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"5""

sourceCriterion.ipStrategy.excludedIPs

Contrary to what the name might suggest, this option is not about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs.

excludedIPs is meant to address two classes of somewhat distinct use-cases:

  1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others, to its own rate-limit "bucket" (cf the token bucket). In this case, excludedIPs should be set to match the list of X-Forwarded-For IPs that are to be excluded, in order to find the actual clientIP.

Example to use each IP as a distinct source:

X-Forwarded-ForexcludedIPsclientIP
"10.0.0.1,11.0.0.1,12.0.0.1""11.0.0.1,12.0.0.1""10.0.0.1"
"10.0.0.2,11.0.0.1,12.0.0.1""11.0.0.1,12.0.0.1""10.0.0.2"
  1. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source, and all contribute to the same rate-limit bucket.

Example to group IPs together as same source:

X-Forwarded-ForexcludedIPsclientIP
"10.0.0.1,11.0.0.1,12.0.0.1""12.0.0.1""11.0.0.1"
"10.0.0.2,11.0.0.1,12.0.0.1""12.0.0.1""11.0.0.1"
"10.0.0.3,11.0.0.1,12.0.0.1""12.0.0.1""11.0.0.1"