RateLimit¶
To Control the Number of Requests Going to a Service
The RateLimit middleware ensures that services will receive a fair number of requests, and allows one to define what fair is.
Configuration Example¶
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
average: 100
burst: 50
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
"traefik.http.middlewares.test-ratelimit.ratelimit.burst": "50"
}
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
burst = 50
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
burst: 50
Configuration Options¶
average
¶
average
is the maximum rate, by default in requests by second, allowed for the given source.
It defaults to 0
, which means no rate limiting.
The rate is actually defined by dividing average
by period
.
So for a rate below 1 req/s, one needs to define a period
larger than a second.
# 100 reqs/s
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
# 100 reqs/s
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
average: 100
# 100 reqs/s
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
}
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
# 100 reqs/s
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
# 100 reqs/s
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
period
¶
period
, in combination with average
, defines the actual maximum rate, such as:
r = average / period
It defaults to 1
second.
# 6 reqs/minute
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
# 6 reqs/minute
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
period: 1m
average: 6
# 6 reqs/minute
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
"traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
}
# 6 reqs/minute
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
# 6 reqs/minute
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 6
period = 1m
# 6 reqs/minute
http:
middlewares:
test-ratelimit:
rateLimit:
average: 6
period: 1m
burst
¶
burst
is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
It defaults to 1
.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
burst: 100
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
}
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
burst = 100
http:
middlewares:
test-ratelimit:
rateLimit:
burst: 100
sourceCriterion
¶
SourceCriterion defines what criterion is used to group requests as originating from a common source.
The precedence order is ipStrategy
, then requestHeaderName
, then requestHost
.
If none are set, the default is to use the request's remote address field (as an ipStrategy
).
sourceCriterion.ipStrategy
¶
The ipStrategy
option defines two parameters that sets how Traefik will determine the client IP: depth
, and excludedIPs
.
ipStrategy.depth
¶
The depth
option tells Traefik to use the X-Forwarded-For
header and take the IP located at the depth
position (starting from the right).
- If
depth
is greater than the total number of IPs inX-Forwarded-For
, then the client IP will be empty. depth
is ignored if its value is lesser than or equal to 0.
Example of Depth & X-Forwarded-For
If depth
was equal to 2, and the request X-Forwarded-For
header was "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"
then the "real" client IP would be "10.0.0.1"
(at depth 4) but the IP used as the criterion would be "12.0.0.1"
(depth=2
).
X-Forwarded-For |
depth |
clientIP |
---|---|---|
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" |
1 |
"13.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" |
3 |
"11.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" |
5 |
"" |
ipStrategy.excludedIPs
¶
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
excludedIPs
tells Traefik to scan the X-Forwarded-For
header and pick the first IP not in the list.
If depth
is specified, excludedIPs
is ignored.
Example of ExcludedIPs & X-Forwarded-For
X-Forwarded-For |
excludedIPs |
clientIP |
---|---|---|
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" |
"12.0.0.1,13.0.0.1" |
"11.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" |
"15.0.0.1,13.0.0.1" |
"12.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" |
"10.0.0.1,13.0.0.1" |
"12.0.0.1" |
"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" |
"15.0.0.1,16.0.0.1" |
"13.0.0.1" |
"10.0.0.1,11.0.0.1" |
"10.0.0.1,11.0.0.1" |
"" |
sourceCriterion.requestHeaderName
¶
Requests having the same value for the given header are grouped as coming from the same source.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
requestHeaderName: username
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
}
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHeaderName = "username"
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
requestHeaderName: username
sourceCriterion.requestHost
¶
Whether to consider the request host as the source.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
requestHost: true
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
}
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHost = true
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
requestHost: true