# Request rate limiting
To limit the number of requests on a given path in a given period of time, use `ActionRequestLimiter` as in the example below.
# Configuration sample
With this sample YAML file, 5 requests every 2 seconds are allowed for a given IP.
```yaml
---
apiVersion: core/v1beta
kind: App
metadata:
  name: myweb
spec:
  name: myweb.com
  workflow: main
  backend: http://mybackend.com
---
apiVersion: core/v1beta
kind: Workflow
metadata:
  name: main
spec:
  entrypoint: main
  source: |-
    package main
    func main() {
      ActionRequestLimiter(Args{
        "time": "2",
        "counter": "5",
        "key_limitation_list": "IP",
        "use_key_list": "true",
        "ctl_user_agent": "false",
        "dstore_uid": "defaultdatastore",
        "scache_uid": "defaultsessioncache",
      })
      if "http.request-limiter.blocked" == "true" {
        ActionGenerateResponse(Args{"status": "403", "content": "403 Forbidden"})
      } else {
        ActionGenerateResponse(Args{"status": "200", "content": "200 Ok"})
      }
    }
```
# Limitation keys
Limitation keys are criteria of the request that are used as the counter's key. All requests with the same limitation key value share the same counter and therefore the same request rate limit.
For example, with an IP limitation key, the limitation is applied to a given source IP.
# Predefined limitations
If `use_key_list` is set to `true`, one of the following criteria is used to limit requests.
# Limitation by IP
To apply limits based on the client source IP, set:
- `use_key_list` to `true`
- `key_limitation_list` to `IP`

To apply limits based on the client source IP AND user agent, additionally set:
- `ctl_user_agent` to `true`
# Limitation by Session
R&S®Trusted Application Factory creates a cookie to store each user's session. To apply limits based on this client's session id, set:
- `use_key_list` to `true`
- `key_limitation_list` to `SESSION`
- `dstore_uid`: `defaultdatastore`
- `scache_uid`: `defaultsessioncache`
# Limitation by Cookie
A typical use of this is when the backend uses a cookie to identify the user. In this case, this cookie's value can be used as a limitation key. To apply limits based on the value of a cookie, set:
- `use_key_list` to `true`
- `key_limitation_list` to `COOKIE`
- `cookie_name` to the name of the cookie
- `dstore_uid`: `defaultdatastore`
# No limitation key
To block requests as soon as the configured number of requests is reached, regardless of the client, set:
- `use_key_list` to `true`
- `key_limitation_list` to `ALL`
- `dstore_uid`: `defaultdatastore`
# Custom limitation keys
To build a custom limitation key, `use_key_list` must be set to `false`.
A custom limitation key can then be set with `key_expression`.
For example, to limit the number of requests per unit of time on a given path, set `key_expression` to `${http.request.path}`.
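
The following Go sketch is an added example, not R&S®Trusted Application Factory code: it models how the choice of limitation key partitions the counters by replaying one constructed trace against the sample's limit of 5 requests per 2 seconds. The fixed-window counting, the key formats and the names `Req`, `Keys`, `Blocked` and `SampleTrace` are assumptions made for illustration.

```go
package main

import "fmt"

type Req struct {
	At                   float64 // seconds since the start of the trace
	IP, UA, Cookie, Path string
}

// Keys models the page's limitation keys: requests with equal key values share a counter.
var Keys = map[string]func(Req) string{
	"IP":     func(r Req) string { return r.IP },
	"IP+UA":  func(r Req) string { return r.IP + "|" + r.UA }, // ctl_user_agent: true
	"COOKIE": func(r Req) string { return r.Cookie },
	"ALL":    func(r Req) string { return "" },     // one counter for every client
	"PATH":   func(r Req) string { return r.Path }, // key_expression: ${http.request.path}
}

// Blocked replays time-ordered requests through a fixed-window counter (assumed algorithm).
func Blocked(reqs []Req, key func(Req) string, counter int, window float64) int {
	start, count, blocked := map[string]float64{}, map[string]int{}, 0
	for _, r := range reqs {
		k := key(r)
		if s, ok := start[k]; !ok || r.At-s >= window { // first request or window expired
			start[k], count[k] = r.At, 0
		}
		if count[k]++; count[k] > counter {
			blocked++
		}
	}
	return blocked
}

func SampleTrace() (t []Req) {
	add := func(n int, ip, cookie, path string, uas ...string) {
		for i := 0; i < n; i++ {
			t = append(t, Req{float64(len(t)) * 0.05, ip, uas[i%len(uas)], cookie, path})
		}
	}
	add(8, "198.51.100.7", "a", "/login", "ua-1", "ua-2") // constructed client A
	add(3, "198.51.100.7", "b", "/home", "ua-1")          // constructed client B, same NAT address as A
	add(4, "203.0.113.9", "c", "/login", "ua-3")          // constructed client C
	return t
}

func main() {
	for _, k := range []string{"IP", "IP+UA", "COOKIE", "ALL", "PATH"} {
		fmt.Printf("%-6s blocked=%d\n", k, Blocked(SampleTrace(), Keys[k], 5, 2))
	}
}
```

On this 15-request trace the same limit blocks 6 requests when keyed by IP, 2 by IP and user agent, 3 by cookie, 10 with `ALL` and 7 by path, so the key decides which clients share a budget.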