
Version: 2.13.2304

Rate Limiting

APISIX/API7 EE supports three rate limiting models for HTTP:

| Requirement | Plugin |
| --- | --- |
| Number of connections | limit-conn |
| Number of requests per second | limit-req |
| Number of requests in a fixed time window | limit-count |

Choose among them according to the actual scenario.

Prepare environment

Please refer to API7 EE Introduction to complete the environment preparation.

Configure the rate limit plugin

Create a plugin template with the limit-req, limit-conn, and limit-count plugins enabled, using the following configurations, as described in API7 EE Introduction.

limit-req: allow one request per second

{
  "rate": 1,
  "burst": 0,
  "key_type": "var",
  "key": "remote_addr",
  "rejected_code": 503
}

limit-conn: allow a new connection per second

{
  "conn": 1,
  "burst": 0,
  "default_conn_delay": 1,
  "key_type": "var",
  "key": "remote_addr",
  "rejected_code": 503
}

limit-count: 3 requests are allowed every 60 seconds

{
  "count": 3,
  "time_window": 60,
  "key_type": "var",
  "key": "remote_addr",
  "rejected_code": 503,
  "policy": "local",
  "show_limit_quota_header": true
}
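The following added example (not API7's or APISIX's code) models the limit-count and limit-req settings above in Python and replays a constructed request timeline: a fixed window of 3 requests per 60 seconds on its own admits a cluster of requests around the window expiry, while stacking limit-req on top holds the same client to one request per second. The limiter classes, the client address 203.0.113.7, the timestamps, and the assumption that a window opens at a key's first request are illustrative.

```python
# Simplified models (assumptions, not APISIX source) using the page's settings.
REJECTED_CODE = 503

class FixedWindow:
    """limit-count model: `count` requests per `time_window` seconds per key.
    Assumes the window opens at a key's first request and expires after time_window."""
    def __init__(self, count, time_window):
        self.count, self.time_window = count, time_window
        self.state = {}  # key -> [expires_at, remaining]

    def allow(self, key, now):
        entry = self.state.get(key)
        if entry is None or now >= entry[0]:
            entry = self.state[key] = [now + self.time_window, self.count]
        if entry[1] <= 0:
            return False
        entry[1] -= 1
        return True

class LeakyBucket:
    """limit-req model: steady `rate` requests/second with `burst` extra allowed."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # key -> (excess, last_accepted_time)

    def allow(self, key, now):
        excess, last = self.state.get(key, (0.0, None))
        if last is not None:
            excess = max(excess - self.rate * (now - last) + 1, 0.0)
        if excess > self.burst:
            return False  # rejected requests do not update the bucket
        self.state[key] = (excess, now)
        return True

def replay(limiters, events):
    """Run (time, key) events through every limiter in order; return status codes."""
    return [200 if all(l.allow(key, t) for l in limiters) else REJECTED_CODE
            for t, key in events]

# Constructed timeline: one client, requests clustered around the window expiry at t=60.
EVENTS = [(t, "203.0.113.7") for t in (0, 59, 59.5, 60, 60.5, 61)]

def count_only():
    return replay([FixedWindow(count=3, time_window=60)], EVENTS)

def count_then_req():
    return replay([FixedWindow(3, 60), LeakyBucket(rate=1, burst=0)], EVENTS)

if __name__ == "__main__":
    print("limit-count only      :", count_only())
    print("limit-count+limit-req :", count_then_req())
```

In this model a request that passes the fixed-window check but is rejected by the leaky bucket still consumes window quota, so the two limits are not independent.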

Test

limit-req

Request the API twice in quick succession.

It is best to use a shell to generate the requests quickly.

curl 127.0.0.1/anything -i -H "Host: example.com"

The first result:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 425
Connection: keep-alive
Date: Sun, 19 Mar 2023 07:11:03 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2304

{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Host": "example.com",
"User-Agent": "curl/7.81.0",
"X-Amzn-Trace-Id": "Root=1-6416b587-60ffe3423031284c6c9181d6",
"X-Forwarded-Host": "example.com"
},
"json": null,
"method": "GET",
"origin": "172.19.0.1, 146.190.80.65",
"url": "https://example.com/anything"
}

The second result: the rate limit has been triggered

HTTP/1.1 503 Service Temporarily Unavailable
Date: Sun, 19 Mar 2023 07:11:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 269
Connection: keep-alive
Server: APISIX/2.13.2304

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>openresty</center>
<p><em>Powered by <a href="https://apisix.apache.org/">APISIX</a>.</em></p></body>
</html>

limit-conn

Request the API twice in quick succession.

curl 127.0.0.1/anything -i -H "Host: example.com"

The first result:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 395
Connection: keep-alive
Date: Sun, 19 Mar 2023 07:21:23 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2304

{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Host": "example.com",
"User-Agent": "curl/7.81.0",
"X-Amzn-Trace-Id": "Root=1-6416b7f3-1f4852d71e1c39585a44545e",
"X-Forwarded-Host": "example.com"
},
"json": null,
"method": "GET",
"origin": "172.19.0.1, 146.190.80.65",
"url": "https://example.com/anything"
}

The second result: the rate limit has been triggered

HTTP/1.1 503 Service Temporarily Unavailable
Date: Sun, 19 Mar 2023 07:21:23 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 269
Connection: keep-alive
Server: APISIX/2.13.2304

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>openresty</center>
<p><em>Powered by <a href="https://apisix.apache.org/">APISIX</a>.</em></p></body>
</html>

limit-count

Request 4 times in 1 minute.

curl 127.0.0.1/anything -i -H "Host: example.com"

The 1st result: the X-RateLimit headers report the configuration and status of the rate limit

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 395
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 2
Date: Sun, 19 Mar 2023 07:31:07 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2304

<json response>

The 2nd result:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 395
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 1
Date: Sun, 19 Mar 2023 07:31:53 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2304

<json response>

The 3rd result:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 395
Connection: keep-alive
X-RateLimit-Limit: 3
X-RateLimit-Remaining: 0
Date: Sun, 19 Mar 2023 07:32:25 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Server: APISIX/2.13.2304

<json response>

The 4th result: the rate limit is triggered after the configured number of requests

HTTP/1.1 503 Service Temporarily Unavailable
Date: Sun, 19 Mar 2023 07:32:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 269
Connection: keep-alive
Server: APISIX/2.13.2304

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>openresty</center>
<p><em>Powered by <a href="https://apisix.apache.org/">APISIX</a>.</em></p></body>
</html>
