RateLimit
To Control the Number of Requests Going to a Service
The RateLimit middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
It is based on a token bucket implementation. In this analogy, the average parameter (defined below) is the rate at which the bucket refills, and the burst is the size (volume) of the bucket.
Configuration Example
Docker
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
Kubernetes
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
average: 100
burst: 200
Consul Catalog
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
"traefik.http.middlewares.test-ratelimit.ratelimit.burst": "200"
}
Rancher
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
File (YAML)
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
burst: 200
File (TOML)
# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 200 requests is allowed.
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
burst = 200
Configuration Options
average
average
is the maximum rate, by default in requests per second, allowed from a given source.
It defaults to 0
, which means no rate limiting.
The rate is actually defined by dividing average
by period
. So for a rate below 1 req/s, one needs to define a period
larger than a second.
Docker
# 100 reqs/s
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
Kubernetes
# 100 reqs/s
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
average: 100
Consul Catalog
# 100 reqs/s
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
}
Rancher
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
File (YAML)
# 100 reqs/s
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
File (TOML)
# 100 reqs/s
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
period
period
, in combination with average
, defines the actual maximum rate, such as:
r = average / period
It defaults to 1
second.
Docker
# 6 reqs/minute
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
Kubernetes
# 6 reqs/minute
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
period: 1m
average: 6
Consul Catalog
# 6 reqs/minute
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.average": "6",
"traefik.http.middlewares.test-ratelimit.ratelimit.period": "1m",
}
Rancher
# 6 reqs/minute
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
File (YAML)
# 6 reqs/minute
http:
middlewares:
test-ratelimit:
rateLimit:
average: 6
period: 1m
File (TOML)
# 6 reqs/minute
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 6
period = "1m"
burst
burst
is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
It defaults to 1
.
Docker
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
Kubernetes
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
burst: 100
Consul Catalog
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
}
Rancher
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
File (YAML)
http:
middlewares:
test-ratelimit:
rateLimit:
burst: 100
File (TOML)
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
burst = 100
sourceCriterion
The sourceCriterion
option defines what criterion is used to group requests as originating from a common source. If several strategies are defined at the same time, an error will be raised. If none are set, the default is to use the request’s remote address field (as an ipStrategy
).
sourceCriterion.ipStrategy
The ipStrategy
option defines two parameters that configures how Traefik determines the client IP: depth
, and excludedIPs
.
As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to X-Forwarded-For
during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in X-Forwarded-For
, it cannot be found and/or relied upon.
ipStrategy.depth
The depth
option tells Traefik to use the X-Forwarded-For
header and select the IP located at the depth
position (starting from the right).
- If
depth
is greater than the total number of IPs inX-Forwarded-For
, then the client IP is empty. depth
is ignored if its value is less than or equal to 0.
Example of Depth & X-Forwarded-For
If depth
is set to 2, and the request X-Forwarded-For
header is "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"
then the “real” client IP is "10.0.0.1"
(at depth 4) but the IP used as the criterion is "12.0.0.1"
(depth=2
).
X-Forwarded-For | depth | clientIP |
---|---|---|
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | 1 | “13.0.0.1” |
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | 3 | “11.0.0.1” |
“10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1” | 5 | “” |
Docker
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
Kubernetes
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
ipStrategy:
depth: 2
Consul Catalog
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth": "2"
}
Rancher
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
File (YAML)
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
depth: 2
File (TOML)
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
depth = 2
ipStrategy.excludedIPs
Contrary to what the name might suggest, this option is not about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs.
If depth
is specified, excludedIPs
is ignored.
excludedIPs
is meant to address two classes of somewhat distinct use-cases:
Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others, to its own rate-limit “bucket” (cf the leaky bucket analogy). In this case,
excludedIPs
should be set to match the list ofX-Forwarded-For IPs
that are to be excluded, in order to find the actual clientIP.Each IP as a distinct source
X-Forwarded-For excludedIPs clientIP “10.0.0.1,11.0.0.1,12.0.0.1”
“11.0.0.1,12.0.0.1”
“10.0.0.1”
“10.0.0.2,11.0.0.1,12.0.0.1”
“11.0.0.1,12.0.0.1”
“10.0.0.2”
Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source, and all contribute to the same rate-limit bucket.
Group IPs together as same source
X-Forwarded-For excludedIPs clientIP “10.0.0.1,11.0.0.1,12.0.0.1”
“12.0.0.1”
“11.0.0.1”
“10.0.0.2,11.0.0.1,12.0.0.1”
“12.0.0.1”
“11.0.0.1”
“10.0.0.3,11.0.0.1,12.0.0.1”
“12.0.0.1”
“11.0.0.1”
For completeness, below are additional examples to illustrate how the matching works. For a given request the list of X-Forwarded-For
IPs is checked from most recent to most distant against the excludedIPs
pool, and the first IP that is not in the pool (if any) is returned.
Matching for clientIP
X-Forwarded-For | excludedIPs | clientIP |
---|---|---|
“10.0.0.1,11.0.0.1,13.0.0.1” | “11.0.0.1” | “13.0.0.1” |
“10.0.0.1,11.0.0.1,13.0.0.1” | “15.0.0.1,16.0.0.1” | “13.0.0.1” |
“10.0.0.1,11.0.0.1” | “10.0.0.1,11.0.0.1” | “” |
Docker
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
Kubernetes
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
Consul Catalog
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}
Rancher
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
File (YAML)
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
File (TOML)
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
sourceCriterion.requestHeaderName
Name of the header used to group incoming requests.
Docker
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
Kubernetes
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
requestHeaderName: username
Consul Catalog
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
}
Rancher
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
File (YAML)
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
requestHeaderName: username
File (TOML)
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHeaderName = "username"
sourceCriterion.requestHost
Whether to consider the request host as the source.
Docker
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
Kubernetes
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
requestHost: true
Consul Catalog
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
Marathon
"labels": {
"traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
}
Rancher
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
File (YAML)
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
requestHost: true
File (TOML)
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHost = true