Skip to content
Kong Gateway 2.8 Increases Security and Simplifies API Management.  —Learn More →
|
search
Plugin Hub
header icon

GraphQL Rate Limiting Advanced

The GraphQL Rate Limiting Advanced plugin provides rate limiting for GraphQL queries. The GraphQL Rate Limiting plugin extends the Rate Limiting Advanced plugin.

Configuration Reference

This plugin is partially compatible with DB-less mode.

In DB-less mode, you configure Kong Gateway declaratively. Therefore, the Admin API is mostly read-only. The only tasks it can perform are all related to handling the declarative config, including:

  • Setting a target's health status in the load balancer
  • Validating configurations against schemas
  • Uploading the declarative configuration using the /config endpoint

The cluster strategy is not supported in DB-less and hybrid modes. For Kong Gateway in DB-less or hybrid mode, use the redis strategy.

Enable the plugin on a service

For example, configure this plugin on a service by making the following request:

curl -X POST http://{HOST}:8001/services/{SERVICE}/plugins \
    --data "name=graphql-rate-limiting-advanced"  \
    --data "config.cost_strategy=default" \
    --data "config.limit=5" \
    --data "config.window_size=30" \
    --data "config.identifier=consumer" \
    --data "config.dictionary_name=kong_rate_limiting_counters" \
    --data "config.sync_rate=-1" \
    --data "config.strategy=cluster" \
    --data "config.window_type=sliding"

SERVICE is the id or name of the service that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: <graphql-rate-limiting-advanced-example>
config: 
  cost_strategy: default
  limit:
  - 5
  window_size:
  - 30
  identifier: consumer
  dictionary_name: kong_rate_limiting_counters
  sync_rate: -1
  strategy: cluster
  window_type: sliding
plugin: graphql-rate-limiting-advanced

Next, apply the KongPlugin resource to a Service by annotating the Service as follows:

apiVersion: v1
kind: Service
metadata:
  name: {SERVICE}
  labels:
    app: {SERVICE}
  annotations:
    konghq.com/plugins: <graphql-rate-limiting-advanced-example>
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: {SERVICE}
  selector:
    app: {SERVICE}

{SERVICE} is the id or name of the service that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

For example, configure this plugin on a service by adding this section to your declarative configuration file:

plugins:
- name: graphql-rate-limiting-advanced
  service: {SERVICE}
  config: 
    cost_strategy: default
    limit:
    - 5
    window_size:
    - 30
    identifier: consumer
    dictionary_name: kong_rate_limiting_counters
    sync_rate: -1
    strategy: cluster
    window_type: sliding

SERVICE is the id or name of the service that this plugin configuration will target.

Configure this plugin on a service:

  1. In Konnect Cloud, select the service on the ServiceHub page.
  2. Scroll down to Versions and select the version.
  3. Scroll down to Plugins and click New Plugin.
  4. Find and select the GraphQL Rate Limiting Advanced plugin.

  5. Enter the following parameters, updating the default or sample values as needed:

    • Config.Cost Strategy: default
    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Dictionary Name: kong_rate_limiting_counters
    • Config.Sync Rate: -1
    • Config.Window Type: sliding
  6. Click Create.

Configure this plugin on a service:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, scroll down to Services and click View for the service row.
  3. Scroll down to plugins and click Add Plugin.

  4. Find and select the GraphQL Rate Limiting Advanced plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, select Scoped.
  6. Add the service name and ID to the Service field if it is not already prefilled.

  7. Enter the following parameters, updating the default or sample values as needed:

    • Config.Cost Strategy: default
    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Dictionary Name: kong_rate_limiting_counters
    • Config.Sync Rate: -1
    • Config.Window Type: sliding
  8. Click Create.

Enable the plugin on a route

For example, configure this plugin on a route with:

$ curl -X POST http://{HOST}:8001/routes/{ROUTE}/plugins \
    --data "name=graphql-rate-limiting-advanced"  \
    --data "config.cost_strategy=default" \
    --data "config.limit=5" \
    --data "config.window_size=30" \
    --data "config.identifier=consumer" \
    --data "config.dictionary_name=kong_rate_limiting_counters" \
    --data "config.sync_rate=-1" \
    --data "config.strategy=cluster" \
    --data "config.window_type=sliding"

ROUTE is the id or name of the route that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: <graphql-rate-limiting-advanced-example>
config: 
  cost_strategy: default
  limit:
  - 5
  window_size:
  - 30
  identifier: consumer
  dictionary_name: kong_rate_limiting_counters
  sync_rate: -1
  strategy: cluster
  window_type: sliding
plugin: graphql-rate-limiting-advanced

Then, apply it to an ingress (Route or Routes) by annotating the ingress as follows:

apiVersion: networking/v1beta1
kind: Ingress
metadata:
  name: {ROUTE}
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: <graphql-rate-limiting-advanced-example>
spec:
  rules:
  - host: examplehostname.com
    http:
      paths:
      - path: /bar
        backend:
          serviceName: echo
          servicePort: 80

ROUTE is the id or name of the route that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

For example, configure this plugin on a route by adding this section to your declarative configuration file:

plugins:
- name: graphql-rate-limiting-advanced
  route: <route>
  config: 
    cost_strategy: default
    limit:
    - 5
    window_size:
    - 30
    identifier: consumer
    dictionary_name: kong_rate_limiting_counters
    sync_rate: -1
    strategy: cluster
    window_type: sliding

ROUTE is the id or name of the route that this plugin configuration will target.

Configure this plugin on a route:

  1. In Konnect Cloud, select the service from the ServiceHub page.
  2. Scroll down to Versions and select the version.
  3. Select the route.
  4. Scroll down to Plugins and click Add Plugin.
  5. Find and select the GraphQL Rate Limiting Advanced plugin.

  6. Enter the following parameters, updating the default or sample values as needed:

    • Config.Cost Strategy: default
    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Dictionary Name: kong_rate_limiting_counters
    • Config.Sync Rate: -1
    • Config.Window Type: sliding
  7. Click Create.

Configure this plugin on a route:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, select Routes in the left navigation.
  3. Click View for the route row.
  4. Scroll down to plugins and click Add Plugin.

  5. Find and select the GraphQL Rate Limiting Advanced plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  6. If the option is available, select Scoped.
  7. Add the Route ID if it is not already prefilled.

  8. Enter the following parameters, updating the default or sample values as needed:

    • Config.Cost Strategy: default
    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Dictionary Name: kong_rate_limiting_counters
    • Config.Sync Rate: -1
    • Config.Window Type: sliding
  9. Click Create.

Enable the plugin globally

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

For example, configure this plugin globally with:

$ curl -X POST http://{HOST}:8001/plugins/ \
    --data "name=graphql-rate-limiting-advanced"  \
    --data "config.cost_strategy=default" \
    --data "config.limit=5" \
    --data "config.window_size=30" \
    --data "config.identifier=consumer" \
    --data "config.dictionary_name=kong_rate_limiting_counters" \
    --data "config.sync_rate=-1" \
    --data "config.strategy=cluster" \
    --data "config.window_type=sliding"

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-graphql-rate-limiting-advanced>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: \"true\"
config: 
  cost_strategy: default
  limit:
  - 5
  window_size:
  - 30
  identifier: consumer
  dictionary_name: kong_rate_limiting_counters
  sync_rate: -1
  strategy: cluster
  window_type: sliding
plugin: graphql-rate-limiting-advanced

For example, configure this plugin using the plugins: entry in the declarative configuration file:

plugins:
- name: graphql-rate-limiting-advanced
  config: 
    cost_strategy: default
    limit:
    - 5
    window_size:
    - 30
    identifier: consumer
    dictionary_name: kong_rate_limiting_counters
    sync_rate: -1
    strategy: cluster
    window_type: sliding

Configure this plugin globally:

  1. In Kong Manager, select the workspace.
  2. From the Dashboard, select Plugins in the left navigation.
  3. Click New Plugin.

  4. Find and select the GraphQL Rate Limiting Advanced plugin.

    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, set the plugin scope to Global.

  6. Enter the following parameters, updating the default/sample values as needed:

    • Config.Cost Strategy: default
    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Dictionary Name: kong_rate_limiting_counters
    • Config.Sync Rate: -1
    • Config.Window Type: sliding
  7. Click Create.

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

Form Parameter Description
name
required

Type: string		 The name of the plugin, in this case graphql-rate-limiting-advanced.
service.id

Type: string		 The ID of the Service the plugin targets.
route.id

Type: string		 The ID of the Route the plugin targets.
enabled
required

Type: boolean

Default value: true		 Whether this plugin will be applied.
config.cost_strategy
required

Type: string

Default value: default

Strategy to use to evaluate query costs. Either default or node_quantifier. See default and node_quantifier respectively.
config.max_cost
optional

Type: number

Default value: 0

A defined maximum cost per query. 0 means unlimited.
config.score_factor
optional

Type: number

Default value: 1

A scoring factor to multiply (or divide) the cost. The score_factor must always be greater than 0.
config.limit
required

Type: array of number elements

One or more requests-per-window limits to apply.
config.window_size
required

Type: array of number elements

One or more window sizes to apply a limit to (defined in seconds).
config.identifier
required

Type: string

Default value: consumer

How to define the rate limit key. Can be ip, credential, consumer.
config.header_name
semi-optional

Type: string

Header name to use as the rate limit key when the header identifier is defined.
config.dictionary_name
required

Type: string

Default value: kong_rate_limiting_counters

The shared dictionary where counters will be stored until the next sync cycle.
config.sync_rate
required

Type: number

How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.
config.namespace
optional

Type: string

Default value: random string

The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is shared in a namespace.
config.strategy

Type: string

Default value: cluster

The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are:

  • cluster: Counters are stored in the Kong datastore and shared across the nodes.
  • redis: Counters are stored on a Redis server and shared across the nodes.

In DB-less and hybrid modes, the cluster config strategy is not supported.

In Konnect Cloud, the default strategy is redis.

There is no local storage strategy. However, you can achieve local rate limiting by using a placeholder strategy value (either cluster or redis) and a sync_rate of -1. This setting stores counters in-memory on the node.

If using redis as the placeholder value, you must fill in all additional redis configuration parameters with placeholder values.

For details on which strategy should be used, refer to the implementation considerations.
config.redis.host
semi-optional

Type: string

Host to use for Redis connection when the redis strategy is defined.
config.redis.port
semi-optional

Type: integer

Port to use for Redis connection when the redis strategy is defined.
config.redis.ssl
optional

Type: boolean

Default value: false

If set to true, then uses SSL to connect to Redis.

Note: This parameter is only available for Kong Gateway versions 2.2.x and later.
config.redis.ssl_verify
optional

Type: boolean

Default value: false

If set to true, then verifies the validity of the server SSL certificate. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your redis server. You may also need to configure lua_ssl_verify_depth accordingly.

Note: This parameter is only available for Kong Gateway versions 2.2.x and later.
config.redis.server_name
optional

Type: string

Specifies the server name for the new TLS extension Server Name Indication (SNI) when connecting over SSL.

Note: This parameter is only available for Kong Gateway versions 2.2.x and later.
config.redis.timeout
semi-optional

Type: number

Default value: 2000

Connection timeout (in milliseconds) to use for Redis connection when the redis strategy is defined.
config.redis.username
semi-optional

Type: string

Username to use for Redis connection when the redis strategy is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
config.redis.password
semi-optional

Type: string

Password to use for Redis connection when the redis strategy is defined. If undefined, no AUTH commands are sent to Redis.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
config.redis.database
semi-optional

Type: integer

Default value: 0

Database to use for Redis connection when the redis strategy is defined.
config.redis.sentinel_master
semi-optional

Type: string

Sentinel master to use for Redis connection when the redis strategy is defined. Defining this value implies using Redis Sentinel.
config.redis.sentinel_username
semi-optional

Type: string

Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication will not be performed. This requires Redis v6.2.0+.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
config.redis.sentinel_password
semi-optional

Type: string

Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.
config.redis.sentinel_role
semi-optional

Type: string

Sentinel role to use for Redis connection when the redis strategy is defined. Defining this value implies using Redis Sentinel.
config.redis.sentinel_addresses
semi-optional

Type: array of string elements

Sentinel addresses to use for Redis connection when the redis strategy is defined. Defining this value implies using Redis Sentinel.
config.redis.cluster_addresses
semi-optional

Type: array of string elements

Cluster addresses to use for Redis connection when the redis strategy is defined. Defining this value implies using Redis cluster.
config.redis.keepalive_backlog
optional

Type: integer

If specified, limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. Once the backlog queue is full, subsequent connect operations will fail and return nil. Queued connect operations resume once the number of connections in the pool is less than keepalive_pool_size. Note that queued connect operations are subject to set timeouts.
config.redis.keepalive_pool
optional

Type: string

Default value: generated from string template

The custom name of the connection pool. If not specified, the connection pool name is generated from the string template "<host>:<port>" or "<unix-socket-path>".
config.redis.keepalive_pool_size
optional

Type: integer

Default value: 30

The size limit for every cosocket connection pool associated with every remote server, per worker process. If no keepalive_pool_size is specified and no keepalive_backlog is specified, no pool is created. If no keepalive_pool_size is specified and keepalive_backlog is specified, then the pool uses the default value 30.
config.window_type
required

Type: string

Default value: sliding

Sets the time window to either sliding or fixed.
config.hide_client_headers
optional

Type: boolean

Default value: false

Optionally hide informative response headers. Available options: true or false.

Note: Redis configuration values are ignored if the cluster strategy is used.

Notes:

  • PostgreSQL 9.5+ is required when using the cluster strategy with postgres as the backing Kong cluster data store. This requirement varies from the PostgreSQL 9.4+ requirement as described in the Kong Community Edition documentation.

  • The dictionary_name directive was added to prevent the usage of the kong shared dictionary, which could lead to no memory errors.

The GraphQL Rate Limiting Advanced plugin is an extension of the Rate Limiting Advanced plugin and provides rate limiting for GraphQL queries.

Due to the nature of client-specified GraphQL queries, the same HTTP request to the same URL with the same method can vary greatly in cost depending on the semantics of the GraphQL operation in the body.

A common pattern to protect your GraphQL API is then to analyze and assign costs to incoming GraphQL queries and rate limit the consumer’s cost for a given time window.

Costs in GraphQL queries

GraphQL query costs are evaluated by introspecting the endpoint’s GraphQL schema and applying cost decoration to parts of the schema tree.

Initially all nodes start with zero cost, with any operation at cost 1. Add rate-limiting constraints on any subtree. If subtree omitted, then rate-limit window applies on the whole tree (any operation).

Since there are many ways of approximating the cost of a GraphQL query, the plugin exposes two strategies: default and node_quantifier.

The following example queries can be run on this SWAPI playground.

default

The default strategy is meant as a good middle ground for general GraphQL queries, where it’s difficult to assert a clear cost strategy, so every operation has a cost of 1.

query { # + 1
  allPeople {  # + 1
    people { # + 1
      name # + 1
    }
  }
}

# total cost: 4

Default node costs can be defined by decorating the schema:

type_path mul_arguments mul_constant add_arguments add_constant
Query.allPeople [“first”] 1 [] 1
Person.vehicleConnection [“first”] 1 [] 1 
query { # + 1
  allPeople(first:20) { # * 20 + 1
    people { # + 1
      name # + 1
      vehicleConnection(first:10) { # * 10 + 1
        vehicles { # + 1
          id  # + 1
          name # + 1
          cargoCapacity # + 1
        }
      }
    }
  }
}

# total cost: ((((4 * 10 + 1) + 1) + 1) * 20 + 1) + 1 = 862

Generally speaking, vehicleConnection weight (4) is applied 10 times, and the total weight of it (40) 20 times, which gives us a rough 800.

Cost constants can be atomically defined as:

type_path mul_arguments mul_constant add_arguments add_constant
Query.allPeople [“first”] 2 [] 2
Person.vehicleConnection [“first”] 1 [] 5
Vehicle.name [] 1 [] 8

On this example, Vehicle.name and Person.vehicleConnection have specific weights of 8 and 5 respectively. allPeople weights 2, and also has double its weight when multiplied by arguments.

query { # + 1
  allPeople(first:20) { # 2 * 20 + 2
    people { # + 1
      name # + 1
      vehicleConnection(first:10) { # * 10 + 5
        vehicles { # + 1
          id  # + 1
          name # + 8
          cargoCapacity # + 1
        }
      }
    }
  }
}

# total cost: ((((11 * 10 + 5) + 1) + 1) * 2 * 20 + 2) + 1 = 4683

node_quantifier

This strategy is fit for GraphQL schemas that enforce quantifier arguments on any connection, providing a good approximation on the number of nodes visited for satisfying a query. Any query without decorated quantifiers has a cost of 1. It is roughly based on github’s GraphQL resource limits.

query {
  allPeople(first:100) { # 1
    people {
      name
      vehicleConnection(first:10) { # 100
        vehicles {
          name
          filmConnection(first:5) { # 10 * 100
            films{
              title
              characterConnection(first:50) { # 5 * 10 * 100
                characters {
                  name
                }
              }
            }
          }
        }
      }
    }
  }
}
# total cost: 1 + 100 + 10 * 100 + 5 * 10 * 100 = 6101
type_path mul_arguments mul_constant add_arguments add_constant
Query.allPeople [“first”] 1 [] 1
Person.vehicleConnection [“first”] 1 [] 1
Vehicle.filmConnection [“first”] 1 [] 1
Film.characterConnection [“first”] 1 [] 1

Roughly speaking:

  • allPeople returns 100 nodes, and has been called once
  • vehicleConnection returns 10 nodes, and has been called 100 times
  • filmConnection returns 5 nodes, and has been called 10 * 100 times
  • characterConnection returns 50 nodes, and has been called 5 * 10 * 100 times

Specific costs per node can be specified by adding a constant:

type_path mul_arguments mul_constant add_arguments add_constant
Query.allPeople [“first”] 1 [] 1
Person.vehicleConnection [“first”] 1 [] 42
Vehicle.filmConnection [“first”] 1 [] 1
Film.characterConnection [“first”] 1 [] 1 
query {
  allPeople(first:100) { # 1
    people {
      name
      vehicleConnection(first:10) { # 100 * 42
        vehicles {
          name
          filmConnection(first:5) { # 10 * 100
            films{
              title
              characterConnection(first:50) { # 5 * 10 * 100
                characters {
                  name
                }
              }
            }
          }
        }
      }
    }
  }
}
# total cost: 1 + 100 * 42 + 10 * 100 + 5 * 10 * 100 = 10201

Usage

The following configuration example targets a GraphQL endpoint at our SWAPI playground.

Add a GraphQL service and route

curl -X POST http://kong:8001/services \
  --data "name=example" \
  --data "host=mockbin.org" \
  --data "port=443" \
  --data "protocol=https"

curl -X POST http://kong:8001/services/example/routes \
  --data "hosts=example.com"

Enable the plugin on the service

Example using a single time window:

curl -i -X POST http://kong:8001/services/example/plugins \
  --data name=graphql-rate-limiting-advanced \
  --data config.limit=100 \
  --data config.window_size=60 \
  --data config.sync_rate=10

Example using multiple time windows:

curl -i -X POST --url http://kong:8001/services/example/plugins \
  --data 'name=graphql-rate-limiting-advanced' \
  --data 'config.window_size[]=60' \
  --data 'config.window_size[]=3600' \
  --data 'config.limit[]=10' \
  --data 'config.limit[]=100' \
  --data 'config.sync_rate=10'

Decorate gql schema for costs

Cost decoration schema looks like:

Form Parameter default description
type_path   Path to node to decorate
add_constant 1 Node weight when added
add_arguments [] List of arguments to add to add_constant
mul_constant 1 Node weight multiplier value
mul_arguments [] List of arguments that multiply weight

Cost decoration is available on the following routes:

/services/{service}/graphql-rate-limiting-advanced/costs

  • GET: list of costs associated to a service schema
  • PUT, POST: add a cost to a service schema

For example:

curl -X POST http://kong:8001/services/example/graphql-rate-limiting-advanced/costs \
  --data type_path="Query.allPeople" \
  --data mul_arguments="first"


curl -X POST http://kong:8001/services/example/graphql-rate-limiting-advanced/costs \
  --data type_path="Person.vehicleConnection" \
  --data mul_arguments="first"
  --data add_constant=42

curl -X POST http://kong:8001/services/example/graphql-rate-limiting-advanced/costs \
  --data type_path="Vehicle.filmConnection" \
  --data mul_arguments="first"


curl -X POST http://kong:8001/services/example/graphql-rate-limiting-advanced/costs \
  --data type_path="Film.characterConnection" \
  --data mul_arguments="first"

/graphql-rate-limiting-advanced/costs

  • GET: list of all costs on any service
  • PUT, POST: add a cost to a service schema

/graphql-rate-limiting-advanced/costs/{cost_id}

  • GET: get cost associated by id
  • PATCH: modify cost associated by id
  • DELETE: delete cost associated by id

Changing the default strategy

curl -X POST http://kong:8001/services/example/plugins \
  --data name=graphql-rate-limiting-advanced \
  --data config.limit=100 \
  --data config.limit=10000 \
  --data config.window_size=60 \
  --data config.window_size=3600 \
  --data config.sync_rate=10 \
  --data config.cost_strategy=default

curl -i -X PATCH http://kong:8001/plugins/{plugin_id} \
  --data config.cost_strategy=node_quantifier

Limit query cost by using config.max_cost

It’s usually a good idea to define a maximum cost applied to any query, regardless if the call is within the rate limits for a consumer.

By defining a max_cost on our service, we are ensuring no query will run with a cost higher than our set max_cost. By default it’s set to 0, which means no limit.

curl -X POST http://kong:8001/services/example/plugins \
  --data name=graphql-rate-limiting-advanced \
  --data config.limit=100 \
  --data config.limit=10000 \
  --data config.window_size=60 \
  --data config.window_size=3600 \
  --data config.sync_rate=0 \
  --data config.max_cost=5000

To update max_cost:

curl -X PATCH http://kong:8001/plugins/{plugin_id} \
  --data config.max_cost=10000

Using config.score_factor to modify costs

GraphQL query cost depends on multiple factors based on our resolvers and the implementation of the schema. Cost on queries, depending on the cost strategy might turn very high when using quantifiers, or very low with no quantifiers at all. By using config.score_factor the cost can be divided or multiplied to a certain order of magnitude.

For example, a score_factor of 0.01 will divide the costs by 100, meaning every cost unit represents 100 nodes.

curl -X POST http://kong:8001/services/example/plugins \
  --data name=graphql-rate-limiting-advanced \
  --data config.limit=100 \
  --data config.limit=10000 \
  --data config.window_size=60 \
  --data config.window_size=3600 \
  --data config.sync_rate=0 \
  --data config.max_cost=5000 \
  --data config.score_factor=0.01

To update score_factor:

curl -i -X PATCH http://kong:8001/plugins/{plugin_id} \
  --data config.score_factor=1

Changelog

Kong Gateway 2.8.x (plugin version 0.2.5)

  • Added the redis.username and redis.sentinel_username configuration parameters.

  • The redis.username, redis.password, redis.sentinel_username, and redis.sentinel_password configuration fields are now marked as referenceable, which means they can be securely stored as secrets in a vault. References must follow a specific format.

  • Fixed plugin versions in the documentation. Previously, the plugin versions were labelled as 1.3-x and 2.3.x. They are now updated to align with the plugin’s actual versions, 0.1.x and 0.2.x.