Skip to content
|
search
Plugin Hub
header icon

Rate Limiting Advanced

The Rate Limiting Advanced plugin for Konnect Enterprise is a re-engineered version of the Kong Gateway (OSS) Rate Limiting plugin.

As compared to the standard Rate Limiting plugin, Rate Limiting Advanced provides:

  • Enhanced capabilities to tune the rate limiter, provided by the parameters limit and window_size. Learn more in Multiple Limits and Window Sizes
  • Support for Redis Sentinel, Redis cluster, and Redis SSL
  • Increased performance: Rate Limiting Advanced has better throughput performance with better accuracy. The plugin allows you to tune performance and accuracy via a configurable synchronization of counter data with the backend storage. This can be controlled by setting the desired value on the sync_rate parameter.
  • More limiting algorithms to choose from: These algorithms are more accurate and they enable configuration with more specificity. Learn more about our algorithms in How to Design a Scalable Rate Limiting Algorithm.
  • Consumer groups support: Apply different rate limiting configurations to select groups of consumers. Learn more in Rate limiting for consumer groups
  • More control over which requests contribute to incrementing the rate limiting counters via the disable_penalty parameter

Configuration Reference

This plugin is partially compatible with DB-less mode.

In DB-less mode, you configure Kong Gateway declaratively. Therefore, the Admin API is mostly read-only. The only tasks it can perform are all related to handling the declarative config, including:

  • Setting a target's health status in the load balancer
  • Validating configurations against schemas
  • Uploading the declarative configuration using the /config endpoint

The cluster strategy is not supported in DB-less and hybrid modes. For Kong Gateway in DB-less or hybrid mode, the redis strategy is the only available option to configure the plugin with a central data store.

Note: We recommend setting namespace to a static value in DB-less mode. The namespace will be regenerated on every configuration change if not explicitly set, resetting counters to zero.

Example plugin configuration

The following examples provide some typical configurations for enabling the rate-limiting-advanced plugin on a service.

Make the following request:

curl -X POST http://localhost:8001/services/SERVICE_NAME|SERVICE_ID/plugins \
    --data "name=rate-limiting-advanced"  \
    --data "config.limit=5" \
    --data "config.window_size=30" \
    --data "config.identifier=consumer" \
    --data "config.sync_rate=-1" \
    --data "config.namespace=example_namespace" \
    --data "config.strategy=local" \
    --data "config.hide_client_headers=false" \
    --data "config.enforce_consumer_groups=true" \
    --data "config.consumer_groups=group1" \
    --data "config.consumer_groups=group2"

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-advanced-example
config: 
  limit:
  - 5
  window_size:
  - 30
  identifier: consumer
  sync_rate: -1
  namespace: example_namespace
  strategy: local
  hide_client_headers: false
  enforce_consumer_groups: true
  consumer_groups:
  - group1
  - group2
plugin: rate-limiting-advanced

Next, apply the KongPlugin resource to a service by annotating the service as follows:

apiVersion: v1
kind: Service
metadata:
  name: SERVICE_NAME|SERVICE_ID
  labels:
    app: SERVICE_NAME|SERVICE_ID
  annotations:
    konghq.com/plugins: rate-limiting-advanced-example
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: SERVICE_NAME|SERVICE_ID
  selector:
    app: SERVICE_NAME|SERVICE_ID

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: rate-limiting-advanced
  service: SERVICE_NAME|SERVICE_ID
  config: 
    limit:
    - 5
    window_size:
    - 30
    identifier: consumer
    sync_rate: -1
    namespace: example_namespace
    strategy: local
    hide_client_headers: false
    enforce_consumer_groups: true
    consumer_groups:
    - group1
    - group2

Replace SERVICE_NAME|SERVICE_ID with the id or name of the service that this plugin configuration will target.

You can configure this plugin through the Konnect UI.

From the servicehub icon Service Hub, select a service version, then set up the plugin:

  1. In the Plugins section, click Add Plugin.
  2. Find and select the Rate Limiting Advanced plugin.

  3. Configure the plugin’s parameters.

    You can test out the plugin with the following sample configuration:

    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Sync Rate: -1
    • Config.Strategy: local
  4. Click Create.

You can configure this plugin through the Kong Manager UI.

  1. In Kong Manager, select the workspace.
  2. From the Services section, click View for the service row.
  3. From the plugin section, click Add Plugin.
  4. Find and select the Rate Limiting Advanced plugin.
    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, select Scoped.
  6. Add the service name and ID to the Service field if it is not already pre-filled.

  7. Configure the plugin’s parameters.

    You can test out the plugin with the following sample configuration:

    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Sync Rate: -1
    • Config.Strategy: local
  8. Click Create.

The following examples provide some typical configurations for enabling the rate-limiting-advanced plugin on a route.

Make the following request:

curl -X POST http://localhost:8001/routes/ROUTE_NAME|ROUTE_ID/plugins \
  --data "name=rate-limiting-advanced"  \
    --data "config.limit=5" \
    --data "config.window_size=30" \
    --data "config.identifier=consumer" \
    --data "config.sync_rate=-1" \
    --data "config.namespace=example_namespace" \
    --data "config.strategy=local" \
    --data "config.hide_client_headers=false" \
    --data "config.enforce_consumer_groups=true" \
    --data "config.consumer_groups=group1" \
    --data "config.consumer_groups=group2"

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-advanced-example
config: 
  limit:
  - 5
  window_size:
  - 30
  identifier: consumer
  sync_rate: -1
  namespace: example_namespace
  strategy: local
  hide_client_headers: false
  enforce_consumer_groups: true
  consumer_groups:
  - group1
  - group2
plugin: rate-limiting-advanced

Then, apply it to an ingress (route or routes) by annotating the ingress as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ROUTE_NAME|ROUTE_ID
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/plugins: rate-limiting-advanced-example
spec:
  rules:
  - host: examplehostname.com
    http:
      paths:
      - path: /bar
        backend:
          service:
            name: echo
            port:
              number: 80

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: rate-limiting-advanced
  route: ROUTE_NAME
  config: 
    limit:
    - 5
    window_size:
    - 30
    identifier: consumer
    sync_rate: -1
    namespace: example_namespace
    strategy: local
    hide_client_headers: false
    enforce_consumer_groups: true
    consumer_groups:
    - group1
    - group2

Replace ROUTE_NAME|ROUTE_ID with the id or name of the route that this plugin configuration will target.

You can configure this plugin through the Konnect UI.

From the servicehub icon Service Hub, select a service version, then set up the plugin:

  1. Select a route.
  2. In the Plugins section, click Add Plugin.
  3. Find and select the Rate Limiting Advanced plugin.

  4. Configure the plugin’s parameters.

    You can test out the plugin with the following sample configuration:

    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Sync Rate: -1
    • Config.Strategy: local
  5. Click Create.

You can configure this plugin through the Kong Manager UI.

  1. In Kong Manager, select the workspace.
  2. Open Routes from the menu, then click View for the route row.
  3. From the plugin section, click Add Plugin.
  4. Find and select the Rate Limiting Advanced plugin.
    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, select Scoped.
  6. Add the route ID if it is not already prefilled.

  7. Configure the plugin’s parameters.

    You can test out the plugin with the following sample configuration:

    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Sync Rate: -1
    • Config.Strategy: local
  8. Click Create.

The following examples provide some typical configurations for enabling the rate-limiting-advanced plugin on a consumer.

Make the following request:

curl -X POST http://localhost:8001/consumers/CONSUMER_NAME|CONSUMER_ID/plugins \
  --data "name=rate-limiting-advanced"  \
    --data "config.limit=5" \
    --data "config.window_size=30" \
    --data "config.identifier=consumer" \
    --data "config.sync_rate=-1" \
    --data "config.namespace=example_namespace" \
    --data "config.strategy=local" \
    --data "config.hide_client_headers=false" \
    --data "config.enforce_consumer_groups=true" \
    --data "config.consumer_groups=group1" \
    --data "config.consumer_groups=group2"

Replace CONSUMER_NAME|CONSUMER_ID with the id or name of the consumer that this plugin configuration will target.

You can combine consumer.id, service.id, or route.id in the same request, to further narrow the scope of the plugin.

First, create a KongPlugin resource:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: rate-limiting-advanced-example
config: 
  limit:
  - 5
  window_size:
  - 30
  identifier: consumer
  sync_rate: -1
  namespace: example_namespace
  strategy: local
  hide_client_headers: false
  enforce_consumer_groups: true
  consumer_groups:
  - group1
  - group2
plugin: rate-limiting-advanced

Then, apply it to a consumer by annotating the KongConsumer resource as follows:

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: CONSUMER_NAME|CONSUMER_ID
  annotations:
    konghq.com/plugins: rate-limiting-advanced-example
    kubernetes.io/ingress.class: kong

Replace CONSUMER_NAME|CONSUMER_ID with the id or name of the consumer that this plugin configuration will target.

Note: The KongPlugin resource only needs to be defined once and can be applied to any service, consumer, or route in the namespace. If you want the plugin to be available cluster-wide, create the resource as a KongClusterPlugin instead of KongPlugin.

Add this section to your declarative configuration file:

plugins:
- name: rate-limiting-advanced
  consumer: CONSUMER_NAME|CONSUMER_ID
  config: 
    limit:
    - 5
    window_size:
    - 30
    identifier: consumer
    sync_rate: -1
    namespace: example_namespace
    strategy: local
    hide_client_headers: false
    enforce_consumer_groups: true
    consumer_groups:
    - group1
    - group2

Replace CONSUMER_NAME|CONSUMER_ID with the id or name of the consumer that this plugin configuration will target.

You can configure this plugin through the Kong Manager UI.

  1. In Kong Manager, select the workspace.
  2. From the Consumers section, click View for the consumer row.
  3. Select the Plugins tab, then click Add Plugin.
  4. Find and select the Rate Limiting Advanced plugin.
    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  5. If the option is available, select Scoped.
  6. Add the consumer ID if it is not already prefilled.

  7. Configure the plugin’s parameters.

    You can test out the plugin with the following sample configuration:

    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Sync Rate: -1
    • Config.Strategy: local
  8. Click Create.

A plugin which is not associated to any service, route, or consumer is considered global, and will be run on every request. Read the Plugin Reference and the Plugin Precedence sections for more information.

The following examples provide some typical configurations for enabling the rate-limiting-advanced plugin globally.

Make the following request:

curl -X POST http://localhost:8001/plugins/ \
  --data "name=rate-limiting-advanced"  \
    --data "config.limit=5" \
    --data "config.window_size=30" \
    --data "config.identifier=consumer" \
    --data "config.sync_rate=-1" \
    --data "config.namespace=example_namespace" \
    --data "config.strategy=local" \
    --data "config.hide_client_headers=false" \
    --data "config.enforce_consumer_groups=true" \
    --data "config.consumer_groups=group1" \
    --data "config.consumer_groups=group2"

Create a KongClusterPlugin resource and label it as global:

apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: <global-rate-limiting-advanced>
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: \"true\"
config: 
  limit:
  - 5
  window_size:
  - 30
  identifier: consumer
  sync_rate: -1
  namespace: example_namespace
  strategy: local
  hide_client_headers: false
  enforce_consumer_groups: true
  consumer_groups:
  - group1
  - group2
plugin: rate-limiting-advanced

Add a plugins entry in the declarative configuration file:

plugins:
- name: rate-limiting-advanced
  config: 
    limit:
    - 5
    window_size:
    - 30
    identifier: consumer
    sync_rate: -1
    namespace: example_namespace
    strategy: local
    hide_client_headers: false
    enforce_consumer_groups: true
    consumer_groups:
    - group1
    - group2

You can configure this plugin through the Kong Manager UI.

  1. In Kong Manager, select the workspace.
  2. Open Plugins from the menu, then click New Plugin.
  3. Find and select the Rate Limiting Advanced plugin.
    Note: If the plugin is greyed out, then it is not available for your product tier. See Kong Gateway tiers.
  4. If the option is available, set the plugin scope to Global.

  5. Configure the plugin’s parameters.

    You can test out the plugin with the following sample configuration:

    • Config.Limit: 5
    • Config.Window Size: 30
    • Config.Identifier: consumer
    • Config.Sync Rate: -1
    • Config.Strategy: local
  6. Click Create.

Parameters

Here's a list of all the parameters which can be used in this plugin's configuration:

Form Parameter Description
name
required

Type: string		 The name of the plugin, in this case rate-limiting-advanced.
service.name or service.id

Type: string		 The name or ID of the service the plugin targets.

Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint.

Not required if using /services/SERVICE_NAME|SERVICE_ID/plugins.
route.name or route.id

Type: string		 The name or ID of the route the plugin targets.

Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint.

Not required if using /routes/ROUTE_NAME|ROUTE_ID/plugins.
consumer.name or consumer.id

Type: string		 The name or ID of the consumer the plugin targets.

Set one of these parameters if adding the plugin to a consumer through the top-level /plugins endpoint.

Not required if using /consumers/CONSUMER_NAME|CONSUMER_ID/plugins.
enabled

Type: boolean

Default value: true		 Whether this plugin will be applied.
config.limit
required

Type: array of number elements

One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.
config.window_size
required

Type: array of number elements

One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.
config.identifier
required

Type: string

Default value: consumer

The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be ip, credential, consumer, service, header, or path.
config.path
semi-optional

Type: string

Request path to use as the rate limit key when config.identifier is configured with the value path. Ignored when config.identifier has any other value.
config.header_name
semi-optional

Type: string

Header name to use as the rate limit key when config.identifier is configured with the value header. Ignored when config.identifier is not header.
config.dictionary_name
required

Type: string

Default value: kong_rate_limiting_counters

The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is config.strategy is cluster or redis and config.sync_rate isn’t -1), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.
config.sync_rate
required

Type: number

How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).
config.namespace
semi-optional

Type: string

Default value: random_auto_generated_string

The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.

Important: If managing Kong Gateway with declarative configuration or running Kong Gateway in DB-less mode, set the namespace explicitly in your declarative configuration.

If not set, you will run into the following issues:

  • In DB-less mode, this field will be regenerated automatically on every configuration change.
  • If applying declarative configuration with decK, decK will automatically fail the update and require a namespace value.
config.strategy
required

Type: string

Default value: local

The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are:

  • local: Counters are stored locally in-memory on the node (same effect as setting sync_rate to -1).
  • cluster: Counters are stored in the Kong datastore and shared across the nodes.
  • redis: Counters are stored on a Redis server and shared across the nodes.

In DB-less and hybrid modes, the cluster config strategy is not supported. From 3.0.0.0 onwards, Kong disallows the plugin enablement if cluster strategy is set with DB-less or hybrid mode.

In Konnect, the default strategy is redis.

For details on which strategy should be used, refer to the implementation considerations.
config.hide_client_headers
optional

Type: boolean

Default value: false

Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters as described in the paragraph Headers sent to the client. Available options: true or false.
config.redis.host
semi-optional

Type: string

Host to use for Redis connection when the redis strategy is defined. This parameter accepts a hostname or an IP address as a value.
config.redis.port
semi-optional

Type: integer

Default value: 6379

Specifies the Redis server port when using the redis strategy. Must be a value between 0 and 65535. Default: 6379.
config.redis.ssl
optional

Type: boolean

Default value: false

If set to true, then uses SSL to connect to Redis.
config.redis.ssl_verify
optional

Type: boolean

Default value: false

If set to true, then verifies the validity of the server SSL certificate. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your redis server. You may also need to configure lua_ssl_verify_depth accordingly.
config.redis.server_name
optional

Type: string

Specifies the server name for the new TLS extension Server Name Indication (SNI) when connecting over SSL.
config.redis.timeout
semi-optional

Type: number

Default value: 2000

Connection timeout (in milliseconds) to use for Redis connection when the redis strategy is defined. This field is deprecated and replaced with redis.connect_timeout, redis.send_timeout, and redis.read_timeout. The redis.timeout field will continue to work in a backwards compatible way, but it is recommended to use the replacement fields. If set to something other than the default, a deprecation warning will be logged in the log file, stating the field’s deprecation and planned removal in v3.x.x.
config.redis.connect_timeout
semi-optional

Type: number

Default value: 2000

Connection timeout to use for Redis connection when the redis strategy is defined.
config.redis.send_timeout
semi-optional

Type: number

Default value: 2000

Send timeout to use for Redis connection when the redis strategy is defined.
config.redis.read_timeout
semi-optional

Type: number

Default value: 2000

Read timeout to use for Redis connection when the redis strategy is defined.
config.redis.username
semi-optional

Type: string

Username to use for Redis connection when the redis strategy is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed.

This requires Redis v6.0.0+. The username cannot be set to default.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.

config.redis.password
semi-optional

Type: string

Password to use for Redis connection when the redis strategy is defined. If undefined, no AUTH commands are sent to Redis.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.

config.redis.database
semi-optional

Type: integer

Default value: 0

Database to use for Redis connection when the redis strategy is defined.
config.redis.sentinel_master
semi-optional

Type: string

Sentinel master to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.
config.redis.sentinel_username
semi-optional

Type: string

Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication will not be performed. This requires Redis v6.2.0+.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.

config.redis.sentinel_password
semi-optional

Type: string

Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.

This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format.

config.redis.sentinel_role
semi-optional

Type: string

Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel. Available options: master, slave, any.
config.redis.sentinel_addresses
semi-optional

Type: array of string elements

Sentinel addresses to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel. Each string element must consist of a hostname (or IP address) and port. The minimum length of the array is 1 element.
config.redis.cluster_addresses
semi-optional

Type: array of string elements

Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis cluster. Each string element must consist of a hostname (or IP address) and port. The minimum length of the array is 1 element.
config.redis.keepalive_backlog
optional

Type: integer

If specified, limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. Once the backlog queue is full, subsequent connect operations will fail and return nil. Queued connect operations resume once the number of connections in the pool is less than keepalive_pool_size. Note that queued connect operations are subject to set timeouts.
config.redis.keepalive_pool
optional

Type: string

Default value: generated from string template

The custom name of the connection pool. If not specified, the connection pool name is generated from the string template "<host>:<port>" or "<unix-socket-path>".
config.redis.keepalive_pool_size
optional

Type: integer

Default value: 30

The size limit for every cosocket connection pool associated with every remote server, per worker process. If no keepalive_pool_size is specified and no keepalive_backlog is specified, no pool is created. If no keepalive_pool_size is specified and keepalive_backlog is specified, then the pool uses the default value 30.
config.window_type
required

Type: string

Default value: sliding

Sets the time window type to either sliding (default) or fixed. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window’s counters. For more information refer to the Enterprise Rate Limiting Library Overview.
config.retry_after_jitter_max
required

Type: number

Default value: 0

The upper bound of a jitter (random delay) in seconds to be added to the Retry-After header of denied requests (status = 429) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is 0; in this case, the Retry-After header is equal to the RateLimit-Reset header.
config.enforce_consumer_groups
optional

Type: boolean

Default value: false

Set to true to enable consumer_groups, which allows the settings from one of the allowed consumer groups to override the given plugin configuration.
config.consumer_groups
semi-optional

Type: array of string elements

List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if enforce_consumer_groups is set to true.

Flipping enforce_consumer_groups from true to false disables the group override, but does not clear the list of consumer groups. You can then flip enforce_consumer_groups to true to re-enforce the groups.
config.disable_penalty
optional

Type: boolean

Default value: false

If set to true, this doesn’t count denied requests (status = 429). If set to false, all requests, including denied ones, are counted. This parameter only affects the sliding window_type.
config.error_code
optional

Type: number

Default value: 429

Set a custom error code to return when the rate limit is exceeded.
config.error_message
optional

Type: string

Default value: rate limit exceeded

Set a custom error message to return when the rate limit is exceeded.

Notes:

  • The plugin does not support the cluster strategy in hybrid mode. The redis strategy must be used instead.

  • Redis configuration values are ignored if the cluster strategy is used.

  • PostgreSQL 9.5+ is required when using the cluster strategy with postgres as the backing Kong cluster data store.

  • The dictionary_name directive was added to prevent the usage of the kong shared dictionary, which could lead to no memory errors.

Headers sent to the client

When this plugin is enabled, Kong sends some additional headers back to the client indicating the allowed limits, how many requests are available, and how long it will take until the quota will be restored.

For example:

RateLimit-Limit: 6
RateLimit-Remaining: 4
RateLimit-Reset: 47

The plugin also sends headers indicating the limits in the time frame and the number of remaining minutes:

X-RateLimit-Limit-Minute: 10
X-RateLimit-Remaining-Minute: 9

You can optionally hide the limit and remaining headers with the hide_client_headers option.

If more than one limit is being set, the plugin returns a combination of more time limits:

X-RateLimit-Limit-Second: 5
X-RateLimit-Remaining-Second: 4
X-RateLimit-Limit-Minute: 10
X-RateLimit-Remaining-Minute: 9

If any of the limits configured has been reached, the plugin returns an HTTP/1.1 429 status code to the client with the following JSON body:

{ "message": "API rate limit exceeded" }

The Retry-After header will be present on 429 errors to indicate how long the service is expected to be unavailable to the client. When using window_type=sliding and RateLimit-Reset, Retry-After may increase due to the rate calculation for the sliding window.

The headers RateLimit-Limit, RateLimit-Remaining, and RateLimit-Reset are based on the Internet-Draft RateLimit Header Fields for HTTP and may change in the future to respect specification updates.

Multiple Limits and Window Sizes

An arbitrary number of limits/window sizes can be applied per plugin instance. This allows you to create multiple rate limiting windows (e.g., rate limit per minute and per hour, and per any arbitrary window size). Because of limitations with Kong’s plugin configuration interface, each nth limit will apply to each nth window size. For example:

curl -X POST http://
{LOCALHOST}
:8001/services/
{SERVICE}
/plugins \
  --data "name=rate-limiting-advanced" \
  --data "config.limit=10" \
  --data "config.limit=100" \
  --data "config.window_size=60" \
  --data "config.window_size=3600"

This example applies rate limiting policies, one of which will trip when 10 hits have been counted in 60 seconds, or the other when 100 hits have been counted in 3600 seconds. For more information, see the Enterprise Rate Limiting Library.

The number of configured window sizes and limits parameters must be equal (as shown above); otherwise, an error occurs:

You must provide the same number of windows and limits

Fallback to IP

When the selected strategy cannot be retrieved, the rate-limiting-advanced plugin will fall back to limit using IP as the identifier. This can happen for several reasons, such as the selected header was not sent by the client or the configured service was not found.

Fallback from Redis

When the redis strategy is used and a Kong Gateway node is disconnected from Redis, the rate-limiting-advanced plugin will fall back to local. This can happen when the Redis server is down or the connection to Redis broken. Kong Gateway keeps the local counters for rate limiting and syncs with Redis once the connection is re-established. Kong Gateway will still rate limit, but the Kong Gateway nodes can’t sync the counters. As a result, users will be able to perform more requests than the limit, but there will still be a limit per node.

Rate limiting for consumer groups

You can use consumer groups to manage custom rate limiting configuration for subsets of consumers. To use consumer groups, you’ll need to configure the following parameters:

  • config.enforce_consumer_groups: Set to true.
  • config.consumer_groups: Provide a list of consumer groups that this plugin allows overrides for.

For guides on working with consumer groups, see the consumer group examples and API reference in the Admin API documentation.

Changelog

Kong Gateway 3.1.x

  • Added the ability to customize the error code and message with the configuration parameters error_code and error_message.

Kong Gateway 3.0.x

  • Kong Gateway now disallows enabling the plugin if the cluster strategy is set with DB-less or hybrid mode.

Kong Gateway 2.8.x

  • Added the redis.username and redis.sentinel_username configuration parameters.

  • The redis.username, redis.password, redis.sentinel_username, and redis.sentinel_password configuration fields are now marked as referenceable, which means they can be securely stored as secrets in a vault. References must follow a specific format.

Kong Gateway 2.7.x

  • Added the enforce_consumer_groups and consumer_groups configuration parameters.

Kong Gateway 2.5.x

  • Deprecated the timeout field and replaces it with three precise options: connect_timeout, read_timeout, and send_timeout.
  • Added redis.keepalive_pool, redis.keepalive_pool_size, and redis.keepalive_backlog configuration options.
  • ssl_verify and server_name configuration options now support Redis Sentinel-based connections.

Kong Gateway 2.2.x

  • Added the redis.ssl, redis.ssl_verify, and redis.server_name parameters for configuring TLS connections.