The Rate Limiting Advanced plugin for Konnect Enterprise is a re-engineered version of the Kong Gateway (OSS) Rate Limiting plugin.
As compared to the standard Rate Limiting plugin, Rate Limiting Advanced provides:
- Enhanced capabilities to tune the rate limiter, provided by the parameters
limit
andwindow_size
. Learn more in Multiple Limits and Window Sizes - Support for Redis Sentinel, Redis cluster, and Redis SSL
- Increased performance: Rate Limiting Advanced has better throughput performance with better accuracy. The plugin allows you to tune performance and accuracy via a configurable synchronization of counter data with the backend storage. This can be controlled by setting the desired value on the
sync_rate
parameter. - More limiting algorithms to choose from: These algorithms are more accurate and they enable configuration with more specificity. Learn more about our algorithms in How to Design a Scalable Rate Limiting Algorithm.
- Consumer groups support: Apply different rate limiting configurations to select groups of consumers. Learn more in Rate limiting for consumer groups
- More control over which requests contribute to incrementing the rate limiting counters via the
disable_penalty
parameter
Configuration Reference
This plugin is partially compatible with DB-less mode.
In DB-less mode, you configure Kong Gateway declaratively. Therefore, the Admin API is mostly read-only. The only tasks it can perform are all related to handling the declarative config, including:
- Setting a target's health status in the load balancer
- Validating configurations against schemas
- Uploading the declarative configuration using the
/config
endpoint
The cluster strategy is not supported in DB-less and hybrid modes. For Kong
Gateway in DB-less or hybrid mode, the redis
strategy is the only available option to configure the plugin with a central data store.
Note: We recommend setting
namespace
to a static value in DB-less mode. Thenamespace
will be regenerated on every configuration change if not explicitly set, resetting counters to zero.
Example plugin configuration
Parameters
Here's a list of all the parameters which can be used in this plugin's configuration:
Form Parameter | Description |
---|---|
name
required Type: string |
The name of the plugin, in this case rate-limiting-advanced . |
service.name or service.id
Type: string |
The name or ID of the service the plugin targets.
Set one of these parameters if adding the plugin to a service through the top-level /plugins endpoint.
Not required if using /services/SERVICE_NAME|SERVICE_ID/plugins . |
route.name or route.id
Type: string |
The name or ID of the route the plugin targets.
Set one of these parameters if adding the plugin to a route through the top-level /plugins endpoint.
Not required if using /routes/ROUTE_NAME|ROUTE_ID/plugins . |
consumer.name or consumer.id
Type: string |
The name or ID of the consumer the plugin targets.
Set one of these parameters if adding the plugin to a consumer through the top-level /plugins endpoint.
Not required if using /consumers/CONSUMER_NAME|CONSUMER_ID/plugins . |
enabled
Type: boolean Default value: true |
Whether this plugin will be applied. |
config.limit
required Type: array of number elements |
One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified. |
config.window_size
required Type: array of number elements |
One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified. |
config.identifier
required Type: string Default value: consumer
|
The type of identifier used to generate the rate limit key.
Defines the scope used to increment the rate limiting counters.
Can be |
config.path
semi-optional Type: string |
Request path to use as the rate limit key when |
config.header_name
semi-optional Type: string |
Header name to use as the rate limit key when |
config.dictionary_name
required Type: string Default value: kong_rate_limiting_counters
|
The shared dictionary where counters are stored. When the plugin is
configured to synchronize counter data externally (that is
|
config.sync_rate
required Type: number |
How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms). |
config.namespace
semi-optional Type: string Default value: random_auto_generated_string
|
The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace.
|
config.strategy
required Type: string Default value: local
|
The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are:
In DB-less and hybrid modes, the In Konnect, the default strategy is For details on which strategy should be used, refer to the implementation considerations. |
config.hide_client_headers
optional Type: boolean Default value: false
|
Optionally hide informative response headers that would otherwise
provide information about the current status of limits and counters as
described in the paragraph Headers sent to the client.
Available options: |
config.redis.host
semi-optional Type: string |
Host to use for Redis connection when the |
config.redis.port
semi-optional Type: integer Default value: 6379
|
Specifies the Redis server port when using the |
config.redis.ssl
optional Type: boolean Default value: false
|
If set to true, then uses SSL to connect to Redis. |
config.redis.ssl_verify
optional Type: boolean Default value: false
|
If set to true, then verifies the validity of the server SSL certificate. Note that you need to configure the lua_ssl_trusted_certificate to specify the CA (or server) certificate used by your redis server. You may also need to configure lua_ssl_verify_depth accordingly. |
config.redis.server_name
optional Type: string |
Specifies the server name for the new TLS extension Server Name Indication (SNI) when connecting over SSL. |
config.redis.timeout
semi-optional Type: number Default value: 2000
|
Connection timeout (in milliseconds) to use for Redis connection when the |
config.redis.connect_timeout
semi-optional Type: number Default value: 2000
|
Connection timeout to use for Redis connection when the |
config.redis.send_timeout
semi-optional Type: number Default value: 2000
|
Send timeout to use for Redis connection when the |
config.redis.read_timeout
semi-optional Type: number Default value: 2000
|
Read timeout to use for Redis connection when the |
config.redis.username
semi-optional Type: string |
Username to use for Redis connection when the This requires Redis v6.0.0+. The username cannot be set to This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format. |
config.redis.password
semi-optional Type: string |
Password to use for Redis connection when the This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format. |
config.redis.database
semi-optional Type: integer Default value: 0
|
Database to use for Redis connection when the |
config.redis.sentinel_master
semi-optional Type: string |
Sentinel master to use for Redis connections when the |
config.redis.sentinel_username
semi-optional Type: string |
Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication will not be performed. This requires Redis v6.2.0+. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format. |
config.redis.sentinel_password
semi-optional Type: string |
Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels. This field is referenceable, which means it can be securely stored as a secret in a vault. References must follow a specific format. |
config.redis.sentinel_role
semi-optional Type: string |
Sentinel role to use for Redis connections when the |
config.redis.sentinel_addresses
semi-optional Type: array of string elements |
Sentinel addresses to use for Redis connections when the |
config.redis.cluster_addresses
semi-optional Type: array of string elements |
Cluster addresses to use for Redis connections when the |
config.redis.keepalive_backlog
optional Type: integer |
If specified, limits the total number of opened connections for a pool. If the
connection pool is full, all connection queues beyond the maximum limit go into
the backlog queue. Once the backlog queue is full, subsequent connect operations
will fail and return |
config.redis.keepalive_pool
optional Type: string Default value: generated from string template
|
The custom name of the connection pool. If not specified, the connection pool
name is generated from the string template |
config.redis.keepalive_pool_size
optional Type: integer Default value: 30
|
The size limit for every cosocket connection pool associated with every remote
server, per worker process. If no |
config.window_type
required Type: string Default value: sliding
|
Sets the time window type to either |
config.retry_after_jitter_max
required Type: number Default value: 0
|
The upper bound of a jitter (random delay) in seconds to be added to the |
config.enforce_consumer_groups
optional Type: boolean Default value: false
|
Set to |
config.consumer_groups
semi-optional Type: array of string elements |
List of consumer groups allowed to override the rate limiting
settings for the given Route or Service. Required if
Flipping |
config.disable_penalty
optional Type: boolean Default value: false
|
If set to |
config.error_code
optional Type: number Default value: 429
|
Set a custom error code to return when the rate limit is exceeded. |
config.error_message
optional Type: string Default value: rate limit exceeded
|
Set a custom error message to return when the rate limit is exceeded. |
Notes:
-
The plugin does not support the
cluster
strategy in hybrid mode. Theredis
strategy must be used instead. -
Redis configuration values are ignored if the
cluster
strategy is used. -
PostgreSQL 9.5+ is required when using the
cluster
strategy withpostgres
as the backing Kong cluster data store. -
The
dictionary_name
directive was added to prevent the usage of thekong
shared dictionary, which could lead tono memory
errors.
Headers sent to the client
When this plugin is enabled, Kong sends some additional headers back to the client indicating the allowed limits, how many requests are available, and how long it will take until the quota will be restored.
For example:
RateLimit-Limit: 6
RateLimit-Remaining: 4
RateLimit-Reset: 47
The plugin also sends headers indicating the limits in the time frame and the number of remaining minutes:
X-RateLimit-Limit-Minute: 10
X-RateLimit-Remaining-Minute: 9
You can optionally hide the limit and remaining headers with the hide_client_headers
option.
If more than one limit is being set, the plugin returns a combination of more time limits:
X-RateLimit-Limit-Second: 5
X-RateLimit-Remaining-Second: 4
X-RateLimit-Limit-Minute: 10
X-RateLimit-Remaining-Minute: 9
If any of the limits configured has been reached, the plugin returns an HTTP/1.1 429
status
code to the client with the following JSON body:
{ "message": "API rate limit exceeded" }
The Retry-After
header will be present on 429
errors to indicate how long the service is
expected to be unavailable to the client. When using window_type=sliding
and RateLimit-Reset
, Retry-After
may increase due to the rate calculation for the sliding window.
The headers
RateLimit-Limit
,RateLimit-Remaining
, andRateLimit-Reset
are based on the Internet-Draft RateLimit Header Fields for HTTP and may change in the future to respect specification updates.
Multiple Limits and Window Sizes
An arbitrary number of limits/window sizes can be applied per plugin instance. This allows you to create multiple rate limiting windows (e.g., rate limit per minute and per hour, and per any arbitrary window size). Because of limitations with Kong’s plugin configuration interface, each nth limit will apply to each nth window size. For example:
curl -X POST http://{LOCALHOST}:8001/services/{SERVICE}/plugins \
--data "name=rate-limiting-advanced" \
--data "config.limit=10" \
--data "config.limit=100" \
--data "config.window_size=60" \
--data "config.window_size=3600"
This example applies rate limiting policies, one of which will trip when 10 hits have been counted in 60 seconds, or the other when 100 hits have been counted in 3600 seconds. For more information, see the Enterprise Rate Limiting Library.
The number of configured window sizes and limits parameters must be equal (as shown above); otherwise, an error occurs:
You must provide the same number of windows and limits
Fallback to IP
When the selected strategy cannot be retrieved, the rate-limiting-advanced
plugin will fall back
to limit using IP as the identifier. This can happen for several reasons, such as the
selected header was not sent by the client or the configured service was not found.
Fallback from Redis
When the redis
strategy is used and a Kong Gateway node is disconnected from Redis, the rate-limiting-advanced
plugin will fall back to local
. This can happen when the Redis server is down or the connection to Redis broken.
Kong Gateway keeps the local counters for rate limiting and syncs with Redis once the connection is re-established.
Kong Gateway will still rate limit, but the Kong Gateway nodes can’t sync the counters. As a result, users will be able
to perform more requests than the limit, but there will still be a limit per node.
Rate limiting for consumer groups
You can use consumer groups to manage custom rate limiting configuration for subsets of consumers. To use consumer groups, you’ll need to configure the following parameters:
config.enforce_consumer_groups
: Set to true.config.consumer_groups
: Provide a list of consumer groups that this plugin allows overrides for.
For guides on working with consumer groups, see the consumer group examples and API reference in the Admin API documentation.
Changelog
Kong Gateway 3.1.x
- Added the ability to customize the error code and message with
the configuration parameters
error_code
anderror_message
.
Kong Gateway 3.0.x
- Kong Gateway now disallows enabling the plugin if the
cluster
strategy is set with DB-less or hybrid mode.
Kong Gateway 2.8.x
-
Added the
redis.username
andredis.sentinel_username
configuration parameters. -
The
redis.username
,redis.password
,redis.sentinel_username
, andredis.sentinel_password
configuration fields are now marked as referenceable, which means they can be securely stored as secrets in a vault. References must follow a specific format.
Kong Gateway 2.7.x
- Added the
enforce_consumer_groups
andconsumer_groups
configuration parameters.
Kong Gateway 2.5.x
- Deprecated the
timeout
field and replaces it with three precise options:connect_timeout
,read_timeout
, andsend_timeout
. - Added
redis.keepalive_pool
,redis.keepalive_pool_size
, andredis.keepalive_backlog
configuration options. ssl_verify
andserver_name
configuration options now support Redis Sentinel-based connections.
Kong Gateway 2.2.x
- Added the
redis.ssl
,redis.ssl_verify
, andredis.server_name
parameters for configuring TLS connections.