
Rate Limiting Advanced
Configuration
Similar to identifier, but supports combining multiple items. The priority of compound_identifier is higher than identifier, which means that if compound_identifier is set, it will be used; otherwise identifier will be used.
Allowed values: consumer, consumer-group, credential, header, ip, path, service
The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is, config.strategy is cluster or redis and config.sync_rate isn’t -1), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.
Default: kong_rate_limiting_counters
Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping enforce_consumer_groups from true to false disables the group override, but does not clear the list of consumer groups. You can then flip enforce_consumer_groups to true to re-enforce the groups.
Default: false
The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be ip, credential, consumer, service, header, path or consumer-group. Note that if identifier is consumer-group, the plugin must be applied on a consumer group entity. Because a consumer may belong to multiple consumer groups, the plugin needs to know explicitly which consumer group to rate limit.
Allowed values: consumer, consumer-group, credential, header, ip, path, service
Default: consumer
The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration are isolated in each namespace. NOTE: For plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. strategy, redis, sync_rate, dictionary_name, need to be the same.
Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
>= 1 characters
Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
>= 0, <= 2147483646
The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn’t specified but keepalive_backlog is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.
Default: 256
>= 1, <= 2147483646
Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
This field is encrypted.
This field is referenceable.
Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
>= 1 characters
Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
This field is encrypted.
This field is referenceable.
Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won’t be performed. This requires Redis v6.2.0+.
This field is referenceable.
If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
Default: false
Username to use for Redis connections. If undefined, ACL authentication won’t be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
This field is referenceable.
The upper bound of a jitter (random delay) in seconds to be added to the Retry-After header of denied requests (status = 429) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is 0; in this case, the Retry-After header is equal to the RateLimit-Reset header.
Default: 0
How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).
Sets the time window type to either sliding (default) or fixed. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current one) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range; each request is mapped to only one fixed window based on its timestamp and will affect only that window’s counters.
Allowed values: fixed, sliding
Default: sliding
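The difference between the two window types at a window boundary, as an added example (not Kong's own code). The WindowLimiter class, the weighting formula (the share of the previous window that still overlaps the last window_size seconds) and the choice not to count denied requests are assumptions made for illustration.

```python
from collections import defaultdict


class WindowLimiter:
    """Per-bucket hit counter; 'sliding' adds a weighted share of the previous bucket."""

    def __init__(self, limit, window_size, window_type="sliding"):
        self.limit = limit
        self.window_size = window_size
        self.window_type = window_type
        self.counters = defaultdict(int)  # bucket start time -> accepted hits

    def _bucket(self, now):
        return now - (now % self.window_size)

    def usage(self, now):
        start = self._bucket(now)
        current = self.counters.get(start, 0)
        if self.window_type == "fixed":
            return current  # only the bucket containing `now` matters
        # Assumed weighting: fraction of the previous bucket that still
        # overlaps a window_size-long interval ending at `now`.
        weight = (self.window_size - (now - start)) / self.window_size
        previous = self.counters.get(start - self.window_size, 0)
        return current + previous * weight

    def allow(self, now):
        if self.usage(now) + 1 > self.limit:
            return False  # the gateway would answer 429 here
        self.counters[self._bucket(now)] += 1  # denied hits are not counted
        return True


def accepted_in_boundary_burst(window_type, limit=10, window_size=60):
    """Constructed traffic: `limit` requests at t=59 s, then `limit` more at t=61 s."""
    limiter = WindowLimiter(limit, window_size, window_type)
    timestamps = [59.0] * limit + [61.0] * limit
    return sum(limiter.allow(t) for t in timestamps)


if __name__ == "__main__":
    for window_type in ("fixed", "sliding"):
        print(window_type, accepted_in_boundary_burst(window_type))
```

With a limit of 10 per 60 seconds, the fixed window accepts all 20 requests sent within two seconds of each other across the boundary, while the sliding window accepts only the first 10.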
If set, the plugin will activate only for requests where the specified consumer has been authenticated. (Note that some plugins cannot be restricted to consumers this way.) Leave unset for the plugin to activate regardless of the authenticated Consumer.
If set, the plugin will activate only for requests where the specified consumer group has been authenticated. (Note that some plugins cannot be restricted to consumer groups this way.) Leave unset for the plugin to activate regardless of the authenticated Consumer Groups.
If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.