Rate Limit

Rate Limiting

Rate limit how many HTTP requests a developer can make in a given period of seconds, minutes, hours, days, months or years.

Configuration

The plain rate limit config:

"rate_limit": {
    "enabled": true,
    "config": {
        "limit": "10-S",
        "policy": "local",
        "trust_forward_headers": false
    }
}

Configuration	Description
limit	Defines the limit rule for the proxy. i.e. 5 reqs/second: 5-S, 10 reqs/minute: 10-M, 1000 reqs/hour: 1000-H
policy	The rate-limiting policies to use for retrieving and incrementing the limits. Available values are local (counters will be stored locally in-memory on the node) and redis (counters are stored on a Redis server and will be shared across the nodes).
redis.dsn	The DSN for the redis instance/cluster to be used
redis.prefix	A prefix to be used on redis keys. It defaults to limiter
trust_forward_headers	If set to True, X-Forwarded-For and X-Real-IP headers will be used instead of the source ip. Defaults to False.

Headers sent to the client

When this plugin is enabled, Janus will send some additional headers back to the client telling how many requests are available and what are the limits allowed, for example:

X-Ratelimit-Limit: 10
X-Ratelimit-Remaining: 9
X-Ratelimit-Reset: 1491383478

If any of the limits configured is being reached, the plugin will return a HTTP/1.1 429 status code to the client with the following plain text body:

Limit exceeded

Implementation considerations

The plugin supports 3 policies, which each have their specific pros and cons.

Policy	Pros	Cons
redis	accurate, lesser performance impact than a cluster policy	extra redis installation required, bigger performance impact than a local policy
local	minimal performance impact	less accurate, and unless a consistent-hashing load balancer is used in front of Janus, it diverges when scaling the number of nodes

There are 2 use cases that are most common:

1. every transaction counts.

These are for example transactions with financial consequences. Here the highest level of accuracy is required.

2. backend protection.

This is where accuracy is not as relevant, but it is merely used to protect backend services from overload. Either by specific users, or to protect against an attack in general.

NOTE: the redis policy does not support the Sentinel protocol for high available master-slave architectures. When using rate-limiting for general protection the chances of both redis being down and the system being under attack are rather small. Check with your own use case wether you can handle this (small) risk.