rateLimiter

The rateLimiter plugin limits the number of requests of a client in a period of time. As a default the client requests are grouped by client-Ip address and then counted. There are lots of possibilities to group the requests using the keyExpression. The requests can even be counted from different clients together.

When the gateway is located behind a loadbalancer then the client-Ip address is not the one from the client but the address from the balancer. To get the real Ip-address loadbalancers, Web Application Firewalls and reverse proxies set the ip from the original client into the X-Forwarded-For HTTP header field. The limiter plugin can take the Ip-address from the header.

The X-Forwarded-For header can only be trusted when a trustworthy reverse proxy or load balancer is between the client and server. The gateway not should be reachable directly. Only activate this feature when you know what you are doing.



Can be used in:

serviceProxy, api, stompProxy, swaggerProxy, if, registration, wsStompReassembler, interceptor, bean, internalProxy, transport and soapProxy


Attributes

NameRequiredDefaultDescriptionExample
requestLimit false 1000
Number of requests within the period of measurement. -
requestLimitDuration false PT3600S
Duration after the limit is reset in the ISO 8600 Duration format, e.g. PT10S for 10 seconds, PT5M for 5 minutes or PT8H for eight hours. -
trustedProxyCount false 0
Number of trusted proxy servers and loadbalancers. Used to evaluate the X-Forwarded-For header. If both <pre>trustedProxyList</pre> and <pre>trustedProxyCount</pre> is specified, the trustedProxyList is used to determine the client ip address. To make this configuration active set <pre>isTrustForwardedFor</pre> to true. -
keyExpression false ip-address
The expression the ratelimiter should use to group the requests before counting. The Spring Expression Language (SpEL) is used as language. In the expression the build-in variables request, header, properties can be used. -
trustedProxyList false empty String
Comma separated list of trusted proxy servers and loadbalancers. Used to evaluate the X-Forwarded-For header. If both <b>trustedProxyList</b> and <b>trustedProxyCount</b> is specified, the trustedProxyList is used to determine the client ip address. To make this configuration active set <pre>isTrustForwardedFor</pre> to true. -
trustForwardedFor false false
Set this only to true if you know that are you doing. The function of the ratelimter relys on corrent X-ForwaredFor header values. -