The rateLimiter plugin limits the number of requests a client can make within a period of time. By default, client requests are grouped by client IP address and then counted. The keyExpression offers many other ways to group requests. Requests from different clients can even be counted together.
When the gateway is located behind a load balancer, the client IP address it sees is not the client's but the balancer's. To pass on the real IP address, load balancers, Web Application Firewalls and reverse proxies put the IP of the original client into the X-Forwarded-For HTTP header field. The limiter plugin can take the IP address from that header.
The X-Forwarded-For header can only be trusted when a trustworthy reverse proxy or load balancer sits between the client and the server. The gateway should not be reachable directly. Only activate this feature when you know what you are doing.
Name | Required | Default | Description | Example |
---|---|---|---|---|
requestLimit | false | 1000 | Number of requests within the period of measurement. | - |
requestLimitDuration | false | PT3600S | Duration after which the limit is reset, in the ISO 8601 duration format, e.g. PT10S for 10 seconds, PT5M for 5 minutes or PT8H for eight hours. | - |
trustedProxyCount | false | 0 | Number of trusted proxy servers and load balancers. Used to evaluate the X-Forwarded-For header. If both trustedProxyList and trustedProxyCount are specified, the trustedProxyList is used to determine the client IP address. To make this configuration active, set isTrustForwardedFor to true. | - |
keyExpression | false | ip-address | The expression the rate limiter uses to group the requests before counting. The expression is written in the Spring Expression Language (SpEL). The built-in variables request, header and properties can be used in the expression. | - |
trustedProxyList | false | empty String | Comma-separated list of trusted proxy servers and load balancers. Used to evaluate the X-Forwarded-For header. If both trustedProxyList and trustedProxyCount are specified, the trustedProxyList is used to determine the client IP address. To make this configuration active, set isTrustForwardedFor to true. | - |
trustForwardedFor | false | false | Set this to true only if you know what you are doing. The function of the rate limiter relies on correct X-Forwarded-For header values. | - |
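
The following Python illustration is an added example, not Membrane's own code. It shows how a limiter can derive the client IP used as the counting key from X-Forwarded-For with a trusted proxy count or a trusted proxy list, the list taking precedence as the table states. The function and parameter names, the sample addresses and the exact hop-counting semantics are assumptions.

```python
# Added illustration, not Membrane's source code. Names are hypothetical and
# the hop-counting semantics are an assumption about how such options work.
import ipaddress


def client_ip(peer_ip, xff_header, trust_forwarded_for=False,
              trusted_proxy_count=0, trusted_proxy_list=()):
    """Return the address to use as the rate-limit key for one request."""
    if not trust_forwarded_for:
        return peer_ip  # default: only the TCP peer address is believed
    # Hop chain, oldest hop first: header entries, then the connected peer.
    chain = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain.append(peer_ip)
    if trusted_proxy_list:
        # List mode (wins over the count): walk from the right and take the
        # first hop that is not one of our own proxies.
        trusted = set(trusted_proxy_list)
        candidate = next((h for h in reversed(chain) if h not in trusted),
                         peer_ip)
    elif len(chain) > trusted_proxy_count:
        # Count mode: the rightmost N hops are our proxies; the hop just
        # before them was written by a proxy we trust.
        candidate = chain[-(trusted_proxy_count + 1)]
    else:
        candidate = peer_ip  # fewer hops than configured: ignore the header
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed entry must never become a counting key


# Constructed sample: the client forges an entry, the balancer appends the
# address it actually saw, so only the rightmost header entry is reliable.
LB = "10.0.0.5"
FORGED_THEN_REAL = "198.51.100.1, 203.0.113.7"

if __name__ == "__main__":
    print(client_ip(LB, FORGED_THEN_REAL))                       # 10.0.0.5
    print(client_ip(LB, FORGED_THEN_REAL, True, 1))              # 203.0.113.7
    print(client_ip(LB, FORGED_THEN_REAL, True, 0, [LB]))        # 203.0.113.7
    # Gateway reached directly, bypassing the balancer:
    print(client_ip("203.0.113.7", "198.51.100.1", True, 1))     # forged key
    print(client_ip("203.0.113.7", "198.51.100.1", True, 0, [LB]))
```

In count mode a request that reaches the gateway directly still selects its own counting key, which is why the gateway must only be reachable through the proxy; list mode falls back to the peer address in that case.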