Applying multiple rate-limits on a route or a service

Hello,
I’d like to be able to set up 2 different rate-limit policies on a route/schema to prevent brute-force attacks from a single IP address and, globally, to protect our backend.

Since I couldn’t find a way to set up 2 policies on a service or a route, I decided to try to set up one policy on the route and one policy on the service.
Well… it does not work…

What it does instead is apply the service policy to any routes attached to this service that do not have a specific policy defined. It seems that the limits will not apply globally to all the routes of the service.

I’m using Kong 1.5 in dbless mode. Here is the conf:

plugins:
    - name: rate-limiting
      service: echoService
      config:
        minute: 20
        policy: local
 
services:     
    - name: echoService
      url: <backend url>
      protocol: [http, https]
      routes:
       - name: echoNoLimit
         paths: [/echo-nolimit]
         methods: [GET]
       - name: echoLocal
         paths: [/echo-local]
         methods: [GET]
         plugins:
         - name: rate-limiting
           config:
             minute: 10
             policy: local
             limit_by: ip

Interestingly, I’ve tried to use limit_by: service at the service level following the documentation, but it throws an error asking for consumer, credential or ip only.
Here is the error message:

error parsing declarative config file /etc/kong/kong.yml:
kong-front_1  | in 'plugins':
kong-front_1  |   - in entry 4 of 'plugins':
kong-front_1  |     in 'config':
kong-front_1  |       in 'limit_by': expected one of: consumer, credential, ip

Any help appreciated

S.

Hi Stephan
I see that nobody found a solution to your issue since February…
I have a similar problem: I would like to set a global rate-limiting to protect my backend and also a consumer quota to prevent one consumer from using all the bandwidth.
The problem is that every consumer quota added increases the bandwidth.
The only solution I see is to create a new rate-limiting plugin (by changing only the name: global-rate-limiting) so that 2 real plugins are available. I didn’t test it, but it’s a lead…
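The behaviour reported in the first post, as an added example that is not part of the thread and not Kong source code: a small model in which only one rate-limiting config runs per request (route beats service), compared with a hypothetical gateway that enforces both limits. The limits and route names come from the posted config; treating the service limit as one shared bucket, the `stacked` switch and the sample IPs are assumptions.

```python
# Added illustration: simplified model of the behaviour described in the thread,
# not Kong source code. One fixed one-minute window is simulated.
from collections import defaultdict

# Values taken from the posted declarative config.
SERVICE_LIMIT = 20                       # rate-limiting on echoService
ROUTE_LIMITS = {"echoLocal": 10}         # rate-limiting on the route, limit_by: ip
                                         # echoNoLimit has no route-level plugin

class Gateway:
    def __init__(self, stacked=False):
        # stacked=False: one rate-limiting config per request, route beats service
        #                (the behaviour reported in the thread).
        # stacked=True:  hypothetical gateway that enforces both limits.
        self.stacked = stacked
        self.per_ip = defaultdict(int)   # counters for the route-level limit
        self.shared = 0                  # ASSUMPTION: service limit is one shared bucket

    def handle(self, route, ip):
        route_limit = ROUTE_LIMITS.get(route)
        use_service = self.stacked or route_limit is None
        # Check every applicable limit before incrementing any counter,
        # so a rejected request does not consume quota.
        if route_limit is not None and self.per_ip[(route, ip)] >= route_limit:
            return 429
        if use_service and self.shared >= SERVICE_LIMIT:
            return 429
        if route_limit is not None:
            self.per_ip[(route, ip)] += 1
        if use_service:
            self.shared += 1
        return 200

def backend_hits(route, n_clients, per_client, stacked=False):
    """Requests reaching the backend when n_clients IPs each send per_client requests."""
    gw = Gateway(stacked)
    ips = [f"198.51.100.{i}" for i in range(1, n_clients + 1)]  # constructed sample IPs
    return sum(gw.handle(route, ip) == 200 for ip in ips for _ in range(per_client))

if __name__ == "__main__":
    print(backend_hits("echoLocal", 5, 15))                # route limit only
    print(backend_hits("echoLocal", 5, 15, stacked=True))  # both limits enforced
    print(backend_hits("echoNoLimit", 5, 15))              # service limit only
```

With five clients, the per-IP limit alone lets well over the service limit reach the backend on `echoLocal`; only the stacked variant keeps the total at the service limit.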