I’m using the rate-limiting plugin and limiting by credential (which is determined by API key; the key-auth plugin is active). That’s working fine. Now, I noticed that even error responses like 400, 502, etc. are getting counted towards the quota I’ve set, not just the 200 success ones. What should I do to make the rate-limiting plugin enforce only for success responses? I don’t want a wasted API call getting counted towards the quota.
I’m on a dockerized Kong Gateway 3.3.0, the free / community one.
I have not seen anything in the rate-limiting plugin to modify the quota against a particular status code yet.
Even if we can achieve functionality like this using something like a custom plugin, this will leave our API vulnerable to DDoS attacks, since we would be allowing a practically unlimited number of invalid requests.
Besides, status codes such as 4xx are API-user-level errors, something clients should be wary of, while 5xx are internal API errors, which should not occur or should be fixed immediately.
Thanks a lot for your inputs. I agree with the opinion that it’s not practical to do rate limiting based on the response.
If we do go on to implement this, I reckon I’ll need one wider rate limit in Kong, and then in the application backend I’ll have to put limits on the number of successes in a day etc. as per business logic.
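The two-tier design sketched in the last post, and the DDoS caveat raised in the reply before it, as an added example that is not part of the original thread and not Kong code: an outer limiter that counts every request regardless of outcome (the role the Kong rate-limiting plugin plays), plus an inner success-only quota enforced in the backend. The class name `TwoTierQuota`, the method names, the bucket sizes and the constructed request sequences are all assumptions made for this illustration; in a real deployment the counters would live in a shared store such as Redis rather than in process memory.

```python
"""Added example: outer per-minute request limit (every request counts, as
the Kong plugin does) plus an inner per-day quota that only 2xx responses
consume. Not code from the thread or from Kong; names are illustrative."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass
class Decision:
    allowed: bool
    status: int   # HTTP status the client would receive if rejected
    reason: str


class TwoTierQuota:
    def __init__(self, requests_per_minute: int, successes_per_day: int) -> None:
        self.requests_per_minute = requests_per_minute
        self.successes_per_day = successes_per_day
        # (credential, minute bucket) -> every request, any outcome
        self._requests: Dict[Tuple[str, str], int] = defaultdict(int)
        # (credential, UTC day bucket) -> 2xx responses only
        self._successes: Dict[Tuple[str, str], int] = defaultdict(int)

    @staticmethod
    def _minute_bucket(now: datetime) -> str:
        return now.strftime("%Y-%m-%dT%H:%M")

    @staticmethod
    def _day_bucket(now: datetime) -> str:
        return now.strftime("%Y-%m-%d")

    def admit(self, credential: str, now: datetime) -> Decision:
        """Pre-request checks. Tier 1 counts the request whatever happens
        next, so a flood of invalid calls is still bounded. Tier 2 refuses
        new work once the day's success budget is spent."""
        minute_key = (credential, self._minute_bucket(now))
        self._requests[minute_key] += 1
        if self._requests[minute_key] > self.requests_per_minute:
            return Decision(False, 429, "outer request limit exceeded")
        day_key = (credential, self._day_bucket(now))
        if self._successes[day_key] >= self.successes_per_day:
            return Decision(False, 429, "daily success quota exhausted")
        return Decision(True, 200, "admitted")

    def record(self, credential: str, now: datetime, status: int) -> bool:
        """Post-response accounting: only 2xx consumes the daily quota.
        Returns True when quota was consumed."""
        if 200 <= status < 300:
            self._successes[(credential, self._day_bucket(now))] += 1
            return True
        return False

    def successes_used(self, credential: str, now: datetime) -> int:
        return self._successes[(credential, self._day_bucket(now))]


def handle(quota: TwoTierQuota, credential: str, now: datetime,
           backend: Callable[[], int]) -> int:
    """What the backend's request path would do around the real handler."""
    decision = quota.admit(credential, now)
    if not decision.allowed:
        return decision.status
    status = backend()            # the real work; may fail with 4xx/5xx
    quota.record(credential, now, status)
    return status


def simulate(per_minute: int, per_day: int,
             outcomes: List[int]) -> Tuple[List[int], int]:
    """Replay a constructed sequence of backend outcomes for one key within
    a single minute; return the statuses the client sees and the quota used."""
    quota = TwoTierQuota(per_minute, per_day)
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed
    seen = []
    for status in outcomes:
        seen.append(handle(quota, "key-A", now, lambda s=status: s))
    return seen, quota.successes_used("key-A", now)


if __name__ == "__main__":
    # Errors do not eat the daily quota; the fourth success is refused.
    print(simulate(100, 3, [200, 400, 502, 200, 200, 200]))
    # An error flood never touches the quota but still hits the outer limit.
    print(simulate(5, 100, [400] * 7))
```

The backend identifies the caller from whatever Kong forwards upstream for the authenticated consumer (its consumer identity headers), so the inner quota is keyed on the same credential the outer Kong limit uses. The point of the outer tier is exactly the objection raised in the reply: without it, a client could send unbounded malformed requests at no quota cost.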