Rate Limiting Plugin


#1

Rate limit how many HTTP requests a developer can make in a given period of seconds, minutes, hours, days, months or years. If the API has no authentication layer, the Client IP address will be used, otherwise the Consumer will be used if an authentication plugin has been configured. Give it a try and discuss it here!

Rate Limiting plugin documentation


#2

Question: We would like to limit the number of messages per week
Is it possible (simple)? Can you please indicate how it is done?
Many thanks


#3

I just set up rate limiting with “config.limit_by=ip”, and tried to make API requests from different machines (with different IP address), but the counting includes the requests from different machines, and the X-RateLimit-Remaining-minute value drops for each request from different machines. So it seems to me it’s not really limiting by IP. Is anyone has similar test before, and how’s the outcome? Is my understanding correct?


#4

Hi,

Could you maybe describe your setup furthermore so we can help you? There simply isn’t enough information in your message for us to draw any sort of conclusion.

Also, you may want to check this post:

In particular, the following part:

Beware, for existing plugins already access this value like so, such as the rate-limiting plugin. This means, if Kong/ngx_http_realip_module is badly configured, this plugin will rate-limit based on a previous load-balancer’s IP address, instead of each individual client’s IP address, leading to a drastically different behavior than expected!

Your issue could be related. Or it could be something else entirely but for us to figure it out, we’d need more information.


#5

Thanks thibaultcha.
Yep, it’s because of a proxy (in vagrant) before kong, that set X-Forwarded-For.


#6

Hi,

Is there a way to get the limits for a consumer and the remaining number of requests allowed?
Thank you.


#7

Hi,

Special headers are sent to the upstream by the plugin with the limits.
Check Header Sent to the client at https://getkong.org/plugins/rate-limiting/


#8

@solosebi17d remaining changes as time goes on with rate limiting. If no requests it grows to max, if requests it goes to zero (if not grown faster). Limits for consumer can be specified by applying rate-limiting plugin to particular consumer.


#9

Hi,

Could I know if we can eliminate X-RateLimit-Limit-* and X-RateLimit-Remaining-* headers responding to the clients?

And when setting up key-auth for different consumers, is there any way I can get the the key values from our DB (mysql)? With SQL statements? Or I need to write a script to automate it? Thanks!


#10

Could I know if we can eliminate X-RateLimit-Limit-* and X-RateLimit-Remaining-* headers responding to the clients?

Yep - you’ll find that option in the documentation - look at config.hide_client_headers

And when setting up key-auth for different consumers, is there any way I can get the the key values from our DB (mysql)? With SQL statements? Or I need to write a script to automate it? Thanks!

Please open a new discussion for that question, thanks!


#11

Hi Henry,

As u asked the following query on the form:

I just set up rate limiting with “config.limit_by=ip”, and tried to make API requests from different machines (with different IP address), but the counting includes the requests from different machines, and the X-RateLimit-Remaining-minute value drops for each request from different machines. So it seems to me it’s not really limiting by IP.

Would you be able to restrict the client IP (machine) to make API requests ?