kayx23 commented on code in PR #1810: URL: https://github.com/apache/apisix-website/pull/1810#discussion_r1693920008
########## blog/en/blog/2024/07/25/different-rate-limits-apisix.md: ########## @@ -0,0 +1,259 @@ +--- +title: Advanced URL rewriting with Apache APISIX +authors: + - name: Nicolas Fränkel + title: Author + url: https://github.com/nfrankel + image_url: https://avatars.githubusercontent.com/u/752258 +keywords: + - APISIX + - Rate Limiting + - Consumer + - Consumer Groups +description: > + In my talk Evolving your APIs, I mention that an API Gateways is a Reverse Proxy "on steroids". One key difference between the former and the latter is that the API Gateway is not unfriendly to business logic. The poster child is rate-limiting. +tags: [Ecosystem] +image: https://static.apiseven.com/uploads/2024/07/27/U4BZicm8_speedometer-1249610.jpg +--- + +<head> + <link rel="canonical" href="https://blog.frankel.ch/different-rate-limits-apisix/"; /> +</head> + +>In my talk Evolving your APIs, I mention that an API Gateways is a Reverse Proxy "on steroids". One key difference between the former and the latter is that the API Gateway is not unfriendly to business logic. The poster child is rate-limiting. + +<!--truncate--> + +Rate-limiting is an age-old Reverse Proxy feature focused on protecting against <abbr title="Distributed Denial of Service">DDoS</abbr> attacks. It treats all clients the same and is purely technical. In this day and age, most API providers offer different subscription tiers; the higher the tier, the higher the rate limit, and the more you pay incidentally. It's not technical anymore and requires to differentiate between clients. + +In this post, I want to detail how to do it with Apache APISIX. Note I take most of the material from the [workshop](https://nfrankel.github.io/apisix-workshop/). + +## Rate-limiting for the masses + +Apache APISIX offers no less than three plugins to rate limit requests: + +* [limit conn](https://apisix.apache.org/docs/apisix/plugins/limit-conn/): limits the number of concurrent requests +* [limit req](https://https://apisix.apache.org/docs/apisix/plugins/limit-req/): limits the number of requests based on the [Leaky Bucket](https://en.wikipedia.org/wiki/Leaky_bucket) algorithm +* [limit count](https://https://apisix.apache.org/docs/apisix/plugins/limit-count/): limits the number of requests based on a fixed time window + +The `limit-count` plugin is a good candidate for this post. + +Let's configure the plugin for a route: + +```yaml +routes: + - uri: /get + upstream: + nodes: + "http://httpbin.org:80": 1 + plugins: + limit-count: #1 + count: 1 #2 + time_window: 60 #2 + rejected_code: 429 #3 +#END +``` + +1. Set the `limit-count` plugin +2. Limit requests to one every 60 seconds +3. Override the default HTTP response code, _i.e._, `503` + +At this point, we configured regular rate limiting. + +```bash +curl -v http://localhost:9080/get +curl -v http://localhost:9080/get +``` + +If we execute the second request before a minute has passed, the result is the following: + +```http +HTTP/1.1 429 Too Many Requests +Date: Tue, 09 Jul 2024 06:55:07 GMT +Content-Type: text/html; charset=utf-8 +Content-Length: 241 +Connection: keep-alive +X-RateLimit-Limit: 1 #1 +X-RateLimit-Remaining: 0 #2 +X-RateLimit-Reset: 59 #3 +Server: APISIX/3.9.1 + +<html> +<head><title>429 Too Many Requests</title></head> +<body> +<center><h1>429 Too Many Requests</h1></center> +<hr><center>openresty</center> +<p><em>Powered by <a href="https://apisix.apache.org/";>APISIX</a>.</em></p></body> +</html> +``` + +1. Configured limit +2. Remaining quota +3. Waiting time in seconds before quota replenishment + +## Per-consumer rate limiting + +To configure per-consumer rate limiting, we first need to implement request authentication. APISIX offers many authentication plugins; we shall use the simplest one, [key-auth](https://apisix.apache.org/docs/apisix/plugins/key-auth/). `key-auth` checks a specific HTTP request header - `apikey` by default. Review Comment: ```suggestion To configure per-consumer rate limiting, we first need to implement request authentication. APISIX offers many authentication plugins; we shall use the simplest one, [`key-auth`](https://apisix.apache.org/docs/apisix/plugins/key-auth/). `key-auth` checks a specific HTTP request header - `apikey` by default. ``` ########## blog/en/blog/2024/07/25/different-rate-limits-apisix.md: ########## @@ -0,0 +1,259 @@ +--- +title: Advanced URL rewriting with Apache APISIX +authors: + - name: Nicolas Fränkel + title: Author + url: https://github.com/nfrankel + image_url: https://avatars.githubusercontent.com/u/752258 +keywords: + - APISIX + - Rate Limiting + - Consumer + - Consumer Groups +description: > + In my talk Evolving your APIs, I mention that an API Gateways is a Reverse Proxy "on steroids". One key difference between the former and the latter is that the API Gateway is not unfriendly to business logic. The poster child is rate-limiting. +tags: [Ecosystem] +image: https://static.apiseven.com/uploads/2024/07/27/U4BZicm8_speedometer-1249610.jpg +--- + +<head> + <link rel="canonical" href="https://blog.frankel.ch/different-rate-limits-apisix/"; /> +</head> + +>In my talk Evolving your APIs, I mention that an API Gateways is a Reverse Proxy "on steroids". One key difference between the former and the latter is that the API Gateway is not unfriendly to business logic. The poster child is rate-limiting. Review Comment: ```suggestion >In my talk Evolving your APIs, I mention that an API Gateway is a Reverse Proxy "on steroids". One key difference between the former and the latter is that the API Gateway is not unfriendly to business logic. The poster child is rate-limiting. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
