Introduction
In the previous articles of this series, we discussed how to build an API Gateway in ASP.NET Core.
In this article, we will discuss the rate limiting module of Ocelot.
If you want to look at the previous articles of this series, please visit the links given below.
What is Rate Limiting?
Wikipedia tells us that rate limiting is used to control the rate of traffic sent or received by a network interface controller and is used to prevent DoS attacks.
Most APIs are subject to a limit on how many calls can be made per second (or minute, or another short time period), in order to protect servers from being overloaded and to maintain a high quality of service for many clients.
Now, let's take a look at how to use Ocelot to accomplish rate limiting.
I will use version 3.1.5 of Ocelot to build a sample.
Preparation
As usual, we first create two projects and make sure that both of them run:
Project Name | Project Type | Description |
APIGateway | ASP.NET Core Empty | This is the entry of this demo. |
APIServices | ASP.NET Core Web API | This is an API Service that provides some services. |
Add a basic configuration.json file to the APIGateway project.
{
  "ReRoutes": [
    {
      "DownstreamPathTemplate": "/api/values",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 9001
        }
      ],
      "UpstreamPathTemplate": "/customers",
      "UpstreamHttpMethod": [ "Get" ]
    },
    {
      "DownstreamPathTemplate": "/api/values/{id}",
      "DownstreamScheme": "http",
      "DownstreamHostAndPorts": [
        {
          "Host": "localhost",
          "Port": 9001
        }
      ],
      "UpstreamPathTemplate": "/customers/{id}",
      "UpstreamHttpMethod": [ "Get" ]
    }
  ],
  "GlobalConfiguration": {
    "RequestIdKey": "OcRequestId",
    "AdministrationPath": "/administration"
  }
}
Note
Pay attention to the DownstreamHostAndPorts node. Previous versions of Ocelot used DownstreamHost and DownstreamPort instead.
Run those two projects and you may get the following result.
It means that our preparation is done. Now, we will add the rate limiting configuration to http://localhost:9000/customers.
Add Rate Limiting In configuration.json
We only need to add a node named RateLimitOptions. The following code shows the basic configuration.
{
  "DownstreamPathTemplate": "/api/values",
  "DownstreamScheme": "http",
  "DownstreamHostAndPorts": [
    {
      "Host": "localhost",
      "Port": 9001
    }
  ],
  "UpstreamPathTemplate": "/customers",
  "UpstreamHttpMethod": [ "Get" ],
  "RateLimitOptions": {
    "ClientWhitelist": [],
    "EnableRateLimiting": true,
    "Period": "1s",
    "PeriodTimespan": 1,
    "Limit": 1
  }
}
Let's take a look at the RateLimitOptions node.
- ClientWhitelist
This is an array that contains the whitelisted clients. Clients in this array are not affected by the rate limiting.
- EnableRateLimiting
This value specifies whether endpoint rate limiting is enabled.
- Period
This value specifies the period, such as 1s, 5m, 1h, 1d and so on.
- PeriodTimespan
This value specifies that we can retry after a certain number of seconds.
- Limit
This value specifies the maximum number of requests that a client can make in a defined period.
With the above configuration, we can only visit once per second.
Let's take a look at the result after adding rate limiting:
As you can see, when we visit more than once within a second, it tells us "API calls quota exceeded! maximum admitted 1 per 1s." You can also see the following screenshot.
The response status code is 429 (Too Many Requests). The response headers contain Retry-After, which means that we should retry after 1 second.
Some More Configuration
We have finished the rate limiting in the previous step.
However, you may ask three questions here:
- Can we replace the default prompts?
- Can we remove the response header of rate limiting?
- Can we change the response status code?
The answer to all of those questions is yes.
If we want to change those settings, we need to add some global configuration.
"GlobalConfiguration": {
  "RequestIdKey": "OcRequestId",
  "AdministrationPath": "/administration",
  "RateLimitOptions": {
    "DisableRateLimitHeaders": false,
    "QuotaExceededMessage": "Customize Tips!",
    "HttpStatusCode": 999
  }
}
Let's take a look at the RateLimitOptions node in GlobalConfiguration!
- DisableRateLimitHeaders
This value specifies whether the X-Rate-Limit and Retry-After headers are disabled.
- QuotaExceededMessage
This value specifies the message returned when the quota is exceeded.
- HttpStatusCode
This value specifies the returned HTTP Status code when rate limiting occurs.
After adding those configurations, we can get the results as follows.
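RateLimitOptions is set per ReRoute, so in this article's sample only /customers is throttled while /customers/{id} is not. The following added example (not part of the original article or of Ocelot) audits a parsed configuration.json for routes without rate limiting, whitelisted clients, and global overrides that change what a throttled client sees. The function names and the `<integer><unit>` reading of Period are assumptions of this sketch, and the sample configuration is constructed from the snippets above.

```python
import json
import re

# Constructed sample: the article's two ReRoutes (downstream keys omitted) and
# its GlobalConfiguration overrides. Only /customers carries RateLimitOptions.
SAMPLE = json.loads("""
{"ReRoutes": [
   {"UpstreamPathTemplate": "/customers",
    "RateLimitOptions": {"ClientWhitelist": [], "EnableRateLimiting": true,
                         "Period": "1s", "PeriodTimespan": 1, "Limit": 1}},
   {"UpstreamPathTemplate": "/customers/{id}"}],
 "GlobalConfiguration": {"RateLimitOptions": {
   "DisableRateLimitHeaders": false,
   "QuotaExceededMessage": "Customize Tips!", "HttpStatusCode": 999}}}
""")

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def period_seconds(period):
    """Convert '1s', '5m', '1h', '1d' to seconds (assumes <integer><unit>)."""
    match = re.fullmatch(r"(\d+)([smhd])", period.strip())
    if not match or int(match.group(1)) == 0:
        raise ValueError(f"unrecognised Period: {period!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]

def audit(config):
    """Return (upstream path, finding) pairs for a parsed configuration."""
    findings = []
    for route in config.get("ReRoutes", []):
        path = route.get("UpstreamPathTemplate", "<no upstream path>")
        opts = route.get("RateLimitOptions") or {}
        if not opts.get("EnableRateLimiting", False):
            findings.append((path, "no rate limiting"))
            continue
        rate = opts["Limit"] / period_seconds(opts["Period"])
        findings.append((path, f"limited to {rate:g} req/s per client"))
        if opts.get("ClientWhitelist"):
            findings.append((path, "exempt clients: " + ", ".join(opts["ClientWhitelist"])))
    overrides = config.get("GlobalConfiguration", {}).get("RateLimitOptions", {})
    if overrides.get("DisableRateLimitHeaders", False):
        findings.append(("*", "rate-limit response headers disabled"))
    status = overrides.get("HttpStatusCode", 429)
    if status != 429:
        findings.append(("*", f"throttled requests get status {status}, not 429"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

Clients and monitoring that key on 429 and Retry-After will not recognise a custom status such as 999 as throttling, which is why the audit reports it.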
You can find the source code on my GitHub page.
Summary
This article introduced how to use the rate limiting module in Ocelot.
Hope this can help you!