-
Notifications
You must be signed in to change notification settings - Fork 4.6k
/
ratelimit.proto
132 lines (112 loc) · 5.09 KB
/
ratelimit.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
syntax = "proto3";
package envoy.extensions.common.ratelimit.v3;
import "envoy/type/v3/ratelimit_unit.proto";
import "envoy/type/v3/token_bucket.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.common.ratelimit.v3";
option java_outer_classname = "RatelimitProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/common/ratelimit/v3;ratelimitv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Common rate limit components]
// Defines the version of the standard to use for X-RateLimit headers.
enum XRateLimitHeadersRFCVersion {
// X-RateLimit headers disabled.
OFF = 0;
// Use `draft RFC Version 03 <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_ where 3 headers will be added:
//
// * ``X-RateLimit-Limit`` - indicates the request-quota associated to the
// client in the current time-window followed by the description of the
// quota policy. The value is returned by the maximum tokens of the token bucket.
// * ``X-RateLimit-Remaining`` - indicates the remaining requests in the
// current time-window. The value is returned by the remaining tokens in the token bucket.
// * ``X-RateLimit-Reset`` - indicates the number of seconds until reset of
// the current time-window. The value is returned by the remaining fill interval of the token bucket.
DRAFT_VERSION_03 = 1;
}
enum VhRateLimitsOptions {
// Use the virtual host rate limits unless the route has a rate limit policy.
OVERRIDE = 0;
// Use the virtual host rate limits even if the route has a rate limit policy.
INCLUDE = 1;
// Ignore the virtual host rate limits even if the route does not have a rate limit policy.
IGNORE = 2;
}
// A RateLimitDescriptor is a list of hierarchical entries that are used by the service to
// determine the final rate limit key and overall allowed limit. Here are some examples of how
// they might be used for the domain "envoy".
//
// .. code-block:: cpp
//
// ["authenticated": "false"], ["remote_address": "10.0.0.1"]
//
// What it does: Limits all unauthenticated traffic for the IP address 10.0.0.1. The
// configuration supplies a default limit for the *remote_address* key. If there is a desire to
// raise the limit for 10.0.0.1 or block it entirely it can be specified directly in the
// configuration.
//
// .. code-block:: cpp
//
// ["authenticated": "false"], ["path": "/foo/bar"]
//
// What it does: Limits all unauthenticated traffic globally for a specific path (or prefix if
// configured that way in the service).
//
// .. code-block:: cpp
//
// ["authenticated": "false"], ["path": "/foo/bar"], ["remote_address": "10.0.0.1"]
//
// What it does: Limits unauthenticated traffic to a specific path for a specific IP address.
// Like (1) we can raise/block specific IP addresses if we want with an override configuration.
//
// .. code-block:: cpp
//
// ["authenticated": "true"], ["client_id": "foo"]
//
// What it does: Limits all traffic for an authenticated client "foo"
//
// .. code-block:: cpp
//
// ["authenticated": "true"], ["client_id": "foo"], ["path": "/foo/bar"]
//
// What it does: Limits traffic to a specific path for an authenticated client "foo"
//
// The idea behind the API is that (1)/(2)/(3) and (4)/(5) can be sent in 1 request if desired.
// This enables building complex application scenarios with a generic backend.
//
// Optionally the descriptor can contain a limit override under a "limit" key, that specifies
// the number of requests per unit to use instead of the number configured in the
// rate limiting service.
message RateLimitDescriptor {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.ratelimit.RateLimitDescriptor";
message Entry {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.ratelimit.RateLimitDescriptor.Entry";
// Descriptor key.
string key = 1 [(validate.rules).string = {min_len: 1}];
// Descriptor value.
string value = 2 [(validate.rules).string = {min_len: 1}];
}
// Override rate limit to apply to this descriptor instead of the limit
// configured in the rate limit service. See :ref:`rate limit override
// <config_http_filters_rate_limit_rate_limit_override>` for more information.
message RateLimitOverride {
// The number of requests per unit of time.
uint32 requests_per_unit = 1;
// The unit of time.
type.v3.RateLimitUnit unit = 2 [(validate.rules).enum = {defined_only: true}];
}
// Descriptor entries.
repeated Entry entries = 1 [(validate.rules).repeated = {min_items: 1}];
// Optional rate limit override to supply to the ratelimit service.
RateLimitOverride limit = 2;
}
message LocalRateLimitDescriptor {
// Descriptor entries.
repeated v3.RateLimitDescriptor.Entry entries = 1 [(validate.rules).repeated = {min_items: 1}];
// Token Bucket algorithm for local ratelimiting.
type.v3.TokenBucket token_bucket = 2 [(validate.rules).message = {required: true}];
}