Rate Limit over Sliding Window not working? #1224

@MysticRyuujin

Description

Detailed description of the problem

I've followed numerous tutorials about how to implement a "sliding window" rate limit but I can't seem to make any of them work.

I'm trying to limit users of an API to "X requests per second" over a sliding window of time. I don't care how many times they call the API, so long as they don't go over X requests per second. However, I can only seem to get it to work over some max number of calls, regardless of the rate at which they make the calls.

I've tried a few configs. Example:

  stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
  tcp-request content track-sc1 src
  acl is_rate_abuse src_http_req_rate gt 200
  http-request deny deny_status 429 if is_rate_abuse

With this config, if I ran requests at 1 RPS, as soon as it hit 200 it throws a 429, even if those 200 requests took 200 seconds...

Using Locust, I set it to run 1 user, sending a request every 1 second. As soon as it hit 200 total requests, it started failing. This, to me, makes no sense given that this is supposed to be the request rate over 10 seconds, not over the life of the address in the stick-table?

And here's me doing it with 5 "users" at 1 RPS (so 5 RPS total)

I will fully admit that the above code may be incorrect, however, I've tried every single example I could find online to make this work. Some of them are vastly different configs but they all come down to the same basic principle of tracking http_req_rate() and src_http_req_rate and nothing I've done has made it so that X/req/sec works. As soon as I hit the number defined in src_http_req_rate it starts sending 429s.

Expected behavior

The http_req_rate should be the rate over a 10 second window, and the src_http_req_rate should be the request rate over that same window?

Steps to reproduce the behavior

  1. Run HAProxy with a sliding window rate limiter
  2. Test that rate limiter?
  3. Profit

Do you have any idea what may have caused this?

No

Do you have an idea how to solve the issue?

No

What is your configuration?

frontend http-in
  bind *:80
  # Rate Limit
  stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
  tcp-request content track-sc1 src
  acl is_rate_abuse src_http_req_rate gt 200
  http-request deny deny_status 429 if is_rate_abuse

Output of haproxy -vv and uname -a

I'm running this in Docker but it's

haproxy version is 2.2.11-1

If HAProxy crashed: Last outputs and backtraces

(paste your output here)

Additional information (if helpful)

Labels: status: duplicate (This issue or pull request already exists.); type: bug (This issue describes a bug.)
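
As an added example (not part of the original issue and not HAProxy's code), the following Python model shows the behaviour the reporter expects from a sliding window: an exact per-client timestamp log using the issue's 10 s window and 200-request threshold, replayed at the loads described above plus a burst. The client address, the class and function names, and the choice to keep counting denied requests are assumptions of this example.

```python
from collections import deque

WINDOW_MS = 10_000  # the 10s period from http_req_rate(10s) in the issue's config
THRESHOLD = 200     # from "src_http_req_rate gt 200"


class SlidingWindowLimiter:
    """Exact sliding window: one timestamp per request, per client."""

    def __init__(self, window_ms=WINDOW_MS, threshold=THRESHOLD):
        self.window_ms = window_ms
        self.threshold = threshold
        self.hits = {}  # client -> deque of request times in ms

    def allow(self, client, now_ms):
        q = self.hits.setdefault(client, deque())
        # Drop requests that have slid out of the window.
        while q and q[0] <= now_ms - self.window_ms:
            q.popleft()
        # Assumption of this example: denied requests are still counted.
        q.append(now_ms)
        # Deny only when the in-window count is greater than the threshold.
        return len(q) <= self.threshold


def simulate(phases, client="198.51.100.7"):
    """Replay (rps, seconds) phases back to back.

    Returns (allowed, denied, peak in-window count). Integer milliseconds
    keep the window edges exact. The client address is a constructed sample.
    """
    limiter = SlidingWindowLimiter()
    allowed = denied = peak = 0
    start_ms = 0
    for rps, seconds in phases:
        for i in range(rps * seconds):
            ok = limiter.allow(client, start_ms + i * 1000 // rps)
            allowed += ok
            denied += not ok
            peak = max(peak, len(limiter.hits[client]))
        start_ms += seconds * 1000
    return allowed, denied, peak


if __name__ == "__main__":
    print(simulate([(1, 300)]))            # the 1 RPS run from the issue
    print(simulate([(5, 300)]))            # 5 users at 1 RPS each
    print(simulate([(30, 20), (1, 60)]))   # burst, then back to 1 RPS
```

At 1 RPS the window never holds more than 10 requests, so an exact sliding window never reaches 200; only a sustained rate above 20 requests per second does, and the client recovers once the burst has slid out of the window.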
