Add a rate-limiting plug-in to the Kong gateway

Rate limiting is used to control the rate of requests sent to upstream services. It can be used to prevent DoS attacks, limit web scraping, and curb other forms of overuse. Without rate limiting, clients have unlimited access to your upstream services, which can negatively impact availability.

1. Global rate limiting

1. Enable rate limiting

[root@min ~]# curl -i -X POST http://localhost:8001/plugins \
>   --data name=rate-limiting \
>   --data config.second=5 \
>   --data config.policy=local
HTTP/1.1 201 Created
Date: Tue, 30 May 2023 15:08:12 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: http://localhost:8002
X-Kong-Admin-Request-ID: OA4KbAYVZzjlJliahJnwao89qZ3piJKj
vary: Origin
Access-Control-Allow-Credentials: true
Content-Length: 719
X-Kong-Admin-Latency: 9
Server: kong/3.3.0.0-enterprise-edition

{"created_at":1685459292,"consumer":null,"protocols":["grpc","grpcs","http","https"],"updated_at":1685459292,"ordering":null,"enabled":true,"instance_name":null,"id":"8503da12-0bd2-41fd-9db3-05e43d6dc74a","service":null,"name":"rate-limiting","tags":null,"config":{"redis_port":6379,"redis_username":null,"redis_password":null,"limit_by":"consumer","error_message":"API rate limit exceeded","policy":"local","redis_server_name":null,"path":null,"day":null,"redis_timeout":2000,"year":null,"header_name":null,"hide_client_headers":false,"redis_ssl_verify":false,"second":5,"redis_database":0,"fault_tolerant":true,"month":null,"error_code":429,"redis_ssl":false,"minute":null,"hour":null,"redis_host":null},"route":null}

2. Test the rate limit

Here, Postman is used to send 10 requests within 1 second; five of them are expected to pass.

2.1. Add a test to the requested endpoint that passes only when the response status code is 200

2.2. Start the batch test

Click Run on the kong collection; the results confirm that the rate-limiting plug-in has taken effect.

2. Service-level rate limiting

[root@min ~]# curl -X POST http://localhost:8001/services/first_service/plugins \
>    --data "name=rate-limiting" \
>    --data config.second=10 \
>    --data config.policy=local
{"created_at":1685460463,"consumer":null,"protocols":["grpc","grpcs","http","https"],"updated_at":1685460463,"ordering":null,"enabled":true,"instance_name":null,"id":"d8f25f95-f61d-4666-b931-1a47c6158fde","service":{"id":"3aa00d3a-1f82-489a-bbe5-412c5e83c7c8"},"name":"rate-limiting","tags":null,"config":{"redis_port":6379,"redis_username":null,"redis_password":null,"limit_by":"consumer","error_message":"API rate limit exceeded","policy":"local","redis_server_name":null,"path":null,"day":null,"redis_timeout":2000,"year":null,"header_name":null,"hide_client_headers":false,"redis_ssl_verify":false,"second":10,"redis_database":0,"fault_tolerant":true,"month":null,"error_code":429,"redis_ssl":false,"minute":null,"hour":null,"redis_host":null},"route":null}

Currently we have two rate-limiting configurations: a global limit of 5 requests per second and a service-level limit of 10 requests per second.
The service-level configuration takes precedence over the global one; that is, when both exist, the service-level limit prevails.

3. Route-level rate limiting

[root@min ~]# curl -X POST http://localhost:8001/routes/first_route/plugins \
>    --data "name=rate-limiting" \
>    --data config.second=6 \
>    --data config.policy=local
{"created_at":1685461056,"consumer":null,"protocols":["grpc","grpcs","http","https"],"updated_at":1685461056,"ordering":null,"enabled":true,"instance_name":null,"id":"140831ea-a15f-431a-9aad-f3ea5ad16532","service":null,"name":"rate-limiting","tags":null,"config":{"redis_port":6379,"redis_username":null,"redis_password":null,"limit_by":"consumer","error_message":"API rate limit exceeded","policy":"local","redis_server_name":null,"path":null,"day":null,"redis_timeout":2000,"year":null,"header_name":null,"hide_client_headers":false,"redis_ssl_verify":false,"second":6,"redis_database":0,"fault_tolerant":true,"month":null,"error_code":429,"redis_ssl":false,"minute":null,"hour":null,"redis_host":null},"route":{"id":"3ef2a679-ba90-482d-96ff-2ca92dbce8f4"}}

At this point there are three rate-limiting configurations on Kong: global 5/s, service level 10/s, and route level 6/s. 11 requests are initiated within one second, and the responses are as follows:

From this we can see that when all three configurations exist, the route-level configuration prevails.

4. Consumer-level rate limiting

4.1. Create a new consumer

[root@min ~]# curl -X POST http://localhost:8001/consumers/ \
>   --data username=jsmith
{"created_at":1685461425,"custom_id":null,"username":"jsmith","tags":null,"type":0,"id":"df540cb1-f3ce-4d67-b30f-2a3b3e2e5598","username_lower":"jsmith","updated_at":1685461425}

4.2. Assign a key to consumer jsmith

[root@min ~]# curl -i -X POST http://localhost:8001/consumers/jsmith/key-auth
HTTP/1.1 201 Created
Date: Tue, 30 May 2023 15:45:20 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: http://localhost:8002
X-Kong-Admin-Request-ID: HrG3mXhgQ0J4bXW4MnsfLLCn3KcHkWJt
vary: Origin
Access-Control-Allow-Credentials: true
Content-Length: 190
X-Kong-Admin-Latency: 9
Server: kong/3.3.0.0-enterprise-edition

{"created_at":1685461520,"id":"bcde542a-799c-4c1b-ac03-e3ad87cfe436","ttl":null,"tags":null,"key":"ErjixFQiI2cRLifn4ZhRkXP7AHVyAlaE","consumer":{"id":"df540cb1-f3ce-4d67-b30f-2a3b3e2e5598"}}

4.3. Add a consumer-level rate limit

[root@min ~]# curl -X POST http://localhost:8001/plugins \
>    --data "name=rate-limiting" \
>    --data "consumer.username=jsmith" \
>    --data "config.second=7"
{"created_at":1685461850,"consumer":{"id":"df540cb1-f3ce-4d67-b30f-2a3b3e2e5598"},"protocols":["grpc","grpcs","http","https"],"updated_at":1685461850,"ordering":null,"enabled":true,"instance_name":null,"id":"ccc8284e-a511-4a7a-a37b-9c9930d1fb6c","service":null,"name":"rate-limiting","tags":null,"config":{"redis_port":6379,"redis_username":null,"redis_password":null,"limit_by":"consumer","error_message":"API rate limit exceeded","policy":"local","redis_server_name":null,"path":null,"day":null,"redis_timeout":2000,"year":null,"header_name":null,"hide_client_headers":false,"redis_ssl_verify":false,"second":7,"redis_database":0,"fault_tolerant":true,"month":null,"error_code":429,"redis_ssl":false,"minute":null,"hour":null,"redis_host":null},"route":null}

At this point there are four rate-limiting configurations: global, service, route, and consumer level, in increasing order of priority. Note, however, that a consumer-level limit only works when an authentication plug-in (key-auth here) is enabled, because that is what tells Kong which consumer is making the call; otherwise the consumer-level limit does not take effect.

At this time we have four rate-limiting configurations on Kong: global 5/s, service level 10/s, route level 6/s, and consumer level 7/s. 11 requests are initiated within one second, and the responses are as follows:

If we disable the key-auth plug-in, we find that the consumer-level limit no longer works.

Testing again with 11 requests shows that the rate-limiting configuration now in effect is the route-level one!
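As an added example (not part of the original post), the 11-request bursts used in the tests above, including the consumer-level test, can be fired from the shell instead of Postman and the 200 versus 429 responses tallied. It assumes the Kong proxy listens on http://localhost:8000 and that the route is matched by the path /first_route; both are assumptions, as is the `apikey` header (key-auth's default header name).

```shell
#!/bin/sh
# Added example, not from the original post: a curl replacement for the Postman batch run.
# Assumptions: proxy at http://localhost:8000 and a route matched by /first_route.
PROXY_URL="${KONG_PROXY:-http://localhost:8000}"
ROUTE_PATH="${ROUTE_PATH:-/first_route}"
APIKEY="${APIKEY:-}"   # key-auth credential for jsmith when the key-auth plug-in is enabled

# Fire $1 requests back-to-back (well inside one second on localhost) and print
# one HTTP status code per line. With key-auth enabled, the apikey header identifies
# the consumer, which is what lets the consumer-level limit apply.
send_burst() {
  count=$1
  i=0
  while [ "$i" -lt "$count" ]; do
    if [ -n "$APIKEY" ]; then
      curl -s -o /dev/null -w '%{http_code}\n' -H "apikey: $APIKEY" "$PROXY_URL$ROUTE_PATH"
    else
      curl -s -o /dev/null -w '%{http_code}\n' "$PROXY_URL$ROUTE_PATH"
    fi
    i=$((i + 1))
  done
}

# Tally status codes read from stdin: 200 = passed the limit, 429 = rejected with
# "API rate limit exceeded" (error_code 429 in the plug-in config above); anything
# else counts as "other" (e.g. 401 when key-auth rejects a missing key, 000 when
# curl cannot connect).
tally() {
  awk '$1 == 200 { p++ } $1 == 429 { l++ } $1 != 200 && $1 != 429 { o++ }
       END { printf "passed=%d limited=%d other=%d\n", p, l, o }'
}

# Only hit the gateway when KONG_PROXY is set explicitly, so the file is safe to source.
if [ -n "${KONG_PROXY:-}" ]; then
  send_burst "${BURST:-11}" | tally
fi
```

With the configurations from this post in place, `KONG_PROXY=http://localhost:8000 APIKEY=<key> sh burst.sh` should report passed=7 limited=4, and passed=6 limited=5 once key-auth is disabled.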


Origin blog.csdn.net/zhangshenglu1/article/details/130948903