Skip to content

Commit

Permalink
limitCountRedis: add option to disable x-envoy-ratelimited (#835)
Browse files Browse the repository at this point in the history
* feat: use enable_limit_quota_headers as ratelimited option

* feat: add disable_x_envoy_ratelimited_header option

* feat: update doc

* feat: lint-markdown
  • Loading branch information
yizhibian authored Jan 16, 2025
1 parent 085cce2 commit b99be34
Show file tree
Hide file tree
Showing 7 changed files with 66 additions and 41 deletions.
4 changes: 4 additions & 0 deletions plugins/plugins/limitcountredis/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,10 @@ func TestConfig(t *testing.T) {
name: "pass",
input: `{"address":"127.0.0.1:6479", "rules":[{"count":1,"timeWindow":"1s"}], "prefix":"test"}`,
},
{
name: "disable x-envoy-ratelimited header",
input: `{"address":"127.0.0.1:6479", "rules":[{"count":1,"timeWindow":"1s"}], "prefix":"test", "disable_x_envoy_ratelimited_header": true}`,
},
}

for _, tt := range tests {
Expand Down
5 changes: 3 additions & 2 deletions plugins/plugins/limitcountredis/filter.go
Original file line number Diff line number Diff line change
Expand Up @@ -161,8 +161,9 @@ func (f *filter) DecodeHeaders(headers api.RequestHeaderMap, endStream bool) api
remain := ress[2*i].(int64)
if remain < 0 {
hdr := http.Header{}
// TODO: add option to disable x-envoy-ratelimited
hdr.Set("x-envoy-ratelimited", "true")
if !config.DisableXEnvoyRatelimitedHeader {
hdr.Set("x-envoy-ratelimited", "true")
}
status := 429
if config.RateLimitedStatus >= 400 { // follow the behavior of Envoy
status = int(config.RateLimitedStatus)
Expand Down
34 changes: 18 additions & 16 deletions site/content/en/docs/reference/plugins/limit_count_redis.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,22 +16,24 @@ The `limitCountRedis` plugin implements a global fixed window rate-limiting by s

## Configuration

| Name | Type | Required | Validation | Description |
|-------------------------|-------------------------------------|----------|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| address | string | False | | Redis address. Only one of `address` and `cluster` can be configured. |
| cluster | Cluster | False | | Redis cluster configuration. Only one of `address` and `cluster` can be configured. |
| prefix | string | True | min_len: 1, max_len: 128 | The prefix will be used as the prefix of Redis key. This field is introduced so that the recreation of the route won't reset the counter as the new limiter will use the same key as the previous one. Normally, put a random string in it is enough. To share the limit counters across multiple routes, we can use the same prefix. In this case, ensure the configurations of `limitCountRedis` plugin in these routes are the same. |
| rules | Rule | True | min_items: 1, max_items: 8 | Rules |
| failureModeDeny | boolean | False | | By default, if access to Redis fails, the request is allowed through. When true, it denies the request. |
| enableLimitQuotaHeaders | boolean | False | | Whether to set response headers related to rate-limiting quotas |
| username | string | False | | Username for accessing Redis |
| password | string | False | | Password for accessing Redis |
| tls | boolean | False | | Whether to access Redis over TLS |
| tlsSkipVerify | boolean | False | | Whether to skip verification when accessing Redis over TLS |
| statusOnError | [StatusCode](../type.md#statuscode) | False | | The status code used to deny requests when Redis is inaccessible and `failureModeDeny` is true. Defaults to 500. |
| rateLimitedStatus | [StatusCode](../type.md#statuscode) | False | | The status code for responses denied due to rate-limiting. Defaults to 429. This setting only takes effect when it's 400 or above. |

Each rule's count is independent. Rate-limiting action is triggered once any rule's quota is exhausted. Responses that are denied due to rate-limiting will include the header `x-envoy-ratelimited: true`. If `enableLimitQuotaHeaders` is set to `true` and accessing to redis succeed, all responses will include the following three headers:
| Name | Type | Required | Validation | Description |
|--------------------------------|-------------------------------------|----------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| address | string | False | | Redis address. Only one of `address` and `cluster` can be configured. |
| cluster | Cluster | False | | Redis cluster configuration. Only one of `address` and `cluster` can be configured. |
| prefix | string | True | min_len: 1, max_len: 128 | The prefix will be used as the prefix of Redis key. This field is introduced so that the recreation of the route won't reset the counter as the new limiter will use the same key as the previous one. Normally, put a random string in it is enough. To share the limit counters across multiple routes, we can use the same prefix. In this case, ensure the configurations of `limitCountRedis` plugin in these routes are the same. |
| rules | Rule | True | min_items: 1, max_items: 8 | Rules |
| failureModeDeny | boolean | False | | By default, if access to Redis fails, the request is allowed through. When true, it denies the request. |
| enableLimitQuotaHeaders | boolean | False | | Whether to set response headers related to rate-limiting quotas |
| username | string | False | | Username for accessing Redis |
| password | string | False | | Password for accessing Redis |
| tls | boolean | False | | Whether to access Redis over TLS |
| tlsSkipVerify | boolean | False | | Whether to skip verification when accessing Redis over TLS |
| statusOnError | [StatusCode](../type.md#statuscode) | False | | The status code used to deny requests when Redis is inaccessible and `failureModeDeny` is true. Defaults to 500. |
| rateLimitedStatus | [StatusCode](../type.md#statuscode) | False | | The status code for responses denied due to rate-limiting. Defaults to 429. This setting only takes effect when it's 400 or above. |
| disableXEnvoyRatelimitedHeader | bool | False | | Whether to disable the `x-envoy-ratelimited` response header when rate limiting is triggered |


Each rule's count is independent. Rate-limiting action is triggered once any rule's quota is exhausted. Responses that are denied due to rate-limiting will include the header `x-envoy-ratelimited: true`(which can be disabled by config). If `enableLimitQuotaHeaders` is set to `true` and accessing to redis succeed, all responses will include the following three headers:

* `x-ratelimit-limit`: Represents the applied rate-limiting rule. The format is "the rule with the least remaining quota, (rule quota;w=time window){one or more rules}", e.g., `2, 2;w=60`.
* `x-ratelimit-remaining`: Represents the remaining quota of the rule with the least remaining quota, with a minimum value of `0`.
Expand Down
Loading

0 comments on commit b99be34

Please sign in to comment.