Rate Limiting Policy Files
Configure rate limiting with a policy file.
The policy file consists of four key portions.
The first portion is matching criteria. If a request matches the criteria the rest of the policy is applied. The two parts of matching criteria are HTTP method and the request URL. The URL pattern supports wild cards. The HTTP method is a list of methods to match on, or the value of "*" to indicate that all HTTP methods must match. A single rate limiting policy can contain multiple matching criteria. For example, multiple URLs and methods. Each matching criteria will correspond to a single rate limiting bucket. In other words, the access rate for each matching criteria is treated separately.
All matching on URL and method is case insensitive.
resources:
- url: /pkmslogin.form
method:
- POST
method: POST If you want to match this configuration to every request the following
can be specified:
resources:
- url: "*"
method: "*"
resources:
- url: "*"
method:
- GET
- POST
resources:
- url: "/jct_a"
method: "*"
Once a request is matched, the configured values of cookies, headers, query string parameters, client IP, and credential attributes are included.
These criteria support wild cards for the value. When a match occurs the matched value is used to identify the request not the pattern. All matching is case insensitive.
When these values are matched and the request does not contain a specified header, cookie, query string parameter, or credential attribute, the request is not rate limited.
header:
Authorization: "Basic *"
header:
Authorization: "Bearer *"
PD-S-SESSION-ID
cookie:
cookie:
PD-S-SESSION-ID: "*"
query:
resource: 123
query:
resource: "*"
credential:
AZN_CRED_PRINCIPAL_NAME: "*"
credential:
oauth_token_client_id: "*"
ip: true
The matching information identified from the request, such as URL, Method, IP, cookies, headers, and query parameters are then built into a consistent lookup key.
A counter is kept for this value. This counter has two properties, the maximum value and how often the count is set down to zero. These values are controlled by two configuration properties; a capacity which indicates the number of requests that are allowed until rate limiting occurs and an interval which is the number of seconds that must pass until the capacity is reset.
capacity: 100
interval: 60
The length of time that matching requests are locked out, after the capacity is exceeded, can be set by using the lockout-time configuration entry. If the lockout-time configuration entry is not specified the capacity is not reset until the current interval has elapsed.
capacity: 100
interval: 60
lockout-time: 30
- CLOSE
- Closes the connection without any information written to the client.
- TEMPLATE
- Writing back the rate limiting template with the status code 429.
- IGNORE
- No action is taken, except the logging of the reaction if logging has been enabled.
- Specify URL
- A URL can be specified. This URL rewrites the request URL to the defined value. This is used to route a rate limited request to a dummy resource. This allows the concept of hosting a dummy resource which appears to produce the same functionality as the actual resource, only never actually making any change. The intent of this is to mislead a malicious client into thinking they are performing numerous operations while actually not having any negative impact. This can also be used to log a user out. For example, you can direct them to /pkmslogout to terminate their session.
reaction: CLOSE
reaction: TEMPLATE
reaction: /dummy-login
#
character.
Here is a full and commented policy file for rate limiting bearer token usage per client IP to 10
times / second:
resources:
- url: "*"
method:
- "*"
# Limit based on the authorization header, with a leading "Bearer " prefix:
header:
Authorization: "Bearer *"
# Tokens can be used 10 times in a second. If this number is exceeded
# matching requests will be locked out for 5 seconds.
capacity: 10
interval: 1
lockout-time: 5
# Include the IP of the client
ip: true
# Return the template if a client is rate-limited.
reaction: TEMPLATE