Local Ratelimit
Rate limiting is used to control the rate of requests sent or received by a network interface controller, which is helpful to prevent DoS attacks and limit web scraping.
Envoy supports both local (non-distributed) and global rate limiting, and two types for local rate limiting:
L4 connections via the local rate limit filter
HTTP requests via the HTTP local rate limit filter
This sandbox provides an example of rate limiting of L4 connections.
Step 1: Start all of our containers
Change to the examples/local_ratelimit
directory and bring up the docker composition.
$ pwd
envoy/examples/ratelimit
$ docker compose pull
$ docker compose up --build -d
$ docker compose ps
Name Command State Ports
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ratelimtit_envoy-stat_1 /docker-entrypoint.sh /usr ... Up 0.0.0.0:10000->10000/tcp,:::10000->10000/tcp, 0.0.0.0:9901->9901/tcp,:::9901->9901/tcp, 0.0.0.0:9902->9902/tcp,:::9902->9902/tcp
ratelimtit_service_1 /docker-entrypoint.sh ngin ... Up 80/tcp
Step 2: Test rate limiting of upstream service
The sandbox is configured with 10000
port for upstream service.
If a request reaches the rate limit, Envoy will add x-local-rate-limit
header and refuse the connection with a 429 HTTP response code and with the content local_rate_limited
.
Now, use curl
to make a request five times for the limited upstream service:
$ for i in {1..5}; do curl -si localhost:10000 | grep -E "x-local-rate-limit|429|local_rate_limited"; done
HTTP/1.1 429 Too Many Requests
x-local-rate-limit: true
local_rate_limited
HTTP/1.1 429 Too Many Requests
x-local-rate-limit: true
local_rate_limited
HTTP/1.1 429 Too Many Requests
x-local-rate-limit: true
local_rate_limited
The first two requests get responses, and the remaining requests are refused with expected responses.
Step 3: Test rate limiting of Envoy’s statistics
The sandbox is configured with two ports serving Envoy’s admin and statistics interface:
9901
exposes the standard admin interface9902
exposes a rate limitied version of the admin interface
Use curl
to make a request five times for unlimited statistics on port 9901
, it should not contain any rate limiting responses:
$ for i in {1..5}; do curl -si localhost:9901/stats/prometheus | grep -E "x-local-rate-limit|429|local_rate_limited"; done
Now, use curl
to make a request five times for the limited statistics:
$ for i in {1..5}; do curl -si localhost:9902/stats/prometheus | grep -E "x-local-rate-limit|429|local_rate_limited"; done
HTTP/1.1 429 Too Many Requests
x-local-rate-limit: true
local_rate_limited
HTTP/1.1 429 Too Many Requests
x-local-rate-limit: true
local_rate_limited
HTTP/1.1 429 Too Many Requests
x-local-rate-limit: true
local_rate_limited
See also
- global rate limiting
Reference documentation for Envoy’s global rate limiting.