Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

limitCountRedis: add option to disable x-envoy-ratelimited #835

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

limitCountRedis: add option to disable x-envoy-ratelimited #835

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8c55999
feat: use enable_limit_quota_headers as ratelimited option
yizhibian Jan 10, 2025
c57842f
feat: add disable_x_envoy_ratelimited_header option
yizhibian Jan 11, 2025
19531ea
feat: update doc
yizhibian Jan 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions plugins/plugins/limitcountredis/config_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,10 @@ func TestConfig(t *testing.T) {
name: "pass",
input: `{"address":"127.0.0.1:6479", "rules":[{"count":1,"timeWindow":"1s"}], "prefix":"test"}`,
},
{
name: "disable x-envoy-ratelimited header",
input: `{"address":"127.0.0.1:6479", "rules":[{"count":1,"timeWindow":"1s"}], "prefix":"test", "disable_x_envoy_ratelimited_header": true}`,
},
}

for _, tt := range tests {
Expand Down
5 changes: 3 additions & 2 deletions plugins/plugins/limitcountredis/filter.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,8 +161,9 @@ func (f *filter) DecodeHeaders(headers api.RequestHeaderMap, endStream bool) api
remain := ress[2*i].(int64)
if remain < 0 {
hdr := http.Header{}
// TODO: add option to disable x-envoy-ratelimited
hdr.Set("x-envoy-ratelimited", "true")
if !config.DisableXEnvoyRatelimitedHeader {
hdr.Set("x-envoy-ratelimited", "true")
}
status := 429
if config.RateLimitedStatus >= 400 { // follow the behavior of Envoy
status = int(config.RateLimitedStatus)
Expand Down
34 changes: 18 additions & 16 deletions site/content/en/docs/reference/plugins/limit_count_redis.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,22 +16,24 @@ The `limitCountRedis` plugin implements a global fixed window rate-limiting by s

## Configuration

| Name | Type | Required | Validation | Description |
|-------------------------|-------------------------------------|----------|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| address | string | False | | Redis address. Only one of `address` and `cluster` can be configured. |
| cluster | Cluster | False | | Redis cluster configuration. Only one of `address` and `cluster` can be configured. |
| prefix | string | True | min_len: 1, max_len: 128 | The prefix will be used as the prefix of Redis key. This field is introduced so that the recreation of the route won't reset the counter as the new limiter will use the same key as the previous one. Normally, put a random string in it is enough. To share the limit counters across multiple routes, we can use the same prefix. In this case, ensure the configurations of `limitCountRedis` plugin in these routes are the same. |
| rules | Rule | True | min_items: 1, max_items: 8 | Rules |
| failureModeDeny | boolean | False | | By default, if access to Redis fails, the request is allowed through. When true, it denies the request. |
| enableLimitQuotaHeaders | boolean | False | | Whether to set response headers related to rate-limiting quotas |
| username | string | False | | Username for accessing Redis |
| password | string | False | | Password for accessing Redis |
| tls | boolean | False | | Whether to access Redis over TLS |
| tlsSkipVerify | boolean | False | | Whether to skip verification when accessing Redis over TLS |
| statusOnError | [StatusCode](../type.md#statuscode) | False | | The status code used to deny requests when Redis is inaccessible and `failureModeDeny` is true. Defaults to 500. |
| rateLimitedStatus | [StatusCode](../type.md#statuscode) | False | | The status code for responses denied due to rate-limiting. Defaults to 429. This setting only takes effect when it's 400 or above. |

Each rule's count is independent. Rate-limiting action is triggered once any rule's quota is exhausted. Responses that are denied due to rate-limiting will include the header `x-envoy-ratelimited: true`. If `enableLimitQuotaHeaders` is set to `true` and accessing to redis succeed, all responses will include the following three headers:
| Name | Type | Required | Validation | Description |
|--------------------------------|-------------------------------------|----------|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| address | string | False | | Redis address. Only one of `address` and `cluster` can be configured. |
| cluster | Cluster | False | | Redis cluster configuration. Only one of `address` and `cluster` can be configured. |
| prefix | string | True | min_len: 1, max_len: 128 | The prefix will be used as the prefix of Redis key. This field is introduced so that the recreation of the route won't reset the counter as the new limiter will use the same key as the previous one. Normally, put a random string in it is enough. To share the limit counters across multiple routes, we can use the same prefix. In this case, ensure the configurations of `limitCountRedis` plugin in these routes are the same. |
| rules | Rule | True | min_items: 1, max_items: 8 | Rules |
| failureModeDeny | boolean | False | | By default, if access to Redis fails, the request is allowed through. When true, it denies the request. |
| enableLimitQuotaHeaders | boolean | False | | Whether to set response headers related to rate-limiting quotas |
| username | string | False | | Username for accessing Redis |
| password | string | False | | Password for accessing Redis |
| tls | boolean | False | | Whether to access Redis over TLS |
| tlsSkipVerify | boolean | False | | Whether to skip verification when accessing Redis over TLS |
| statusOnError | [StatusCode](../type.md#statuscode) | False | | The status code used to deny requests when Redis is inaccessible and `failureModeDeny` is true. Defaults to 500. |
| rateLimitedStatus | [StatusCode](../type.md#statuscode) | False | | The status code for responses denied due to rate-limiting. Defaults to 429. This setting only takes effect when it's 400 or above. |
| disableXEnvoyRatelimitedHeader | bool | False | | Whether to disable the `x-envoy-ratelimited` response header when rate limiting is triggered | |


Each rule's count is independent. Rate-limiting action is triggered once any rule's quota is exhausted. Responses that are denied due to rate-limiting will include the header `x-envoy-ratelimited: true`(which can be disabled by config). If `enableLimitQuotaHeaders` is set to `true` and accessing to redis succeed, all responses will include the following three headers:

* `x-ratelimit-limit`: Represents the applied rate-limiting rule. The format is "the rule with the least remaining quota, (rule quota;w=time window){one or more rules}", e.g., `2, 2;w=60`.
* `x-ratelimit-remaining`: Represents the remaining quota of the rule with the least remaining quota, with a minimum value of `0`.
Expand Down
Loading
Loading