Redis Throttle Middleware
This is a fork of the Rack Throttle middleware
that provides logic for rate-limiting incoming HTTP requests to Rack applications using
Redis as storage system. You can use Rack::RedisThrottle with any Ruby web framework based
on Rack, including Ruby on Rails 3.0 and Sinatra. This gem was designed to experiment rate
limit with Rails 3.x and Doorkeeper.
Thanks to Open Source
Redis Throttle Middleware come to life thanks to the work I've made in Lelylan, an open source microservices architecture for the Internet of Things. If this project helped you in any way, think about giving us a star on Github.
Features
- Works only with Redis.
- Automatically deploy by setting
ENV['REDIS_RATE_LIMIT_URL']. - When the Redis connection is not available redis throttle skips the rate limit check (it does not blow up).
- Automatically adds
X-RateLimit-LimitandX-RateLimit-Remainingheaders. - Set MockRedis while running your tests
Requirements
Redis Throttle is tested against MRI 1.9.3, 2.0, and 2.1.x.
Installation
Update your gem file and run bundle
gem 'redis-throttle', git: 'git://github.com/lelylan/redis-throttle.git'Rails Example
# At the top of config/application.rb
require 'rack/redis_throttle'
# Inside the class of config/application.rb
class Application < Rails::Application
# Limit the daily number of requests to 2500
config.middleware.use Rack::RedisThrottle::Daily, max: 2500
endSinatra example
#!/usr/bin/env ruby -rubygems
require 'sinatra'
require 'rack/throttle'
use Rack::Throttle::Daily, max: 2500Rack app example
#!/usr/bin/env rackup
require 'rack/throttle'
use Rack::Throttle::Daily max: 2500
run lambda { |env| [200, {'Content-Type' => 'text/plain'}, "Hello, world!\n"] }Customizations
You can fully customize the implementation details of any of these strategies by simply subclassing one of the default implementations.
In our example we want to reach these goals:
- We want to use Doorkeper as authorization system (OAuth2)
- The number of daily requests are based on the user id and not the IP
address (default in
Rack::RedisThrottle) - The number of daily requests is dynamically set per user by the
user#rate_limitfield.
Now subclass Rack::RedisThrottle::Daily, create your own rules and use it in your Rails app
# /lib/middlewares/daily_rate_limit
require 'rack/redis_throttle'
class DailyRateLimit < Rack::RedisThrottle::Daily
def call(env)
@user_rate_limit = user_rate_limit(env)
super
end
def client_identifier(request)
@user_rate_limit.respond_to?(:_id) ? @user_rate_limit._id : 'user-unknown'
end
def max_per_window(request)
@user_rate_limit.respond_to?(:rate_limit) ? @user_rate_limit.rate_limit : 1000
end
# Rate limit only requests sending the access token
def need_protection?(request)
request.env.has_key?('HTTP_AUTHORIZATION')
end
private
def user_rate_limit(env)
request = Rack::Request.new(env)
token = request.env['HTTP_AUTHORIZATION'].split(' ')[-1]
access_token = Doorkeeper::AccessToken.where(token: token).first
access_token ? User.find(access_token.resource_owner_id) : nil
end
endNow you can use it in your Rails App.
# config/application.rb
module App
class Application < Rails::Application
# Puts your rate limit middleware as high as you can in your middleware stack
config.middleware.insert_after Rack::Lock, 'DailyRateLimit'Rate limit headers
Rack::RedisThrottle automatically sets two rate limits headers to let the
client know the max number of requests and the one availables.
HTTP/1.1 200 OK
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4999
When you exceed the API calls limit your request is forbidden.
HTTP/1.1 403 Forbidden
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 0
Testing your apps
While testing your Rack app Mock the redis connection by requiring this file
# Rate limit fake redis connection
require 'rack/redis_throttle/testing/connection'HTTP client identification
The rate-limiting counters stored and maintained by Rack::RedisThrottle are
keyed to unique HTTP clients. By default, HTTP clients are uniquely identified
by their IP address as returned by Rack::Request#ip. If you wish to instead
use a more granular, application-specific identifier such as a session key or
a user account name, you need only subclass a throttling strategy implementation
and override the #client_identifier method.
HTTP Response Codes and Headers
When a client exceeds their rate limit, Rack::RedisThrottle by default returns
a "403 Forbidden" response with an associated "Rate Limit Exceeded" message
in the response body. If you need personalize it, for example with a
JSON message.
def http_error(request, code, message = nil, headers = {})
[ code, { 'Content-Type' => 'application/json' }.merge(headers), [body(request).to_json] ]
end
def body(request)
{
status: 403,
method: request.env['REQUEST_METHOD'],
request: "#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['PATH_INFO']}",
description: 'Rate limit exceeded',
daily_rate_limit: max_per_window(request)
}
endNotes
Testing coverage
Only Rack::RedisThrottle::Daily has a test suite. We will cover all
the gem whenever I'll find more time and I'll see it being used widely.
Contributing
Fork the repo on github and send a pull requests with topic branches. Do not forget to provide specs to your contribution.
Running specs
- Fork and clone the repository.
- Run
gem install bundlerto get the latest for the gemset. - Run
bundle installfor dependencies. - Run
bundle exec guardand press enter to execute all specs.
Spec guidelines
Follow betterspecs.org guidelines.
Coding guidelines
Follow github guidelines.
Feedback
Use the issue tracker for bugs. Mail or Tweet us for any idea that can improve the project.
Links
- GIT Repository
- Initial inspiration from Martinciu's dev blog
Authors
Andrea Reginato Thanks to Lelylan for letting me share the code.
Contributors
Special thanks to the following people for submitting patches.
Changelog
See CHANGELOG
Copyright
Redis Throttle is free and unencumbered public domain software. See LICENCE