Set-style API
Use the set-style API to configure your rate limiting rules.
Before you begin
Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.
Get the external address of the gateway and save it in an environment variable.
```sh
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS
```

Alternatively, for local testing, port-forward the gateway proxy:

```sh
kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
```
Request headers
You can rate limit requests based on certain request headers.
Create a RateLimitConfig to define your rate limiting rules. In the following example, you create a policy that rate limits requests to one request per minute for requests with an `x-type` header.

```sh
kubectl apply -f - <<EOF
apiVersion: ratelimit.solo.io/v1alpha1
kind: RateLimitConfig
metadata:
  name: ratelimit-config
  namespace: gloo-system
spec:
  raw:
    setDescriptors:
    - simpleDescriptors:
      - key: type
        value:
      rateLimit:
        requestsPerUnit: 1
        unit: MINUTE
    rateLimits:
    - setActions:
      - requestHeaders:
          descriptorKey: type
          headerName: x-type
EOF
```

Create a RouteOption resource that references the RateLimitConfig that you created.
```sh
kubectl apply -f- <<EOF
apiVersion: gateway.solo.io/v1
kind: RouteOption
metadata:
  name: ratelimit
  namespace: httpbin
spec:
  options:
    rateLimitConfigs:
      refs:
      - name: ratelimit-config
        namespace: gloo-system
EOF
```

Create an HTTPRoute resource for the httpbin app that applies the RouteOption resource that you created and rate limits requests on the `ratelimit.example` domain.

```sh
kubectl apply -f- <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: httpbin-ratelimit
  namespace: httpbin
spec:
  parentRefs:
  - name: http
    namespace: gloo-system
  hostnames:
  - ratelimit.example
  rules:
  - filters:
    - type: ExtensionRef
      extensionRef:
        group: gateway.solo.io
        kind: RouteOption
        name: ratelimit
    backendRefs:
    - name: httpbin
      port: 8000
EOF
```

Send a few requests to the httpbin app on the `ratelimit.example` domain. Verify that your first request succeeds and you get back a 200 HTTP response code. Because you limited requests to one request per minute, subsequent requests within the same minute fail with a 429 HTTP response code.

With the gateway address:

```sh
curl -v http://$INGRESS_GW_ADDRESS:8080/status/200 -H "host: ratelimit.example:8080" -H "x-type: mytype"
```

With port-forwarding:

```sh
curl -v localhost:8080/status/200 -H "host: ratelimit.example" -H "x-type: mytype"
```

Example output for a successful response:
```
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< access-control-allow-credentials: true
< access-control-allow-origin: *
< date: Mon, 22 Apr 2024 18:36:31 GMT
< content-length: 0
< x-envoy-upstream-service-time: 0
< server: envoy
```

Example output when rate limited:
```
* Mark bundle as not supporting multiuse
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< date: Mon, 22 Apr 2024 18:33:09 GMT
< server: envoy
< content-length: 0
```

Change the RateLimitConfig resource to rate limit requests based on a specific header value. In the following example, the rate limiting rule is applied to the `x-type: exact-value` request header.

```sh
kubectl apply -f - <<EOF
apiVersion: ratelimit.solo.io/v1alpha1
kind: RateLimitConfig
metadata:
  name: ratelimit-config
  namespace: gloo-system
spec:
  raw:
    setDescriptors:
    - simpleDescriptors:
      - key: type
        value: exact-value
      rateLimit:
        requestsPerUnit: 1
        unit: MINUTE
    rateLimits:
    - setActions:
      - requestHeaders:
          descriptorKey: type
          headerName: x-type
EOF
```

Send a few requests to the httpbin app on the `ratelimit.example` domain and include the `x-type: mytype` request header. Verify that your requests succeed and no rate limiting rules are applied.

With the gateway address:

```sh
curl -v http://$INGRESS_GW_ADDRESS:8080/status/200 -H "host: ratelimit.example:8080" -H "x-type: mytype"
```

With port-forwarding:

```sh
curl -v localhost:8080/status/200 -H "host: ratelimit.example" -H "x-type: mytype"
```

Example output for a successful response:
```
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< access-control-allow-credentials: true
< access-control-allow-origin: *
< date: Mon, 22 Apr 2024 18:36:31 GMT
< content-length: 0
< x-envoy-upstream-service-time: 0
< server: envoy
```

Send a few more requests to the httpbin app. This time, include the `x-type: exact-value` request header. Verify that the first request succeeds, but subsequent requests are rate limited.

With the gateway address:

```sh
curl -v http://$INGRESS_GW_ADDRESS:8080/status/200 -H "host: ratelimit.example:8080" -H "x-type: exact-value"
```

With port-forwarding:

```sh
curl -v localhost:8080/status/200 -H "host: ratelimit.example" -H "x-type: exact-value"
```

Example output for a successful response:
```
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< access-control-allow-credentials: true
< access-control-allow-origin: *
< date: Mon, 22 Apr 2024 18:36:31 GMT
< content-length: 0
< x-envoy-upstream-service-time: 0
< server: envoy
```

Example output when rate limited:
```
* Mark bundle as not supporting multiuse
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< date: Mon, 22 Apr 2024 18:33:09 GMT
< server: envoy
< content-length: 0
```

Optional: Remove the resources that you created in this guide.
```sh
kubectl delete ratelimitconfig ratelimit-config -n gloo-system
kubectl delete routeoption ratelimit -n httpbin
kubectl delete httproute httpbin-ratelimit -n httpbin
```
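
The matching behaviour that the steps in this guide exercise, as an added example that is not part of the Gloo Gateway documentation or code: a small offline Python model of the two RateLimitConfig specs, useful for checking which requests a set-style rule actually covers. All function and class names, the per-value counter key, and the missing-header handling (modelled on Envoy's request_headers action) are assumptions of this model.

```python
# Offline model of the two RateLimitConfig specs on this page (constructed sample data).
# rateLimits[0].setActions is flattened to "setActions" to keep the model short.
ACTIONS = [{"requestHeaders": {"descriptorKey": "type", "headerName": "x-type"}}]
LIMIT = {"requestsPerUnit": 1, "unit": "MINUTE"}
ANY_VALUE = {"setActions": ACTIONS, "setDescriptors": [
    {"simpleDescriptors": [{"key": "type", "value": None}], "rateLimit": LIMIT}]}
EXACT_VALUE = {"setActions": ACTIONS, "setDescriptors": [
    {"simpleDescriptors": [{"key": "type", "value": "exact-value"}], "rateLimit": LIMIT}]}
UNIT_SECONDS = {"SECOND": 1, "MINUTE": 60, "HOUR": 3600, "DAY": 86400}


def descriptors_from_headers(set_actions, headers):
    """Build the request's descriptor set from the requestHeaders actions.
    Assumption (Envoy request_headers behaviour): if a header is absent,
    no descriptor set is sent and the request is not counted."""
    descriptors = {}
    for action in set_actions:
        rh = action["requestHeaders"]
        if rh["headerName"] not in headers:
            return None
        descriptors[rh["descriptorKey"]] = headers[rh["headerName"]]
    return descriptors


def match_rule(set_descriptors, descriptors):
    """Index of the first rule whose simpleDescriptors are all contained in
    the request's set; an empty value matches any value for that key."""
    for idx, rule in enumerate(set_descriptors):
        if all(sd["key"] in descriptors
               and sd["value"] in (None, descriptors[sd["key"]])
               for sd in rule["simpleDescriptors"]):
            return idx
    return None


class FixedWindowLimiter:
    def __init__(self, spec):
        self.spec, self.counters = spec, {}

    def check(self, headers, now):
        """Return the HTTP status the model answers with at time `now` (seconds)."""
        descriptors = descriptors_from_headers(self.spec["setActions"], headers)
        idx = None if descriptors is None else match_rule(self.spec["setDescriptors"], descriptors)
        if idx is None:
            return 200  # no rule covers this request
        rule = self.spec["setDescriptors"][idx]
        window = int(now // UNIT_SECONDS[rule["rateLimit"]["unit"]])
        # Assumption: one counter per rule and per matched value set.
        key = (idx, tuple(descriptors[sd["key"]] for sd in rule["simpleDescriptors"]), window)
        self.counters[key] = self.counters.get(key, 0) + 1
        return 429 if self.counters[key] > rule["rateLimit"]["requestsPerUnit"] else 200
```

Running the model against `EXACT_VALUE` shows that only requests carrying `x-type: exact-value` are counted; any other value, or no `x-type` header at all, is not covered by the rule.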