Before you begin

  1. Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable.

Request headers

You can rate limit requests based on certain request headers.

  1. Create a RateLimitConfig to define your rate limiting rules. The following example creates a policy that limits requests that carry an x-type header to one request per minute. The descriptor value is left empty, so the rule does not depend on the header's value.

    kubectl apply -f - <<EOF
    apiVersion: ratelimit.solo.io/v1alpha1
    kind: RateLimitConfig
    metadata:
      name: ratelimit-config
      namespace: gloo-system
    spec:
      raw:
        setDescriptors:
        - simpleDescriptors:
          - key: type
            value: 
          rateLimit:
            requestsPerUnit: 1
            unit: MINUTE
        rateLimits:
          - setActions:
            - requestHeaders:
                descriptorKey: type
                headerName: x-type
    EOF
      
  2. Create a RouteOption resource that references the RateLimitConfig that you created.

    kubectl apply -f- <<EOF
    apiVersion: gateway.solo.io/v1
    kind: RouteOption
    metadata:
      name: ratelimit
      namespace: httpbin
    spec:
      options:
        rateLimitConfigs:
          refs:
          - name: ratelimit-config
            namespace: gloo-system
    EOF
      
  3. Create an HTTPRoute resource for the httpbin app that applies the RouteOption resource that you created and rate limits requests on the ratelimit.example domain.

    kubectl apply -f- <<EOF
    apiVersion: gateway.networking.k8s.io/v1beta1
    kind: HTTPRoute
    metadata:
      name: httpbin-ratelimit
      namespace: httpbin
    spec:
      parentRefs:
      - name: http
        namespace: gloo-system
      hostnames:
        - ratelimit.example
      rules:
        - filters:
            - type: ExtensionRef
              extensionRef:
                group: gateway.solo.io
                kind: RouteOption
                name: ratelimit
          backendRefs:
            - name: httpbin
              port: 8000
    EOF
      
  4. Send a few requests to the httpbin app on the ratelimit.example domain. Verify that your first request succeeds and you get back a 200 HTTP response code. Because you limited requests to one request per minute, subsequent requests within the same minute fail with a 429 HTTP response code.

    Example output for a successful response:

    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < access-control-allow-credentials: true
    < access-control-allow-origin: *
    < date: Mon, 22 Apr 2024 18:36:31 GMT
    < content-length: 0
    < x-envoy-upstream-service-time: 0
    < server: envoy
      

    Example output when rate limited:

    * Mark bundle as not supporting multiuse
    < HTTP/1.1 429 Too Many Requests
    < x-envoy-ratelimited: true
    < date: Mon, 22 Apr 2024 18:33:09 GMT
    < server: envoy
    < content-length: 0
      
  5. Change the RateLimitConfig resource to rate limit requests based on a specific header value. In the following example, the rate limiting rule is applied to the x-type: exact-value request header.

    kubectl apply -f - <<EOF
    apiVersion: ratelimit.solo.io/v1alpha1
    kind: RateLimitConfig
    metadata:
      name: ratelimit-config
      namespace: gloo-system
    spec:
      raw:
        setDescriptors:
        - simpleDescriptors:
          - key: type
            value: exact-value
          rateLimit:
            requestsPerUnit: 1
            unit: MINUTE
        rateLimits:
          - setActions:
            - requestHeaders:
                descriptorKey: type
                headerName: x-type
    EOF
      
  6. Send a few requests to the httpbin app on the ratelimit.example domain and include the x-type: mytype request header. Verify that your requests succeed and that no rate limiting rules are applied, because mytype does not match the exact-value descriptor.

    Example output for a successful response:

    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < access-control-allow-credentials: true
    < access-control-allow-origin: *
    < date: Mon, 22 Apr 2024 18:36:31 GMT
    < content-length: 0
    < x-envoy-upstream-service-time: 0
    < server: envoy
      
  7. Send a few more requests to the httpbin app. This time, include the x-type: exact-value request header. Verify that the first request succeeds, but subsequent requests are rate limited.

    Example output for a successful response:

    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < access-control-allow-credentials: true
    < access-control-allow-origin: *
    < date: Mon, 22 Apr 2024 18:36:31 GMT
    < content-length: 0
    < x-envoy-upstream-service-time: 0
    < server: envoy
      

    Example output when rate limited:

    * Mark bundle as not supporting multiuse
    < HTTP/1.1 429 Too Many Requests
    < x-envoy-ratelimited: true
    < date: Mon, 22 Apr 2024 18:33:09 GMT
    < server: envoy
    < content-length: 0
      
  8. Optional: Remove the resources that you created in this guide.

    kubectl delete ratelimitconfig ratelimit-config -n gloo-system
    kubectl delete routeoption ratelimit -n httpbin
    kubectl delete httproute httpbin-ratelimit -n httpbin
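
To check the responses from steps 4, 6, and 7 without reading curl output by hand, run the following script before the cleanup in step 8; it sends requests with a chosen x-type value and classifies the returned status codes. It is an added example, not part of the Gloo Gateway documentation: GATEWAY_URL is an assumed variable name for the gateway address saved in "Before you begin", and /status/200 is httpbin's fixed-status endpoint.

```sh
#!/bin/sh
# Added example. GATEWAY_URL is an assumed name, e.g. http://<address>:<port>.

# Send one request with the given x-type value; print only the status code.
send_request() {
  curl -s -o /dev/null -w '%{http_code}' \
    -H 'host: ratelimit.example' -H "x-type: $1" \
    "${GATEWAY_URL}/status/200"
}

# collect_codes SENDER VALUE COUNT
# Call SENDER with VALUE COUNT times; print the codes separated by spaces.
collect_codes() {
  cc_codes="" cc_i=0
  while [ "$cc_i" -lt "$3" ]; do
    cc_codes="$cc_codes $("$1" "$2")"
    cc_i=$((cc_i + 1))
  done
  printf '%s\n' "${cc_codes# }"
}

# classify_codes CODE...
#   limited     first request 200, every later request 429 (rule matched)
#   unlimited   every request 200 (no descriptor matched the header value)
#   unexpected  anything else, such as a 404 or a window that is already used up
classify_codes() {
  [ "$#" -ge 2 ] || { echo unexpected; return 0; }
  cl_first=$1; shift
  cl_rest_200=1 cl_rest_429=1
  for cl_code in "$@"; do
    [ "$cl_code" = 200 ] || cl_rest_200=0
    [ "$cl_code" = 429 ] || cl_rest_429=0
  done
  if [ "$cl_first" != 200 ]; then echo unexpected
  elif [ "$cl_rest_429" = 1 ]; then echo limited
  elif [ "$cl_rest_200" = 1 ]; then echo unlimited
  else echo unexpected; fi
}

# Against a live gateway, with the step 5 config applied:
#   classify_codes $(collect_codes send_request exact-value 3)   # step 7
#   classify_codes $(collect_codes send_request mytype 3)        # step 6
```

A result of unexpected immediately after an earlier run usually means the one-minute window has not reset yet; wait a minute and run the check again.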