RateLimit
- Configuration Example
- Configuration Options
  - average
  - burst
  - sourceCriterion
    - sourceCriterion.ipStrategy
      - ipStrategy.depth
      - ipStrategy.excludedIPs
    - sourceCriterion.requestHeaderName
    - sourceCriterion.requestHost

RateLimit

To Control the Number of Requests Going to a Service

The RateLimit middleware ensures that services will receive a fair number of requests, and allows you define what is fair.

Configuration Example

Docker

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"

Kubernetes

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  rateLimit:
      average: 100
      burst: 50

Marathon

"labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "50"
}

Rancher

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"

File (TOML)

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
[http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
    average = 100
    burst = 50

File (YAML)

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
http:
  middlewares:
    test-ratelimit:
      rateLimit:
        average: 100
        burst: 50

Configuration Options

average

Average is the maximum rate, in requests/s, allowed for the given source.It defaults to 0, which means no rate limiting.

Docker

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  rateLimit:
      average: 100

Marathon

"labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.average": "100",
}

Rancher

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"

File (TOML)

[http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
    average = 100

File (YAML)

http:
  middlewares:
    test-ratelimit:
      rateLimit:
        average: 100

burst

Burst is the maximum number of requests allowed to go through in the same arbitrarily small period of time.It defaults to 1.

Docker

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  rateLimit:
      burst: 100

Marathon

"labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.burst": "100",
}

Rancher

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"

File (TOML)

[http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
    burst = 100

File (YAML)

http:
  middlewares:
    test-ratelimit:
      rateLimit:
        burst: 100

sourceCriterion

SourceCriterion defines what criterion is used to group requests as originating from a common source.The precedence order is ipStrategy, then requestHeaderName, then requestHost.If none are set, the default is to use the request's remote address field (as an ipStrategy).

sourceCriterion.ipStrategy

The ipStrategy option defines two parameters that sets how Traefik will determine the client IP: depth, and excludedIPs.

ipStrategy.depth

The depth option tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).

If depth is greater than the total number of IPs in X-Forwarded-For, then the client IP will be empty.
depth is ignored if its value is lesser than or equal to 0.

Example of Depth & X-Forwarded-For

If depth was equal to 2, and the request X-Forwarded-For header was "10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1" then the "real" client IP would be "10.0.0.1" (at depth 4) but the IP used as the criterion would be "12.0.0.1" (depth=2).

`X-Forwarded-For`	`depth`	clientIP
`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`	`1`	`"13.0.0.1"`
`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`	`3`	`"11.0.0.1"`
`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`	`5`	`""`

ipStrategy.excludedIPs

excludedIPs tells Traefik to scan the X-Forwarded-For header and pick the first IP not in the list.

Important

If depth is specified, excludedIPs is ignored.

Example of ExcludedIPs & X-Forwarded-For

`X-Forwarded-For`	`excludedIPs`	clientIP
`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`	`"12.0.0.1,13.0.0.1"`	`"11.0.0.1"`
`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`	`"15.0.0.1,13.0.0.1"`	`"12.0.0.1"`
`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`	`"10.0.0.1,13.0.0.1"`	`"12.0.0.1"`
`"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"`	`"15.0.0.1,16.0.0.1"`	`"13.0.0.1"`
`"10.0.0.1,11.0.0.1"`	`"10.0.0.1,11.0.0.1"`	`""`

Docker

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  rateLimit:
    sourceCriterion:
      ipStrategy:
        excludedIPs:
        - 127.0.0.1/32
        - 192.168.1.7

Rancher

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"

Marathon

"labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips": "127.0.0.1/32, 192.168.1.7"
}

File (TOML)

[http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
      excludedIPs = ["127.0.0.1/32", "192.168.1.7"]

File (YAML)

http:
  middlewares:
    test-ratelimit:
      rateLimit:
        sourceCriterion:
          ipStrategy:
            excludedIPs:
            - "127.0.0.1/32"
            - "192.168.1.7"

sourceCriterion.requestHeaderName

Requests having the same value for the given header are grouped as coming from the same source.

Docker

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  rateLimit:
    sourceCriterion:
      requestHeaderName: username

Rancher

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"

Marathon

"labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername": "username"
}

File (TOML)

[http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
      requestHeaderName = "username"

File (YAML)

http:
  middlewares:
    test-ratelimit:
      rateLimit:
        sourceCriterion:
          requestHeaderName: username

sourceCriterion.requestHost

Whether to consider the request host as the source.

Docker

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"

Kubernetes

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  rateLimit:
    sourceCriterion:
      requestHost: true

Rancher

labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"

Marathon

"labels": {
  "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost": "true"
}

File (TOML)

[http.middlewares]
  [http.middlewares.test-ratelimit.rateLimit]
    [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
      requestHost = true

File (YAML)

http:
  middlewares:
    test-ratelimit:
      rateLimit:
        sourceCriterion:
          requestHost: true