Comments (8)
Rate limiter has now been switched to use a rolling window. Still supports multiple processes (transaction MULTI) and can't be gamed by straddling the TTL since it uses a rolling record of request history in a sorted set, so straddling TTL will fail because request count follows the rate limit period window.
from tyk.
One more potential issue (I hope it's a bug and not a feature):
Let's say you have a rate of 1000 per 60 seconds.
- Make a single request
- Wait 58 seconds
- Make 998 requests
- Wait 2 seconds
- Make 999 requests
1,997 requests will be made in a period of 4 seconds and all will succeed.
I would like to see rate limiting prevent more than X requests over a given Y period. Instead of having the bucket completely emptied when the time elapses, the bucket can be slowly drained every second in order to prevent a burst of double the rate in a short time period.
from tyk.
Hi,
- Yes, this is true; it is used in reporting though, we will eventually phase it out
- Also aware of this one, and it should be simple to fix
General question: we only put quota thresholds in the response header because throttle thresholds change so quickly and would be different across parallelised responses.
But yes it could be added, we've just not seen the need for it yet.
On 13 Mar 2015, at 05:31, Thomas Peters [email protected] wrote:
According to Access Control (v1.5), allowance and rate should be set to the same value.
I'm seeing two issues:
allowance is never actually used. AFAICT, it's only ever decremented (session_manager.go).
rate has an off-by-one error. If you set rate to 5 and per to 5, this sounds like it should be: "max of 5 requests every 5 seconds". However, this will only allow 4 requests to succeed and will fail on the fifth request.
General question: If you are using rate limiting, should it return in the response headers? Currently I only see the quota information returned with a X-Ratelimit-Remaining header which isn't accurate as usually your rate limiting has tighter thresholds than your quota. Restated: should there be separate response headers: one for quota, and one for rate limiting?
from tyk.
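A simulation written for this thread (not Tyk's own code) that replays Thomas's sequence above (1 request, wait 58 s, 998 requests, wait 2 s, 999 requests) against the two designs discussed: a TTL-keyed counter that empties at the boundary, and a sorted-set style rolling log like the one the first comment describes. The counter also increments before comparing with `<=`, so exactly `rate` requests pass, which is the off-by-one Thomas reports for the 5-per-5 case. The names `fixedWindow`, `slidingLog` and `runScenario`, and the inclusive lower bound of the rolling window, are my own assumptions.

```go
package main

import (
	"sort"
	"time"
)

const limit, window = 1000, 60 * time.Second // the thread's "1000 per 60 seconds"
// fixedWindow: a counter that is emptied when its TTL expires (a burst can straddle it).
type fixedWindow struct {
	start time.Time
	count int
}

func (f *fixedWindow) Allow(now time.Time) bool {
	if now.Sub(f.start) >= window {
		f.start, f.count = now, 0 // TTL expired: bucket fully emptied
	}
	f.count++               // increment first, then compare with <=,
	return f.count <= limit // so exactly `limit` requests pass (no off-by-one)
}

// slidingLog: one timestamp per admitted request, as a Redis sorted set would hold.
type slidingLog struct{ log []time.Time } // ascending

func (s *slidingLog) Allow(now time.Time) bool {
	cutoff := now.Add(-window) // inclusive lower bound of the trailing window (assumption)
	i := sort.Search(len(s.log), func(i int) bool { return !s.log[i].Before(cutoff) })
	s.log = s.log[i:] // drop aged-out entries (ZREMRANGEBYSCORE in Redis)
	if len(s.log) >= limit {
		return false
	}
	s.log = append(s.log, now)
	return true
}

// runScenario replays the thread's sequence (1 request, wait 58s, 998 requests,
// wait 2s, 999 requests) and returns how many of the final 1,997 were admitted.
func runScenario(allow func(time.Time) bool) int {
	t0 := time.Unix(0, 0)
	allow(t0)
	admitted := 0
	for _, s := range []struct{ at, n int }{{58, 998}, {60, 999}} {
		for i := 0; i < s.n; i++ {
			if allow(t0.Add(time.Duration(s.at) * time.Second)) {
				admitted++
			}
		}
	}
	return admitted
}
```

The fixed window admits all 1,997 requests of the 4-second burst; the rolling log admits 999 of them, keeping any 60-second span at 1,000.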
Ah, yes I see your point regarding the bucket emptying. It's an interesting option, would need to investigate further as our throttling mechanism is entirely in Redis to speed things up, not sure if it supports auto decrementing keys. I guess it could be done with a built in Lua script command.
Open to suggestions (and PR's) :-)
On 13 Mar 2015, at 05:41, Thomas Peters [email protected] wrote:
One more potential issue (I hope it's a bug and not a feature):
Let's say you have a rate of 1000 per 60 seconds.
Make a single request
Wait 58 seconds
Make 998 requests
Wait 2 seconds
Make 999 requests
I would like to see rate limiting prevent more than X requests over a given Y period. Instead of having the bucket completely emptied when the time elapses, the bucket can be slowly drained every second in order to prevent a burst of double the rate in a short time period.
from tyk.
Thanks for the example, you're right, the tests don't catch the off-by-one issue - to be honest we really need to improve the testing throughout :-S
The off-by-one bug is quite a simple fix, we'll just need to increment the counter when it goes into the key store, that makes the rate limiter behave more rationally.
Will add this to the next release.
from tyk.
Just saw your commit to your fork, want to send a PR? Will merge it in :-)
from tyk.
I submitted the pull request. I'll give the bucket draining code some thought and will hopefully submit something soon.
from tyk.
Merged :-) thanks for that!
Yeah, I've been thinking about bucket draining too - the current setup does all the work in redis, so it's quite efficient.
However, we could implement a more robust time-window based method that still makes use of redis increments (so that multi-node deployments keep in sync with parallel requests), so long as all the variables of the algo are exposed it should work... Now just need the algorithm.
On Friday, March 13, 2015, Thomas Peters [email protected] wrote:
I submitted the pull request. I'll give the bucket draining code some thought and will hopefully submit something soon.
from tyk.