Rate limiting is a mechanism that many developers may have to deal with at some point in their life. It’s useful for a variety of purposes like sharing access to limited resources or limiting the number of requests made to an API endpoint and responding with a 429 status code. Building a rate limiter with Redis is easy because of two commands: INCR and EXPIRE. The basic concept is that you want to limit requests to a particular service in a given time period. Let’s say we have a service that has users identified by an API key. This service states that it is limited to 20 requests in any given minute.
In this tutorial, we will see how to deploy Rate Limiting using Redis and Go.
Create your free Redis Enterprise Cloud account. Follow this link to create a Redis Enterprise Cloud subscription and database.
Save the database endpoint URL and password for future reference.
If you are using Heroku for the first time, create your new Heroku account through this link.
For this demonstration, we will be using a Simple Rate Limiting application using Go.
Go to the Heroku dashboard, click "Settings" and set REDIS_HOST, REDIS_PORT and REDIS_PASSWORD under the Config Vars. Refer to Step 1 for the correct values to use.
You now have a functioning Git repository that contains a simple application as well as a package.json file, which is used by Node’s dependency manager.
Heroku generates a random name (in this case powerful-fortress-83061) for your app, or you can pass a parameter to specify your own app name. Now deploy your code:
Open https://powerful-fortress-83061.herokuapp.com/ to see your application.
This app will block connections from a client after it surpasses a certain number of requests (default: 10) per time period (default: 10 sec). The application returns the X-RateLimit-Limit and X-RateLimit-Remaining headers in response to each request. The values of these headers tell the user how many requests they have remaining before they reach the limit. On the 10th run the server should return an HTTP status code of 429 Too Many Requests.
CookieValue: md5(<current time>), where <current time> is the request time in the format:
2006-01-02 15:04:05.999999999 -0700 MST
- Read the request count for the user (USER_IDENTIFIER is taken from the request cookie):
  GET requests.<USER_IDENTIFIER>
- If the request counter does not exist, set it with a 10-second expiry:
  SETEX requests.<USER_IDENTIFIER> 10 0
  For example:
  SETEX requests.0cbc6611f5540bd0809a388dc95a615b 10 0
- Increment the request counter on each request from the user:
- Get the number of requests for the user:
c corresponds to the active controller and c.r is a Redis client.
200 - OK - responded
406 - Not Acceptable - could not read the cookie from the request; returned when cookies are not allowed on the client side
429 - Too Many Requests - user sent more than 10 requests / 10 sec
X-RateLimit-Limit: 10 - allowed number of requests per 10 sec
X-RateLimit-Remaining: 9 - number of requests left in the 10 sec window
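The counter steps and response codes listed above, put together as an added example; this is not the application's own code. It swaps Redis for an in-memory map so that it runs offline. The type name limiter, the cookie name user and the listen address are assumptions, and the 429 threshold follows the status list (more than 10 requests per 10 sec).

```go
package main

import (
	"log"
	"net/http"
	"strconv"
	"sync"
	"time"
)

const limit, window = 10, 10 * time.Second // page defaults: 10 requests per 10 sec

// limiter is an in-memory stand-in (assumption) for the requests.<USER_IDENTIFIER> keys.
type limiter struct {
	mu  sync.Mutex
	n   map[string]int
	exp map[string]time.Time
}

// check counts one request for id; it returns the status code and remaining quota.
func (l *limiter) check(id string, now time.Time) (code, left int) {
	l.mu.Lock() // create-if-absent and increment form one atomic step
	defer l.mu.Unlock()
	if !now.Before(l.exp[id]) { // absent or expired: SETEX requests.<id> 10 0
		l.n[id], l.exp[id] = 0, now.Add(window)
	}
	l.n[id]++ // INCR requests.<id>
	if l.n[id] > limit {
		return http.StatusTooManyRequests, 0
	}
	return http.StatusOK, limit - l.n[id]
}

// ServeHTTP answers 406 without a cookie, otherwise check's verdict plus both headers.
func (l *limiter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ck, err := r.Cookie("user") // cookie name "user" is an assumption
	if err != nil {
		w.WriteHeader(http.StatusNotAcceptable)
		return
	}
	code, left := l.check(ck.Value, time.Now())
	w.Header().Set("X-RateLimit-Limit", strconv.Itoa(limit))
	w.Header().Set("X-RateLimit-Remaining", strconv.Itoa(left))
	w.WriteHeader(code)
}

func main() {
	l := &limiter{n: map[string]int{}, exp: map[string]time.Time{}}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", l)) // address is an assumption
}
```

Against Redis itself the create-and-increment step needs the same atomicity, for example INCR and EXPIRE inside a MULTI/EXEC transaction or a Lua script, because separate GET, SETEX and INCR calls from concurrent requests can interleave.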