How to build a Rate Limiter using Redis

Author:

Ajeet Raina, Developer Marketing Manager at Redis

Rate limiting is a mechanism that many developers may have to deal with at some point in their life. It’s useful for a variety of purposes like sharing access to limited resources or limiting the number of requests made to an API endpoint and responding with a 429 status code.

In this tutorial, we will see how to implement Rate Limiting using various programming languages:

Python
NodeJS
Java
Ruby

Using Python#

Step 1. Pre-requisite#

Python
Docker
Docker Compose

Step 2. Clone the repository#

git clone https://github.com/redis-developer/basic-rate-limiting-demo-python

Step 3. Run docker compose or install redis manually#

docker network create global
docker-compose up -d --build

If you install redis manually open django-backend/configuration folder and copy .env.example to create .env. And provide the values for environment variables

- REDIS_HOST: Redis server host
- REDIS_PORT: Redis server port
- REDIS_DB: Redis server db index
- REDIS_PASSWORD: Redis server password

Step 4. Setup and run#

Install python, pip and venv (on mac: https://installpython3.com/mac/)

Use python version: 3.8

python3 -m venv venv
source ./venv/bin/activate
pip3 install -r requirements.txt
python3 manage.py collectstatic
python3 manage.py runserver

Step 5. Accessing the rate limiting app

Rate Limiting

How it works?#

How the data is stored:#

This app will block connections from a client after surpassing certain amount of requests (default: 10) per time (default: 10 sec) The application will return after each request the following headers. That will let the user know how many requests they have remaining before the run over the limit. On the 10th run server should return an HTTP status code of 429 Too Many Requests

SETNX is short for "SET if Not eXists". It basically sets key to hold string value if key does not exist. In that case, it is equal to SET. When key already holds a value, no operation is performed. New responses are added key-ip as shown below:

 SETNX your_ip:PING limit_amount
 Example: SETNX 127.0.0.1:PING 10 

More information

Set a timeout on key:

 EXPIRE your_ip:PING timeout
 Example: EXPIRE 127.0.0.1:PING 1000 

More information

How the data is accessed:#

Next responses are get bucket:

 GET your_ip:PING
 Example: GET 127.0.0.1:PING   

More information

Next responses are changed bucket:

 DECRBY your_ip:PING amount
 Example: DECRBY 127.0.0.1:PING 1

More information

Using Ruby#

The server will allow sending particular number of requests (permitted_requests_count stored in Redis) within a 10 second window. If you send more than that, all additional requests will be blocked.

Step 1. Pre-requisite#

Ruby - v2.7.0
Rails - v5.2.4.5
NPM - v7.6.0

Step 2. Clone the repository#

 git clone https://github.com/redis-developer/basic-redis-rate-limiting-demo-ruby/

Step 3. Copy files and set proper data inside#

Copy config/application.yml.example to config/application.yml

 cp config/application.yml.example config/application.yml

- REDIS_URL: Redis server URI

Step 4. Install dependencies#

bundle install

Step 5. Run Redis Docker container#

 docker run -d -p 6379:6379 redislabs/redismod

Step 6. Running the app#

rails s

Step 7. Accessing the app#

Go to the browser and type https://localhost:3000 to access the app

rate-limiting

How it works?#

This app was built using rack-defense gem which will block connections from a client after surpassing certain amount of requests (permitted_requests_count, default: 10) per time (10 seconds).

Code to configure rack-defence#

 Rack::Defense.setup do |config|
 config.store = ENV['REDIS_URL']

 permitted_requests_count = config.store.get('permitted_requests_count')

 if permitted_requests_count.present?
   permitted_requests_count = permitted_requests_count.to_i
 else
   config.store.set('permitted_requests_count', 10)
 end

 # 10000 - time, ms
 # || 10 - to avoid ArgumentError on first run
 config.throttle('ping', permitted_requests_count || 10, 10000) do |req|
   req.ip if req.path == '/ping' && req.get?
  end
 end

The application will return response headers after each successful request:

 # example
 X-RateLimit-Limit: 10
 X-RateLimit-Remaining: 9

The application will also return request header after each request (including blocking requests) with count of remaining requests:

 # example
 RateLimit-Remaining: 1

How the data is stored:#

The permitted_requests_count is stored in Redis store in string format. By default, it's 10. You can set new VALUE with these commands:

 SET permitted_requests_count VALUE
 INCR permitted_requests_count
 DECR permitted_requests_count

IMPORTANT! For the new permitted_requests_count value to take effect you need to restart an app (rails) server after these commands.

How the data is accessed:#

You can get permitted_requests_count with this command:

GET permitted_requests_count

How to build a Rate Limiter using Redis

Using Python#

Step 1. Pre-requisite#

Step 2. Clone the repository#

Step 3. Run docker compose or install redis manually#

Step 4. Setup and run#

How it works?#

How the data is stored:#

How the data is accessed:#

Using NodeJS#

Step 1. Pre-requisite#

Step 2. Clone the repository#

Step 3. Copy file and set proper data inside#

Step 4. Install dependencies#

Step 5. Run docker compose or install redis manually#

Step 6. Running the frontend#

Step 7. Running the backend#

Step 8. Accessing the rate limiting app#

Using Java#

Step 1. Pre-requisite#

Step 2. Clone the repository#

Step 3. Run docker compose or install redis manually#

Step 4. Setting up an environmental variable#

Step 5. Setup and run#

Step 6. Accessing the rate limiting app#

Using Ruby#

Step 1. Pre-requisite#

Step 2. Clone the repository#

Step 3. Copy files and set proper data inside#

Step 4. Install dependencies#

Step 5. Run Redis Docker container#

Step 6. Running the app#

Step 7. Accessing the app#

How it works?#

Code to configure rack-defence#

How the data is stored:#

How the data is accessed:#

References#