RateLimit Middleware
The RateLimit middleware protects your services by controlling the rate of incoming requests, ensuring fair usage and preventing abuse. This middleware applies globally to entire routes, providing comprehensive protection without requiring individual path configuration.
Basic Rate Limiting
Configure basic rate limiting to control request frequency:
```yaml
middlewares:
  - name: rate-limit
    type: rateLimit
    rule:
      unit: second
      requestsPerUnit: 60
```
Parameters
Parameter | Type | Description | Options |
---|---|---|---|
unit | string | Time period for rate calculation | second, minute, hour |
requestsPerUnit | integer | Maximum requests allowed per time unit | Any positive integer |
banAfter | integer | Number of rate limit violations before banning | Any positive integer |
banDuration | string | Duration of the ban | Time units: ms, s, m, h |
Example Scenarios
High-frequency API (1 request per second):
```yaml
rule:
  unit: second
  requestsPerUnit: 1
```
Standard API (100 requests per minute):
```yaml
rule:
  unit: minute
  requestsPerUnit: 100
```
Bulk operations (1000 requests per hour):
```yaml
rule:
  unit: hour
  requestsPerUnit: 1000
```
Advanced Rate Limiting with Automatic Banning
For enhanced protection against persistent abuse, enable automatic banning of clients that repeatedly exceed rate limits:
```yaml
middlewares:
  - name: rate-limit-with-ban
    type: rateLimit
    rule:
      unit: minute
      requestsPerUnit: 100
      banAfter: 5
      banDuration: 30m
```
Ban Duration Examples
- 500ms: 500 milliseconds
- 30s: 30 seconds
- 15m: 15 minutes
- 2h: 2 hours
- 1h30m: 1 hour and 30 minutes
How It Works
- Rate Tracking: The middleware monitors request frequency per client
- Limit Enforcement: Requests exceeding the configured rate are rejected with HTTP 429 (Too Many Requests)
- Violation Counting: When banning is enabled, rate limit violations are tracked per client
- Automatic Banning: After reaching the banAfter threshold, the client is temporarily banned
- Ban Expiry: Banned clients regain access after the banDuration expires
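
The sequence above, modelled in Python as an added example (not the gateway's own code) so you can see how a given rule treats a burst before deploying it. Assumptions not stated on this page: a fixed-window counter, one violation per rejected request, the violation counter resetting when a ban starts, an opaque string as the client key, and the labels `allow`, `limited` and `banned`.

```python
import re
from collections import Counter

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}
DURATION_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}

def parse_duration(text):
    """Convert '500ms', '30m' or '1h30m' into seconds."""
    parts = re.findall(r"(\d+)(ms|s|m|h)", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"invalid duration: {text!r}")
    return sum(int(n) * DURATION_MS[u] for n, u in parts) / 1000

class RateLimitModel:
    """Fixed-window model of the rule; the window algorithm is an assumption."""

    def __init__(self, unit, requests_per_unit, ban_after=0, ban_duration="0s"):
        self.window = UNIT_SECONDS[unit]
        self.limit = requests_per_unit
        self.ban_after = ban_after              # 0 means banning is disabled
        self.ban_seconds = parse_duration(ban_duration)
        self.clients = {}                       # client key -> per-client state

    def check(self, client, now):
        """Return 'allow', 'limited' (HTTP 429) or 'banned' for one request."""
        st = self.clients.setdefault(
            client, {"start": now, "count": 0, "violations": 0, "banned_until": 0.0})
        if now < st["banned_until"]:
            return "banned"
        if now - st["start"] >= self.window:    # a new window begins
            st["start"], st["count"] = now, 0
        st["count"] += 1
        if st["count"] <= self.limit:
            return "allow"
        st["violations"] += 1                   # one violation per rejected request
        if self.ban_after and st["violations"] >= self.ban_after:
            st["banned_until"] = now + self.ban_seconds
            st["violations"] = 0                # assumption: counter resets on ban
        return "limited"

def simulate_burst(model, client, requests, at=0.0):
    """Constructed traffic: `requests` back-to-back requests at time `at`."""
    return Counter(model.check(client, at) for _ in range(requests))

if __name__ == "__main__":
    # The page's rate-limit-with-ban rule: 100/minute, banAfter 5, banDuration 30m.
    model = RateLimitModel("minute", 100, ban_after=5, ban_duration="30m")
    print(simulate_burst(model, "client-a", 110))   # 100 allow, 5 limited, 5 banned
    print(model.check("client-a", 1799.0))          # banned
    print(model.check("client-a", 1800.0))          # allow
```

Under these assumptions a client that overshoots by only five requests in one window is locked out for the full banDuration, so size banAfter against the retry behaviour of legitimate clients.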