Rate limit HTTP requests by URL parameter
As an alternative to rate limiting by URL path, you can configure request rate limiting by URL parameter. This approach can be useful if your clients include an API token in the URL to identify themselves. This configuration is based on a sliding window rate limit configuration.
In the following example, the client is expected to include a token with each request, as follows:

http://yourwebsite.com/api/v1/does_a_thing?token=abcd1234

For this example, the configuration applies a limit of 1000 requests per 24-hour period, and it also requires that the client supply a token as shown above.
- In the frontend, add a stick table with a type of `string` that stores the HTTP request rate. The sliding window size in this example is 24 hours:

  ```haproxy
  frontend website
     bind :80
     stick-table type string size 100k expire 24h store http_req_rate(24h)
  ```

- Create an ACL named `has_token` that indicates whether the token parameter is present in the URL:

  ```haproxy
  # check for token parameter
  acl has_token url_param(token) -m found
  ```

- Create an ACL named `exceeds_limit` that looks up the request count for the current token over the last 24 hours and compares it to the rate limit threshold, 1000:

  ```haproxy
  # check if exceeds limit
  acl exceeds_limit url_param(token),table_http_req_rate() gt 1000
  ```

- Add an `http-request track-sc0` directive that stores the URL parameter named `token` as the key in the table:

  ```haproxy
  # start tracking based on token parameter
  http-request track-sc0 url_param(token) unless exceeds_limit
  ```

  The `unless exceeds_limit` clause serves an important purpose. It prevents the counter from continuing to increment once the client has exceeded the limit, and it allows the entry to expire so that the client is not permanently blocked.

- If the token is missing or the limit is exceeded, deny the request with a 429 status:

  ```haproxy
  # Deny if missing token or exceeds limit
  http-request deny deny_status 429 if !has_token or exceeds_limit
  ```
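To make the effect of the `unless exceeds_limit` clause concrete, here is an added Python model of the frontend rules above; it is not HAProxy code and not part of the original page. A plain sliding window of request timestamps stands in for HAProxy's rate estimator, and the token value and the client's retry pattern are constructed for the scenario.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WINDOW = 24 * 3600   # http_req_rate(24h) period, in seconds
EXPIRE = 24 * 3600   # stick-table "expire 24h"
LIMIT = 1000         # the "gt 1000" threshold in exceeds_limit

@dataclass
class Entry:
    hits: List[float] = field(default_factory=list)  # timestamps of tracked requests
    last_tracked: float = 0.0

class TokenRateLimiter:
    def __init__(self, track_unless_exceeds: bool = True):
        self.track_unless_exceeds = track_unless_exceeds  # False = no "unless" clause
        self.table: Dict[str, Entry] = {}  # stick table keyed by url_param(token)

    def _exceeds_limit(self, token: str, now: float) -> bool:
        entry = self.table.get(token)
        if entry is None:
            return False
        if now - entry.last_tracked > EXPIRE:  # expired entry, HAProxy would have purged it
            del self.table[token]
            return False
        entry.hits = [t for t in entry.hits if now - t < WINDOW]  # drop hits outside window
        return len(entry.hits) > LIMIT

    def handle(self, token: Optional[str], now: float) -> int:
        """Status the frontend returns for one request: 200 (passed) or 429 (denied)."""
        has_token = token is not None  # acl has_token url_param(token) -m found
        # http-request track-sc0 url_param(token) unless exceeds_limit
        if has_token and not (self.track_unless_exceeds and self._exceeds_limit(token, now)):
            entry = self.table.setdefault(token, Entry())
            entry.hits.append(now)
            entry.last_tracked = now
        # http-request deny deny_status 429 if !has_token or exceeds_limit
        if not has_token or self._exceeds_limit(token, now):
            return 429
        return 200

def status_after_retrying(track_unless_exceeds: bool) -> int:
    """Constructed scenario: burst 1001 requests, then retry once a minute; status at hour 25."""
    rl = TokenRateLimiter(track_unless_exceeds)
    for i in range(1001):
        rl.handle("abcd1234", float(i))
    for minute in range(1, 25 * 60):
        rl.handle("abcd1234", float(minute * 60))
    return rl.handle("abcd1234", float(25 * 3600))  # 200 with the unless clause, 429 without
```

With the clause, the denied retries are never counted, so the client's entry ages out and it regains access 24 hours after its last counted request; without it, every retry refreshes the counter and the entry's expiry, and a client that keeps retrying stays blocked.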
Next up
Traffic Routing