How do you solve rate-limiting?

Hello!

How do you solve rate-limiting in your servers? Do you implement it yourself, use some library, or is it included within your host?

I’m trying to collect some ideas here for work.

Cloudflare, nginx and having apps that nobody uses is my personal solution…

A few points off the top of my head:

  1. If it’s a small project, just don’t do it. Focus on the product and don’t optimize prematurely.
  2. Having said that, Redis is the classic solution. I can detail more if you want.
  3. Some hosting platforms have built-in rate limiting. The big cloud vendors have built-in solutions (GCP Cloud Armor, Vercel rate limiting, etc.).

Rate-limiting in what fashion?
Protecting specific endpoints, the application overall, or what’s the “end goal” effectively?

The benefit of doing it at the webserver level, for example, is that it's going to be much quicker and more resource-friendly compared to doing it in the application.
However, it will also be a lot less flexible, and not exactly a whole lot of feedback can be provided to the client - unless you, for example, do it in nginx-lua.

Doing it in the application has the benefit that you can handle clients better, it's easier to protect specific endpoints, and you can limit on more than just e.g. the IP address of the user, e.g. on a combination of API token + IP.

Sometimes you do both for different parts of the application. I don’t think one can ever end up with a “one size fits all” solution.

I personally have application level rate-limiting for APIs, but use a WAF rate-limiter to protect login pages for example.

Cloudflare WAF and/or Laravel’s built-in rate limiting depending on the situation.

Run db locally where I do not have rate limits, export the db and upload it to the live db.

ASP.NET Core has rate limiting built-in in .NET 9.

Let my reverse proxy (probably apache or nginx) handle it.

Tobin said:
Let my reverse proxy (probably apache or nginx) handle it.

Are you tying the reverse proxy into your authentication somehow? Or do you just mean for IP-based limiting?

Tobin said:
Let my reverse proxy (probably apache or nginx) handle it.

Does apache or nginx come with plugins or settings for this?

Peyton said:

Tobin said:
Let my reverse proxy (probably apache or nginx) handle it.

Does apache or nginx come with plugins or settings for this?

Yup.

I haven’t needed it. It hasn’t been a problem to solve.

Avery said:
I haven’t needed it. It hasn’t been a problem to solve.

…Then why comment?

Levi said:

Avery said:
I haven’t needed it. It hasn’t been a problem to solve.

…Then why comment?

Because sometimes the correct “solution” is to do nothing at all. There’s a pretty decent chance OP is asking about rate limiting for something that maybe gets low double digits of traffic, so this would be the correct “solution” in that case.

@Avery
For a hobby project, I’d tend to agree. OP said they need this for work though, so I’d say rate limiting is probably a good preventative practice. If they’re already asking because work wants it, I think it’s likely they have budget and capacity to implement it.

I can see a company not having the resources to do it, but few companies would find it acceptable for their API to see downtime due to an attack.