Ocelot icon indicating copy to clipboard operation
Ocelot copied to clipboard
verified publisher icon ThreeMammals

Rate limit with RemoteIpAddress

Open EngRajabi opened this issue 6 years ago • 8 comments

New Feature

  • add rate limit with ip address
  • add StackBlockedRequests
  • add custom rate limit store(sql server, redis,...) read header key in config add IpWhitelist in config read StackBlockedRequests in config

EngRajabi avatar Nov 04 '19 11:11 EngRajabi

For a custom rate limit store, you can write a handler that implements IRateLimitCounterHandler interface.

Then you can replace the default implementation MemoryCacheRateLimitCounterHandler with your own handler.

https://github.com/ThreeMammals/Ocelot/blob/fbd9c01a425a0a3bda46717efda423883543fb76/src/Ocelot/DependencyInjection/OcelotBuilder.cs#L108

catcherwong avatar Nov 05 '19 00:11 catcherwong

Just do an UpsteamHeaderTransorm "UpstreamHeaderTransform": { "ClientId": "{RemoteIpAddress}" },

I actually struggled with this, thinking IP was the default. I had to debug the Ocelot source with ReSharper to figure it out. This works though... Unless I'm missing something.

m-hicks-OH avatar May 19 '21 19:05 m-hicks-OH

If you also need the X-Forwarded-For header in your downstream systems, you can configure Ocelot to use this header instead of the default ClientId header for rate limiting.

{
  "GlobalConfiguration": {
    "RateLimitOptions": {
      "DisableRateLimitHeaders": false,
      "HttpStatusCode": 429,
      "ClientIdHeader" : "X-Forwarded-For"
    }
  },
  "Routes": [
    {
    ... // route configuration
    "UpstreamHeaderTransform": {
        "X-Forwarded-For": "{RemoteIpAddress}"
      }
    }
  ]
}

eddex avatar Mar 13 '23 11:03 eddex

@EngRajabi commented on Nov 4, 2019

add rate limit with ip address

Now not implemented. And this feature could be with high priority.

add StackBlockedRequests

Sorry? What are you talking about?

add custom rate limit store(sql server, redis,...)

Seems, not implemented. Will you contribute?

read header key in config

Sorry? Isn't it already implemented by ClientIdHeader option?

add IpWhitelist in config

Isn't it implemented by ClientWhitelist option? Or, did you mean IP whitelist by RemoteIpAddress ? What do you think about Security Options feature?

read StackBlockedRequests in config

Sorry? What are you talking about?

Well...Will you contribute?

raman-m avatar Mar 17 '24 17:03 raman-m

@ggnaegi @RaynaldM Tom skipped this request in 2020 allowing ASP.NET team to deliver Rate Limiter feature in ASP.NET 7 (.NET 7) in November'2022. See: Future and ASP.NET Core Implementation And ASP.NET developers use native framework feature nowadays...

Will a new "Rate limit with RemoteIpAddress" feature be useful for our project? It is pretty useful from logical point of view. Seems ASP.NET Rate Limiter should have same functionality based on RemoteIpAddress.

raman-m avatar Mar 17 '24 17:03 raman-m

Hello, this request is very old. Currently, you can use asp's own ratelimit.

EngRajabi avatar Mar 18 '24 05:03 EngRajabi

This is one of our next topics, and we'll be analyzing whether it's useful and feasible.

RaynaldM avatar Apr 02 '24 06:04 RaynaldM

It is useful, @RaynaldM... I don't like current design based on ClientIdHeader... A bit strange solution. Also, ASP.NET has own implementation now in ASP.NET 7+. But I've not seen native RemoteIpAddress feature... ASP.NET offers to define a policy with predicate to check RemoteIpAddress... then you limit using this policy options...

But the problem is a lack of our dev time. Seems Mohsen will not contribute... Will you, @EngRajabi ?

raman-m avatar Apr 05 '24 16:04 raman-m