Web systems often face the challenge of numerous client requests within short timeframes. This can overwhelm servers, leading to slowdowns or failures. A rate limiter elegantly solves this by controlling the request frequency from each client. It acts as a gatekeeper, restricting API or service calls within a specified time window.
Rate limiting offers several crucial benefits:
Abuse Prevention: Mitigates excessive or malicious requests, such as denial-of-service (DoS) attacks, preventing system overload.
Resource Management: Ensures efficient resource allocation, preventing one client from monopolizing server resources and impacting others.
Performance Enhancement: Maintains application responsiveness even under high traffic loads by preventing request flooding.
Improved User Experience: Prevents user lockouts or performance degradation due to excessive requests.
Security Strengthening: Helps deter brute-force attacks or exploitation attempts by limiting request rates.
Let's examine a Go implementation using the popular Chi routing package and the golang.org/x/time/rate package (which employs the Token Bucket algorithm). This example uses http.Handler to control client request rates.
<code class="language-go">package main
import (
"encoding/json"
"net/http"
"strings"
"time"
"github.com/go-chi/chi"
"golang.org/x/time/rate"
)
func main() {
r := chi.NewRouter()
// Globally limits to 5 requests per second with a burst of 10
r.Use(RateLimiter(rate.Limit(5), 10, 1*time.Second))
// Test route
r.Get("/", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("Request successful"))
})
http.ListenAndServe(":3000", r)
}
// RateLimiter middleware
func RateLimiter(limit rate.Limit, burst int, waitTime time.Duration) func(next http.Handler) http.Handler {
limiterMap := make(map[string]*rate.Limiter)
lastRequestMap := make(map[string]time.Time)
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ip := strings.Split(r.RemoteAddr, ":")[0]
limiter, exists := limiterMap[ip]
if !exists {
limiter = rate.NewLimiter(limit, burst)
limiterMap[ip] = limiter
}
lastRequestTime, lastRequestExists := lastRequestMap[ip]
if lastRequestExists && time.Since(lastRequestTime) < waitTime {
//Handle exceeding rate limit
http.Error(w, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)
return
}
if !limiter.Allow() {
http.Error(w, http.StatusText(http.StatusTooManyRequests), http.StatusTooManyRequests)
return
}
lastRequestMap[ip] = time.Now()
next.ServeHTTP(w, r)
})
}
}</code>Exceeding the rate limit results in a 429 (Too Many Requests) error.
Several methods exist for identifying and limiting client usage:
IP-Based: Limits requests from specific IP addresses. Simple but ineffective on shared networks (NAT).
Authentication Token-Based: Tracks requests based on authentication tokens (JWT, OAuth). More granular but requires authentication.
Client ID-Based: Uses unique client IDs (API keys). Effective for service integrations but vulnerable if keys are compromised.
Per-User Session: Limits requests based on unique session identifiers. Focuses on individual user experience.
Route/Endpoint-Based: Limits requests to specific high-traffic endpoints. Combines well with other methods.
The example uses IP addresses for simplicity, suitable for public APIs or applications without token-based authentication.
Rate limiting is vital for application security, stability, and user experience. This example demonstrates a practical and efficient implementation using Go and Chi. It's a critical technique for protecting against abuse and ensuring fair resource distribution.
The above is the detailed content of What is Rate Limiter and Why Use It?. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
