
Distributed Rate Limiting

Traefik Enterprise supports distributed rate limiting. It's a middleware just like Traefik Proxy's rate limiting middleware, but it ensures that requests are limited over time throughout your cluster and not just on an individual proxy.

Configuration Example

To use distributed rate limiting, you'll need to deploy a service with the middleware enabled. Here are some examples depending on the provider you're using:

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
labels:
  - "traefik.http.middlewares.test-ratelimit.plugin.ratelimit.average=100"
  - "traefik.http.middlewares.test-ratelimit.plugin.ratelimit.burst=50"

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  plugin:
    rateLimit:
      average: 100
      burst: 50

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
http:
  middlewares:
    test-ratelimit:
      plugin:
        rateLimit:
          average: 100
          burst: 50

# Here, an average of 100 requests per second is allowed.
# In addition, a burst of 50 requests is allowed.
[http.middlewares]
  [http.middlewares.test-ratelimit.plugin.rateLimit]
    average = 100
    burst = 50

Configuration Options

For more information on the different configuration possibilities (average, burst, sourceCriterion etc.), refer to the Traefik Proxy Reference.

In addition, the following options are also available, specifically for Traefik Enterprise:

denyOnError

Optional, Default=true

The DenyOnError option forces the Traefik Proxies to return a 429 error if they cannot reach the controller to get the number of remaining requests accepted, so with the default the limiter fails closed. When set to false, this option allows the request to reach the backend in the case described above, so the limiter fails open.

labels:
  - "traefik.http.middlewares.test-ratelimit.plugin.ratelimit.denyOnError=false"

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  plugin:
    rateLimit:
      denyOnError: false

http:
  middlewares:
    test-ratelimit:
      plugin:
        rateLimit:
          denyOnError: false

[http.middlewares]
  [http.middlewares.test-ratelimit.plugin.rateLimit]
    denyOnError = false

timeout

Optional, Default=200ms

Maximum amount of time the proxies are allowed to spend reaching the controller to get the number of remaining requests accepted. If the timeout is reached, the requests are rejected or allowed (with an error log), depending on the DenyOnError option.

labels:
  - "traefik.http.middlewares.test-ratelimit.plugin.ratelimit.timeout=1s"

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  plugin:
    rateLimit:
      timeout: 1s

http:
  middlewares:
    test-ratelimit:
      plugin:
        rateLimit:
          timeout: 1s

[http.middlewares]
  [http.middlewares.test-ratelimit.plugin.rateLimit]
    timeout = "1s"

responseHeaders

Optional, Default=false

The ResponseHeaders option controls whether Traefik Enterprise injects the X-Rate-Limit-Remaining header in the response, which indicates how many tokens are left in the bucket (in the token bucket analogy) after the reservation for the request was made.

labels:
  - "traefik.http.middlewares.test-ratelimit.plugin.ratelimit.responseHeaders=true"

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: test-ratelimit
spec:
  plugin:
    rateLimit:
      responseHeaders: true

http:
  middlewares:
    test-ratelimit:
      plugin:
        rateLimit:
          responseHeaders: true

[http.middlewares]
  [http.middlewares.test-ratelimit.plugin.rateLimit]
    responseHeaders = true

Migrating from Traefik Proxy

If a Traefik Proxy configuration for the rate limit middleware exists, it can be adapted for Traefik Enterprise simply by using plugin.rateLimit instead of rateLimit. See the examples above for the different providers.

A Traefik Proxy middleware configuration can be kept as is, in which case the non-distributed version of the middleware runs on each proxy. The limit is then enforced per proxy and not across the entire cluster, so the total number of requests the cluster accepts grows with the number of proxies. Be careful when leaving such a configuration in place.
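
The denyOnError and migration notes above describe two settings worth checking before a rollout: a distributed limiter that fails open, and a limiter left in the per-proxy form. The following is an added example, not code from Traefik or from this documentation; it audits a list of container labels for both cases, and the function names, finding names and sample labels are constructed for illustration.

```python
import re

# Rate-limit labels in the two forms the page describes:
#   ...middlewares.<name>.plugin.ratelimit.<option>=<value>  (distributed)
#   ...middlewares.<name>.ratelimit.<option>=<value>         (per-proxy)
LABEL_RE = re.compile(
    r"^traefik\.http\.middlewares\.(?P<name>[^.]+)\."
    r"(?P<plugin>plugin\.)?ratelimit\.(?P<opt>[^=]+)=(?P<val>.*)$",
    re.IGNORECASE,
)

# Constructed sample labels (not taken from a real deployment).
SAMPLE_LABELS = [
    "traefik.http.middlewares.api-limit.plugin.ratelimit.average=100",
    "traefik.http.middlewares.api-limit.plugin.ratelimit.burst=50",
    "traefik.http.middlewares.api-limit.plugin.ratelimit.denyOnError=false",
    "traefik.http.middlewares.login-limit.ratelimit.average=5",
    "traefik.http.middlewares.web-limit.plugin.ratelimit.average=100",
    "traefik.http.routers.api.rule=Host(`example.com`)",
]


def parse_labels(labels):
    """Group rate-limit options by middleware name, ignoring other labels."""
    middlewares = {}
    for label in labels:
        m = LABEL_RE.match(label.strip())
        if not m:
            continue
        mw = middlewares.setdefault(
            m["name"], {"distributed": False, "local": False, "opts": {}}
        )
        mw["distributed" if m["plugin"] else "local"] = True
        mw["opts"][m["opt"].lower()] = m["val"].strip()
    return middlewares


def audit(labels):
    """Return (middleware, finding) pairs for settings that weaken the limit."""
    findings = []
    for name, mw in sorted(parse_labels(labels).items()):
        if mw["local"]:
            # Non-plugin form: each proxy enforces its own limit.
            findings.append((name, "per-proxy"))
        # denyOnError defaults to true, so only an explicit false fails open.
        if mw["distributed"] and mw["opts"].get("denyonerror", "true").lower() == "false":
            findings.append((name, "fail-open"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_LABELS):
        print(f"{name}: {issue}")
```
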