2022-04-15 13:44:08 +00:00
---
title: "Traefik RateLimit Documentation"
description: "Traefik Proxy's HTTP RateLimit middleware ensures Services receive fair amounts of requests. Read the technical documentation."
---
2019-04-08 15:14:08 +00:00
# RateLimit
2019-02-26 13:50:07 +00:00
2019-08-26 10:20:06 +00:00
To Control the Number of Requests Going to a Service
2019-02-26 13:50:07 +00:00
{: .subtitle }
2021-02-11 13:34:04 +00:00
The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.
2019-02-26 13:50:07 +00:00
2023-03-14 13:58:06 +00:00
It is based on a [token bucket ](https://en.wikipedia.org/wiki/Token_bucket ) implementation. In this analogy, the [average ](#average ) parameter (defined below) is the rate at which the bucket refills, and the [burst ](#burst ) is the size (volume) of the bucket.
2019-02-26 13:50:07 +00:00
## Configuration Example
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2019-08-26 10:20:06 +00:00
# Here, an average of 100 requests per second is allowed.
2024-02-12 08:44:11 +00:00
# In addition, a burst of 200 requests is allowed.
2019-04-08 15:14:08 +00:00
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
2024-02-12 08:44:11 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
2019-04-08 15:14:08 +00:00
```
```yaml tab="Kubernetes"
2019-08-26 10:20:06 +00:00
# Here, an average of 100 requests per second is allowed.
2024-02-12 08:44:11 +00:00
# In addition, a burst of 200 requests is allowed.
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-04-08 15:14:08 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
2020-01-08 10:44:04 +00:00
average: 100
2024-02-12 08:44:11 +00:00
burst: 200
2019-04-08 15:14:08 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
# Here, an average of 100 requests per second is allowed.
2024-02-12 08:44:11 +00:00
# In addition, a burst of 200 requests is allowed.
2019-10-15 15:34:08 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
```
2019-07-22 07:58:04 +00:00
```yaml tab="File (YAML)"
2019-08-26 10:20:06 +00:00
# Here, an average of 100 requests per second is allowed.
2024-02-12 08:44:11 +00:00
# In addition, a burst of 200 requests is allowed.
2019-07-22 07:58:04 +00:00
http:
middlewares:
test-ratelimit:
rateLimit:
2019-08-26 10:20:06 +00:00
average: 100
2024-02-12 08:44:11 +00:00
burst: 200
2019-07-22 07:58:04 +00:00
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
# Here, an average of 100 requests per second is allowed.
2024-02-12 08:44:11 +00:00
# In addition, a burst of 200 requests is allowed.
2021-06-18 22:08:08 +00:00
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
2024-02-12 08:44:11 +00:00
burst = 200
2021-06-18 22:08:08 +00:00
```
2019-02-26 13:50:07 +00:00
## Configuration Options
2019-08-26 10:20:06 +00:00
### `average`
2021-02-11 13:34:04 +00:00
`average` is the maximum rate, by default in requests per second, allowed from a given source.
2020-01-08 10:44:04 +00:00
It defaults to `0` , which means no rate limiting.
The rate is actually defined by dividing `average` by `period` .
So for a rate below 1 req/s, one needs to define a `period` larger than a second.
2019-08-26 10:20:06 +00:00
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2020-01-08 10:44:04 +00:00
# 100 reqs/s
2019-08-26 10:20:06 +00:00
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
2019-08-26 10:20:06 +00:00
```
```yaml tab="Kubernetes"
2020-01-08 10:44:04 +00:00
# 100 reqs/s
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-08-26 10:20:06 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
2020-01-08 10:44:04 +00:00
average: 100
2019-08-26 10:20:06 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
2020-01-08 10:44:04 +00:00
# 100 reqs/s
2019-10-15 15:34:08 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
```
2019-08-26 10:20:06 +00:00
```yaml tab="File (YAML)"
2020-01-08 10:44:04 +00:00
# 100 reqs/s
2019-08-26 10:20:06 +00:00
http:
middlewares:
test-ratelimit:
rateLimit:
average: 100
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
# 100 reqs/s
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 100
```
2020-01-08 10:44:04 +00:00
### `period`
`period` , in combination with `average` , defines the actual maximum rate, such as:
```go
r = average / period
```
It defaults to `1` second.
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2020-01-08 10:44:04 +00:00
# 6 reqs/minute
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
```
```yaml tab="Kubernetes"
# 6 reqs/minute
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2020-01-08 10:44:04 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
period: 1m
average: 6
```
```yaml tab="Consul Catalog"
# 6 reqs/minute
- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
```
```yaml tab="File (YAML)"
# 6 reqs/minute
http:
middlewares:
test-ratelimit:
rateLimit:
average: 6
period: 1m
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
# 6 reqs/minute
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
average = 6
period = "1m"
```
2019-08-26 10:20:06 +00:00
### `burst`
2020-01-08 10:44:04 +00:00
`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
It defaults to `1` .
2019-08-26 10:20:06 +00:00
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2019-08-26 10:20:06 +00:00
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
2019-08-26 10:20:06 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-08-26 10:20:06 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
2020-01-08 10:44:04 +00:00
burst: 100
2019-08-26 10:20:06 +00:00
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
2021-02-11 13:34:04 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
2019-10-15 15:34:08 +00:00
```
2019-08-26 10:20:06 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
burst: 100
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
burst = 100
```
2019-08-26 10:20:06 +00:00
### `sourceCriterion`
2021-02-11 13:34:04 +00:00
The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
2021-10-19 12:40:06 +00:00
If several strategies are defined at the same time, an error will be raised.
2019-08-26 10:20:06 +00:00
If none are set, the default is to use the request's remote address field (as an `ipStrategy` ).
#### `sourceCriterion.ipStrategy`
2021-02-11 13:34:04 +00:00
The `ipStrategy` option defines two parameters that configures how Traefik determines the client IP: `depth` , and `excludedIPs` .
2019-08-26 10:20:06 +00:00
2023-02-09 16:34:06 +00:00
!!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For` , it cannot be found and/or relied upon."
2019-08-26 10:20:06 +00:00
##### `ipStrategy.depth`
2021-02-11 13:34:04 +00:00
The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
2019-08-26 10:20:06 +00:00
2021-02-11 13:34:04 +00:00
- If `depth` is greater than the total number of IPs in `X-Forwarded-For` , then the client IP is empty.
- `depth` is ignored if its value is less than or equal to 0.
2019-08-26 10:20:06 +00:00
2019-09-23 12:32:04 +00:00
!!! example "Example of Depth & X-Forwarded-For"
2019-08-26 10:20:06 +00:00
2021-02-11 13:34:04 +00:00
If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
2019-08-26 10:20:06 +00:00
| `X-Forwarded-For` | `depth` | clientIP |
|-----------------------------------------|---------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
| `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2019-08-26 10:20:06 +00:00
labels:
2021-02-11 13:34:04 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
2019-08-26 10:20:06 +00:00
```
2019-02-26 13:50:07 +00:00
2019-08-26 10:20:06 +00:00
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-08-26 10:20:06 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
ipStrategy:
2021-02-11 13:34:04 +00:00
depth: 2
2019-08-26 10:20:06 +00:00
```
2019-02-26 13:50:07 +00:00
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
2021-02-11 13:34:04 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
2019-08-26 10:20:06 +00:00
```
2019-02-26 13:50:07 +00:00
2019-08-26 10:20:06 +00:00
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
2021-02-11 13:34:04 +00:00
depth: 2
2019-08-26 10:20:06 +00:00
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
depth = 2
```
2021-02-11 13:34:04 +00:00
##### `ipStrategy.excludedIPs`
2021-06-07 15:46:14 +00:00
!!! important "Contrary to what the name might suggest, this option is _not_ about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs."
2019-09-23 12:32:04 +00:00
!!! important "If `depth` is specified, `excludedIPs` is ignored."
2021-06-07 15:46:14 +00:00
`excludedIPs` is meant to address two classes of somewhat distinct use-cases:
2019-09-23 12:32:04 +00:00
2021-06-07 15:46:14 +00:00
1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others,
to its own rate-limit "bucket" (cf the [leaky bucket analogy ](https://wikipedia.org/wiki/Leaky_bucket )).
In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded,
in order to find the actual clientIP.
!!! example "Each IP as a distinct source"
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source,
and all contribute to the same rate-limit bucket.
!!! example "Group IPs together as same source"
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|--------------|--------------|
| `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
| `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
For completeness, below are additional examples to illustrate how the matching works.
For a given request the list of `X-Forwarded-For` IPs is checked from most recent to most distant against the `excludedIPs` pool,
and the first IP that is _not_ in the pool (if any) is returned.
!!! example "Matching for clientIP"
| X-Forwarded-For | excludedIPs | clientIP |
|--------------------------------|-----------------------|--------------|
| `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
| `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
2019-09-23 12:32:04 +00:00
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2021-02-11 13:34:04 +00:00
labels:
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2021-02-11 13:34:04 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- 127.0.0.1/32
- 192.168.1.7
```
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
ipStrategy:
excludedIPs:
- "127.0.0.1/32"
- "192.168.1.7"
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
```
2019-08-26 10:20:06 +00:00
#### `sourceCriterion.requestHeaderName`
2021-02-11 13:34:04 +00:00
Name of the header used to group incoming requests.
2019-02-26 13:50:07 +00:00
2024-05-29 08:40:05 +00:00
!!! important "If the header is not present, rate limiting will still be applied, but all requests without the specified header will be grouped together."
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2019-08-26 10:20:06 +00:00
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
2019-08-26 10:20:06 +00:00
```
2019-02-26 13:50:07 +00:00
2019-08-26 10:20:06 +00:00
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-08-26 10:20:06 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
requestHeaderName: username
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
2019-08-26 10:20:06 +00:00
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
requestHeaderName: username
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHeaderName = "username"
```
2019-08-26 10:20:06 +00:00
#### `sourceCriterion.requestHost`
Whether to consider the request host as the source.
2023-05-10 13:28:05 +00:00
```yaml tab="Docker & Swarm"
2019-08-26 10:20:06 +00:00
labels:
2019-09-23 15:00:06 +00:00
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
2019-08-26 10:20:06 +00:00
```
```yaml tab="Kubernetes"
2023-03-20 14:38:08 +00:00
apiVersion: traefik.io/v1alpha1
2019-08-26 10:20:06 +00:00
kind: Middleware
metadata:
name: test-ratelimit
spec:
rateLimit:
sourceCriterion:
requestHost: true
```
2019-10-15 15:34:08 +00:00
```yaml tab="Consul Catalog"
- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
2019-08-26 10:20:06 +00:00
```
```yaml tab="File (YAML)"
http:
middlewares:
test-ratelimit:
rateLimit:
sourceCriterion:
requestHost: true
2019-09-23 15:00:06 +00:00
```
2021-06-18 22:08:08 +00:00
```toml tab="File (TOML)"
[http.middlewares]
[http.middlewares.test-ratelimit.rateLimit]
[http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
requestHost = true
```