feat: cluster key rate limit enhancement #1036

hanxiantao · 2024-06-13T01:08:26Z

Ⅰ. Describe what this PR did

cluster key rate limit enhancement
1）add limit_type: limit_by_consumer、limit_by_cookie、limit_by_per_header、limit_by_per_param、limit_by_per_consumer、limit_by_per_cookie
2）support batch configuration of rate limiting rules

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

1）、limit_by_param和limit_by_per_param

wasmplugin.yam：

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    rule_name: default_rule
    rule_items:
      - limit_by_param: apikey
        limit_keys:
          - key: 9a342114-ba8a-11ec-b1bf-00163e1250b5
            query_per_minute: 10
          - key: a6a6d7f2-ba8a-11ec-bec2-00163e1250b5
            query_per_hour: 100
      - limit_by_per_param: apikey
        limit_keys:
          # 正则表达式，匹配以a开头的所有字符串，每个apikey对应的请求10qds
          - key: "regexp:^a.*"
            query_per_second: 10
          # 正则表达式，匹配以b开头的所有字符串，每个apikey对应的请求100qd
          - key: "regexp:^b.*"
            query_per_minute: 100
          # 兜底用，匹配所有请求，每个apikey对应的请求1000qdh
          - key: "*"
            query_per_hour: 1000
    redis:
      service_name: redis.static
    show_limit_quota_header: true
  url: oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:0.0.68
  imagePullSecret: aliyun

1）根据第一个apikey进行限流

一分钟内请求三次：

curl -kvv -X GET 'http://localhost:8082/test?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5' \
-H 'Host: www.test.com'

响应头中x-ratelimit-limit为10（限制的总请求数），x-ratelimit-remaining为7（剩余还可以发送的请求数）

2）根据第二个apikey限流

请求三次：

curl -kvv -X GET 'http://localhost:8082/test?apikey=a6a6d7f2-ba8a-11ec-bec2-00163e1250b5' \
-H 'Host: www.test.com'

Redis中的数据：

3）正则表达式以b开头的字符串

一分钟内请求三次：

curl -kvv -X GET 'http://localhost:8082/test?apikey=b123456' \
-H 'Host: www.test.com'

响应头中x-ratelimit-limit为100（限制的总请求数），x-ratelimit-remaining为97（剩余还可以发送的请求数）s

4）*

请求四次：

curl -kvv -X GET 'http://localhost:8082/test?apikey=123456' \
-H 'Host: www.test.com'

Redis中的数据：

2）、limit_by_header和limit_by_per_header

wasmplugin.yam：

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    rule_name: default_rule
    rule_items:
      - limit_by_header: x-ca-key
        limit_keys:
          - key: 102234
            query_per_minute: 10
          - key: 308239
            query_per_hour: 10
      - limit_by_per_header: x-ca-key
        limit_keys:
          # 正则表达式，匹配以a开头的所有字符串，每个apikey对应的请求10qds
          - key: "regexp:^a.*"
            query_per_second: 10
          # 正则表达式，匹配以b开头的所有字符串，每个apikey对应的请求100qd
          - key: "regexp:^b.*"
            query_per_minute: 100
          # 兜底用，匹配所有请求，每个apikey对应的请求1000qdh
          - key: "*"
            query_per_hour: 1000            
    redis:
      service_name: redis.static
    show_limit_quota_header: true  
  url: oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:0.0.68
  imagePullSecret: aliyun

1）根据第一个请求头进行限流

一分钟内请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'x-ca-key: 102234' -H 'Host: www.test.com'

响应头中x-ratelimit-limit为10（限制的总请求数），x-ratelimit-remaining为7（剩余还可以发送的请求数）

2）根据第二个请求头进行限流

请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'x-ca-key: 308239' -H 'Host: www.test.com'

Redis中的数据：

3）正则表达式以b开头的字符串

一分钟内请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'x-ca-key: b123456' -H 'Host: www.test.com'

响应头中x-ratelimit-limit为100（限制的总请求数），x-ratelimit-remaining为97（剩余还可以发送的请求数）s

4）*

请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'x-ca-key: 123456' -H 'Host: www.test.com'

Redis中的数据：

3）、limit_by_cookie和limit_by_per_cookie

wasmplugin.yam：

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    rule_name: default_rule
    rule_items:
      - limit_by_cookie: key1
        limit_keys:
          - key: value1
            query_per_minute: 10
          - key: value2
            query_per_hour: 100
      - limit_by_per_cookie: key1
        limit_keys:
          # 正则表达式，匹配以a开头的所有字符串，每个cookie中的value对应的请求10qds
          - key: "regexp:^a.*"
            query_per_second: 10
          # 正则表达式，匹配以b开头的所有字符串，每个cookie中的value对应的请求100qd
          - key: "regexp:^b.*"
            query_per_minute: 100
          # 兜底用，匹配所有请求，每个cookie中的value对应的请求1000qdh
          - key: "*"
            query_per_hour: 1000 
    rejected_code: 200
    rejected_msg: '{"code":-1,"msg":"Too many requests"}'
    redis:
      service_name: redis.static
    show_limit_quota_header: true  
  url: oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:0.0.68
  imagePullSecret: aliyun

1）根据第一个cookie进行限流

一分钟内请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'Host: www.test.com' -H 'Cookie: test=www.test.com;key1=value1'

响应头中x-ratelimit-limit为10（限制的总请求数），x-ratelimit-remaining为7（剩余还可以发送的请求数）

触发限流后：

2）根据第二个cookie限流

请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'Host: www.test.com' -H 'Cookie: test=www.test.com;key2=value1;key1=value2'

Redis中的数据：

3）正则表达式以b开头的字符串

一分钟内请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'Host: www.test.com' -H 'Cookie: test=www.test.com;key2=value1;key1=bbbb'

响应头中x-ratelimit-limit为100（限制的总请求数），x-ratelimit-remaining为97（剩余还可以发送的请求数）

4）*

请求三次：

curl -kvv -X GET 'http://localhost:8082/test' -H 'Host: www.test.com' -H 'Cookie: test=www.test.com;key2=value1;key1=helloworld'

Redis中的数据：

4）、limit_by_per_ip

wasmplugin.yam：

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    rule_name: default_rule
    rule_items:
      - limit_by_per_ip: from-header-x-forwarded-for
        limit_keys:
          # 精确ip
          - key: 1.1.1.1
            query_per_day: 10
          # ip段，符合这个ip段的ip，每个ip 100qpd
          - key: 1.1.1.0/24
            query_per_day: 100
          # 兜底用，即默认每个ip 1000qpd
          - key: 0.0.0.0/0
            query_per_day: 1000
    redis:
      service_name: redis.static
    show_limit_quota_header: true    
  url: oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:0.0.68
  imagePullSecret: aliyun

1）1.1.1.1

连续请求三次：

curl -kvv -X GET 'http://localhost:8082/test' \
-H 'Host: www.test.com' \
-H 'x-forwarded-for: 1.1.1.1,2.1.1.1'

响应头中x-ratelimit-limit为10（限制的总请求数），x-ratelimit-remaining为7（剩余还可以发送的请求数）

2）1.1.1.0/24

请求三次：

curl -kvv -X GET 'http://localhost:8082/test' \
-H 'Host: www.test.com' \
-H 'x-forwarded-for: 1.1.1.2,2.1.1.1'

Redis中的数据：

3）0.0.0.0/0

请求三次：

curl -kvv -X GET 'http://localhost:8082/test' \
-H 'Host: www.test.com' \
-H 'x-forwarded-for: 2.1.1.2,2.1.1.1'

Redis中的数据：

4）、limit_by_consumer和limit_by_per_consumer
Redis中key示例：

Ⅴ. Special notes for reviews

johnlanni · 2024-06-13T01:59:59Z

plugins/wasm-go/extensions/cluster-key-rate-limit/README.md

@@ -51,6 +52,12 @@ limit_keys:
  query_per_second: 10
 - key: a6a6d7f2-ba8a-11ec-bec2-00163e1250b5
  query_per_minute: 100
+  # 正则表达式，以b开头的所有字符串


这里会有歧义，是匹配到的所有统一限制1000，还是匹配到的每一个分别限制1000。

所以我建议增加新的配置项: limit_by_per_header, limit_by_per_param

用来表示匹配到的每一个分别限制这一含义。

这里会有歧义，是匹配到的所有统一限制1000，还是匹配到的每一个分别限制1000。

所以我建议增加新的配置项: limit_by_per_header, limit_by_per_param

用来表示匹配到的每一个分别限制这一含义。

好的，那应该就是limit_by_header和limit_by_param只支持精确匹配的，limit_by_per_header和limit_by_per_param只支持正则匹配和*的方式

可以的

已调整，目前支持以下几种方式：
limit_by_header、limit_by_param、limit_by_consumer、limit_by_cookie（匹配cookie中的key=value）支持精准匹配
limit_by_per_ip 支持按照ip和ip段配置
limit_by_peer_header、limit_by_peer_param、limit_by_peer_consumer、limit_by_per_cookie 支持正则匹配和*

johnlanni · 2024-06-14T06:21:22Z

plugins/wasm-go/extensions/cluster-key-rate-limit/README.md

-| redis                   | object          | 是                                                           | -                 | redis相关配置                                                |
+| 配置项                  | 类型   | 必填 | 默认值 | 说明                                                                                                                          |
+| ----------------------- | ------ | ---- | ------ |-----------------------------------------------------------------------------------------------------------------------------|
+| rule_name               | string | 是 | - | 限流规则名称，根据限流类型+限流规则名称+限流key对应的实际值来拼装redis key                                                                                |


支持下配置多个rule可以同时生效吧，现有的配置作为rules数组里的配置项

支持下配置多个rule可以同时生效吧，现有的配置作为rules数组里的配置项

将limit_by_*（共9种）和limit_keys调整到了rule_items中，拼接redis的key的方式调整为限流规则名称+限流类型+限流key名称+限流key对应的实际值，这样只需要外部配置一个rule_name即可

johnlanni

LGTM

hanxiantao added 7 commits May 26, 2024 09:05

feat: cluster rate limit by client ip

0f828be

feat: cluster key rate limit

6c07b58

Merge branch 'alibaba:main' into key-cluster-rate-limit

55b5c04

Merge branch 'main' into key-cluster-rate-limit

d91c337

simplify the redis configuration method

a335fc6

Merge branch 'alibaba:main' into key-cluster-rate-limit

484ad2d

cluster key rate limit enhancement

8ae7a1f

hanxiantao requested review from johnlanni, WeixinX and CH3CHO as code owners June 13, 2024 01:08

Update README.md

92670ca

johnlanni requested changes Jun 13, 2024

View reviewed changes

hanxiantao added 2 commits June 13, 2024 23:06

cluster key rate limit enhancement

66da298

Update README.md

fa0a76d

hanxiantao requested a review from johnlanni June 14, 2024 00:06

fix limit_by_per_consumer

cd8843a

johnlanni requested changes Jun 14, 2024

View reviewed changes

johnlanni and others added 3 commits June 14, 2024 14:23

Update README.md

f1e785d

support batch configuration of rate limiting rules

a485bf6

Update README.md

0df978a

hanxiantao requested a review from johnlanni June 15, 2024 08:13

hanxiantao added 3 commits June 15, 2024 21:17

Update README.md

75a2263

adjust the rules for construct redis keys

78e73f8

modify the comment

7a9d6e3

hanxiantao force-pushed the key-cluster-rate-limit branch from e3aae23 to 7a9d6e3 Compare June 15, 2024 15:24

Update README.md

e9d2c29

johnlanni approved these changes Jun 17, 2024

View reviewed changes

johnlanni merged commit 634de3f into alibaba:main Jun 17, 2024
6 checks passed

hanxiantao deleted the key-cluster-rate-limit branch June 17, 2024 07:41

hanxiantao mentioned this pull request Jul 17, 2024

Please consider to support tailor header value for key-rate-limit and cluster-key-rate-limit. #1128

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: cluster key rate limit enhancement #1036

feat: cluster key rate limit enhancement #1036

hanxiantao commented Jun 13, 2024 •

edited

Loading

johnlanni Jun 13, 2024

hanxiantao Jun 13, 2024

johnlanni Jun 13, 2024

hanxiantao Jun 14, 2024

johnlanni Jun 14, 2024

hanxiantao Jun 15, 2024 •

edited

Loading

johnlanni left a comment

feat: cluster key rate limit enhancement #1036

feat: cluster key rate limit enhancement #1036

Conversation

hanxiantao commented Jun 13, 2024 • edited Loading

Ⅰ. Describe what this PR did

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

johnlanni Jun 13, 2024

Choose a reason for hiding this comment

hanxiantao Jun 13, 2024

Choose a reason for hiding this comment

johnlanni Jun 13, 2024

Choose a reason for hiding this comment

hanxiantao Jun 14, 2024

Choose a reason for hiding this comment

johnlanni Jun 14, 2024

Choose a reason for hiding this comment

hanxiantao Jun 15, 2024 • edited Loading

Choose a reason for hiding this comment

johnlanni left a comment

Choose a reason for hiding this comment

hanxiantao commented Jun 13, 2024 •

edited

Loading

hanxiantao Jun 15, 2024 •

edited

Loading