
Rate-Limit an API (spring MVC)

I'm looking for the best, most efficient way to implement (or use an already set-up) rate limiter that would protect all my REST API URLs. The protection I'm looking at is a "calls per second per user" limiter.

I had a look on the net and what comes out was the use of either "Redis" or Guava RateLimiter.

To be honest I have never used Redis and I am really not familiar with it. But by looking at its docs it seems that it has a quite robust rate limiter system.

I have also had a look at Guava's RateLimiter, and it looks a bit easier to use (no need for a Redis installation etc.).

So I would like some suggestion of what would be "in my case" the best solution? Is using Redis "too much"?

Have any of you already tried RateLimiter? Is this a good solution? Is it scalable?

PS: I am also open to other solutions than the two I mentioned above if you think there are better choices.

Thank you!

Johny19 asked Dec 22 '14 01:12


3 Answers

If you are trying to limit access to your Spring-based REST API you should use a token-bucket algorithm.

There is the bucket4j-spring-boot-starter project, which uses the bucket4j library to rate-limit access to the REST API. You can configure it via the application properties file. There is an option to limit the access based on IP address or username.

If you are using Netflix Zuul you could use Spring Cloud Zuul RateLimit which uses different storage options: Consul, Redis, Spring Data and Bucket4j.

Lukasz R. answered Sep 23 '22 11:09


Guava's RateLimiter blocks the current thread, so if there's a burst of asynchronous calls against the throttled service, lots of threads will be blocked and this might result in exhaustion of free threads.

Perhaps the Spring-based library Kite meets your needs. Kite's "rate-limiting throttle" rejects requests after the principal reaches a configurable limit on the number of requests in some time period. The rate limiter uses Spring Security to determine the principal involved.

But Kite is still a single-JVM approach. If you do need a cluster-aware approach, Redis is the way to go.

Roman Sinyakov answered Sep 19 '22 11:09


There is no hard rule; it totally depends on your specific situation. Given that "I have never used Redis", I would recommend Guava RateLimiter. Compared to Redis, a completely new NoSQL system for you, Guava RateLimiter is much easier to get started with. By adding a few lines of code, you are able to distribute permits at a configurable rate. What is left to do is to adapt it to fit your needs, like providing a rate limit on a per-user basis.

Septem answered Sep 19 '22 11:09
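Added example, not code from any of the answers above: a non-blocking per-user token bucket wired in as a Spring MVC interceptor, illustrating both the token-bucket approach from the first answer and the "adapt it per user" step from the last one. The class and field names are assumptions made for this example; it keeps state in one JVM, exactly as the Guava and Kite approaches do.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/** Per-user token bucket; the names here are assumptions for this example. */
public class PerUserRateLimitInterceptor extends HandlerInterceptorAdapter {
    /** One bucket per principal: refills at ratePerSecond, never above capacity. */
    static final class Bucket {
        private final double capacity, ratePerSecond;
        private double tokens;
        private long lastRefillNanos;

        Bucket(double capacity, double ratePerSecond) {
            this.capacity = capacity;
            this.ratePerSecond = ratePerSecond;
            this.tokens = capacity;
            this.lastRefillNanos = System.nanoTime();
        }
        /** Non-blocking: rejects instead of parking the thread like Guava's acquire() does. */
        synchronized boolean tryConsume() {
            long now = System.nanoTime();
            tokens = Math.min(capacity, tokens + (now - lastRefillNanos) / 1e9 * ratePerSecond);
            lastRefillNanos = now;
            if (tokens < 1.0) return false;
            tokens -= 1.0;
            return true;
        }
    }

    // Single-JVM state, so like Guava it is not cluster-aware; keys are never evicted here.
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
    private final double capacity, ratePerSecond;
    public PerUserRateLimitInterceptor(double capacity, double ratePerSecond) {
        this.capacity = capacity;
        this.ratePerSecond = ratePerSecond;
    }
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) {
        // Key on the authenticated principal; anonymous callers share a bucket by remote address.
        String key = req.getUserPrincipal() != null ? req.getUserPrincipal().getName() : req.getRemoteAddr();
        Bucket bucket = buckets.computeIfAbsent(key, k -> new Bucket(capacity, ratePerSecond));
        if (bucket.tryConsume()) return true;
        res.setStatus(429); // Too Many Requests: caller should retry once the bucket refills
        res.setHeader("Retry-After", "1");
        return false;
    }
}
```

Register it through `addInterceptors` in your `WebMvcConfigurerAdapter` (or `WebMvcConfigurer` on newer Spring) with something like `new PerUserRateLimitInterceptor(10, 5)` for a burst of 10 and 5 calls per second per user. In production, evict idle keys from the map (or move the bucket state to Redis, as the second answer says) so the per-user map cannot grow without bound.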