News KrakenD CE v2.7 released with better rate-limiting and security options

Community Documentation

Recent changes

You are viewing a previous version of KrakenD Community Edition (v2.3) , go to the latest version

Rate-limiting backends

Document updated on May 2, 2021

No matter what is the amount of activity the users are generating at the router level, you might want to restrict the connections KrakenD makes to your backends. Configuration is similar to the router’s one, but it’s declared directly in the backend section instead of the endpoint.

This parameter is defined at the krakend.json configuration file as follows:

      "endpoint": "/products/{cat_id}",
      "backend": [
          "host": [""],
          "url_pattern": "/catalog/category/{cat_id}.rss",
          "encoding": "rss",
          "extra_config": {
              "qos/ratelimit/proxy": {
                  "max_rate": 0.5,
                  "capacity": 1

These are two parameters you can set:

Fields of Proxy ratelimit
* required fields
capacity  *

The capacity according to the token bucket algorithm with a bucket capacity == tokens added per second so KrakenD is able to allow some bursting on the request rates. Recommended value is capacity == max_rate.
Defaults to 1
max_rate  *

Maximum requests per second you want to accept in this backend. Use decimals for per-hour and per-minute strategies.
Example: 0.5

Comparison of max_rate vs client_max_rate

The max_rate (available both in router and proxy layers) is an absolute number where you have the exact control over how much traffic you are allowing to hit the backend or endpoint. In an eventual DDoS, the max_rate can help in a way since it won’t accept more traffic than allowed. But on the other hand a single host could abuse the system taking a big percentage of that quota.

The client_max_rate is a limit per client and it won’t help you if you just want to control the total traffic, as the total traffic supported by the backend or endpoint depends on the number of different requesting clients. A DDoS will then happily pass through, but on the other hand, you can keep any particular abuser limited to its quota.

Depending on your use case you will need to decide if you use one, the other, the two, or none of them.


Unresolved issues?

The documentation is only a piece of the help you can get! Whether you are looking for Open Source or Enterprise support, see more support channels that can help you.