You are viewing documentation for an older version of this plugin.
Configuration
This plugin is partially compatible with DB-less mode.
The `cluster` strategy is not supported in DB-less and hybrid modes. For Kong Gateway in DB-less or hybrid mode, the `redis` strategy is the only available option to configure the plugin with a central data store.
Note: We recommend setting `namespace` to a static value in DB-less mode. The `namespace` will be regenerated on every configuration change if not explicitly set, resetting counters to zero.
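Compatible protocols
The Rate Limiting Advanced plugin is compatible with the following protocols:
`grpc`, `grpcs`, `http`, `https`
Parameters
The following is a list of all the parameters that can be used in this plugin's configuration.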
- name or plugin
  string required
  The name of the plugin, in this case `rate-limiting-advanced`.
  - If using the Kong Admin API, Kong Konnect API, declarative configuration, or decK files, the field is `name`.
  - If using the KongPlugin object in Kubernetes, the field is `plugin`.
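- instance_name
  string
  An optional custom name to identify an instance of the plugin, for example `rate-limiting-advanced_my-service`.
  The instance name is shown in Kong Manager and Konnect, so it is useful when running the same plugin in multiple contexts, for example on multiple services. It can also be used to access a specific plugin instance through the Kong Admin API.
  The instance name must be unique within the following contexts:
  - Within a workspace for Kong Gateway Enterprise
  - Within a control plane (CP) or control plane (CP) group for Konnect
  - Globally for Kong Gateway (OSS)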
- service.name or service.id
  string
  The name or ID of the service the plugin targets. Set one of these parameters if adding the plugin to a service through the top-level `/plugins` endpoint. Not required if using `/services/{serviceName|Id}/plugins`.
- route.name or route.id
  string
  The name or ID of the route the plugin targets. Set one of these parameters if adding the plugin to a route through the top-level `/plugins` endpoint. Not required if using `/routes/{routeName|Id}/plugins`.
- consumer.name or consumer.id
  string
  The name or ID of the consumer the plugin targets. Set one of these parameters if adding the plugin to a consumer through the top-level `/plugins` endpoint. Not required if using `/consumers/{consumerName|Id}/plugins`.
- enabled
  boolean default: `true`
  Whether this plugin will be applied.
- config
  record required
  - identifier
    string required default: `consumer`
    Must be one of: `ip`, `credential`, `consumer`, `service`, `header`, `path`
    The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, or `path`.
  - window_size
    array of type `number` required
    One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.
  - window_type
    string default: `sliding`
    Must be one of: `fixed`, `sliding`
    Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range; each request is mapped to only one fixed window based on its timestamp and will affect only that window’s counters. For more information refer to the Enterprise Rate Limiting Library Overview.
  - limit
    array of type `number` required
    One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.
  - sync_rate
    number
    How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).
  - namespace
    string required
    The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. This value should be unique between every instance of a plugin in most configurations.
    If you use the same `namespace` value for multiple instances of the plugin, the rate limit will be shared between all instances. For example, if you set `namespace: helloworld` when adding the rate limiting plugin to `service-a` and use the same namespace on `service-b`, a request to either service will increment the counter for the caller. This allows you to share rate limits between services.
    Important: If managing Kong Gateway with declarative configuration or running Kong Gateway in DB-less mode, set the `namespace` explicitly in your declarative configuration.
    If not set, you will run into the following issues:
    - In DB-less mode, this field will be regenerated automatically on every configuration change.
    - If applying declarative configuration with decK, decK will automatically fail the update and require a `namespace` value.
  - strategy
    string required default: `local`
    Must be one of: `cluster`, `redis`, `local`
    The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are:
    - `local`: Counters are stored locally in-memory on the node (same effect as setting `sync_rate` to `-1`).
    - `cluster`: Counters are stored in the Kong datastore and shared across the nodes.
    - `redis`: Counters are stored on a Redis server and shared across the nodes.
    In DB-less, hybrid mode, and Konnect, the `cluster` config strategy is not supported.
    From `3.0.0.0` onwards, Kong disallows the plugin enablement if the strategy is `cluster` and `sync_rate` is `-1` with DB-less or hybrid mode. From `3.2.0.0` onward, please use a different strategy or set `sync_rate` to `-1`. For details on which strategy should be used, refer to the implementation considerations.
  - dictionary_name
    string required default: `kong_rate_limiting_counters`
    The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn’t `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.
  - hide_client_headers
    boolean default: `false`
    Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters as described in the paragraph Headers sent to the client. Available options: `true` or `false`.
  - retry_after_jitter_max
    number default: `0`
    The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.
  - header_name
    string
    Header name to use as the rate limit key when `config.identifier` is configured with the value `header`. Ignored when `config.identifier` is not `header`.
  - path
    string starts_with: `/`
    Request path to use as the rate limit key when `config.identifier` is configured with the value `path`. Ignored when `config.identifier` has any other value.
  - redis
    record required
    - host
      string
      Host to use for Redis connection when the `redis` strategy is defined. This parameter accepts a hostname or an IP address as a value.
    - port
      integer between: `0` and `65535`
      Specifies the Redis server port when using the `redis` strategy. Must be a value between 0 and 65535. Default: 6379.
    - timeout
      integer default: `2000` between: `0` and `2147483646`
      Connection timeout (in milliseconds) to use for Redis connection when the `redis` strategy is defined. This field is deprecated and replaced with `redis.connect_timeout`, `redis.send_timeout`, and `redis.read_timeout`. The `redis.timeout` field will continue to work in a backwards compatible way, but it is recommended to use the replacement fields. If set to something other than the default, a deprecation warning will be logged in the log file, stating the field’s deprecation and planned removal in v3.x.x.
    - connect_timeout
      integer between: `0` and `2147483646`
      Connection timeout to use for Redis connection when the `redis` strategy is defined.
    - send_timeout
      integer between: `0` and `2147483646`
      Send timeout to use for Redis connection when the `redis` strategy is defined.
    - read_timeout
      integer between: `0` and `2147483646`
      Read timeout to use for Redis connection when the `redis` strategy is defined.
    - username
      string referenceable
      Username to use for Redis connection when the `redis` strategy is defined and ACL authentication is desired. If undefined, ACL authentication will not be performed. This requires Redis v6.0.0+. The username cannot be set to `default`.
    - password
      string referenceable encrypted
      Password to use for Redis connection when the `redis` strategy is defined. If undefined, no AUTH commands are sent to Redis.
    - sentinel_username
      string referenceable
      Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication will not be performed. This requires Redis v6.2.0+.
    - sentinel_password
      string referenceable encrypted
      Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
    - database
      integer default: `0`
      Database to use for Redis connection when the `redis` strategy is defined.
    - keepalive_pool_size
      integer default: `30` between: `1` and `2147483646`
      The size limit for every cosocket connection pool associated with every remote server, per worker process. If no `keepalive_pool_size` is specified and no `keepalive_backlog` is specified, no pool is created. If no `keepalive_pool_size` is specified and `keepalive_backlog` is specified, then the pool uses the default value `30`.
    - keepalive_backlog
      integer between: `0` and `2147483646`
      If specified, limits the total number of opened connections for a pool. If the connection pool is full, all connection queues beyond the maximum limit go into the backlog queue. Once the backlog queue is full, subsequent connect operations will fail and return `nil`. Queued connect operations resume once the number of connections in the pool is less than `keepalive_pool_size`. Note that queued connect operations are subject to set timeouts.
    - sentinel_master
      string
      Sentinel master to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.
    - sentinel_role
      string Must be one of: `master`, `slave`, `any`
      Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Available options: `master`, `slave`, `any`.
    - sentinel_addresses
      array of type `string` len_min: `1`
      Sentinel addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel. Each string element must consist of a hostname (or IP address) and port. The minimum length of the array is 1 element.
    - cluster_addresses
      array of type `string` len_min: `1`
      Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis cluster. Each string element must consist of a hostname (or IP address) and port. The minimum length of the array is 1 element.
    - ssl
      boolean default: `false`
      If set to true, then uses SSL to connect to Redis.
    - ssl_verify
      boolean default: `false`
      If set to true, then verifies the validity of the server SSL certificate. Note that you need to configure the `lua_ssl_trusted_certificate` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.
    - server_name
      string
      Specifies the server name for the new TLS extension Server Name Indication (SNI) when connecting over SSL.
  - enforce_consumer_groups
    boolean default: `false`
    Set to `true` to enable `consumer_groups`, which allows the settings from one of the allowed consumer groups to override the given plugin configuration.
  - consumer_groups
    array of type `string`
    List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.
  - disable_penalty
    boolean default: `false`
    If set to `true`, this doesn’t count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.
  - error_code
    number default: `429`
    Set a custom error code to return when the rate limit is exceeded.
  - error_message
    string default: `API rate limit exceeded`
    Set a custom error message to return when the rate limit is exceeded.
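As an added example (not part of the Kong documentation or the plugin's own code), the following Python check applies the constraints stated in the parameter descriptions above to a plugin `config` before it is deployed: matching `window_size` and `limit` lengths, an explicit `namespace` and no `cluster` strategy in DB-less mode, the `sync_rate` minimum, and the Redis authentication and SSL settings. The function name `lint_rla_config`, the `dbless` flag and the sample values are assumptions made for illustration.

```python
# Added example: lint a rate-limiting-advanced `config` against the rules on this page.
IDENTIFIERS = {"ip", "credential", "consumer", "service", "header", "path"}
STRATEGIES = {"cluster", "redis", "local"}

def lint_rla_config(config, dbless=True):
    """Return a list of findings; an empty list means none of the checks fired."""
    out = []
    sizes, limits = config.get("window_size") or [], config.get("limit") or []
    if not sizes or len(sizes) != len(limits):
        out.append("window_size and limit must both be set, with matching lengths")
    ident = config.get("identifier", "consumer")
    if ident not in IDENTIFIERS:
        out.append(f"identifier {ident!r} is not an allowed value")
    if ident == "header" and not config.get("header_name"):
        out.append("identifier=header needs header_name")
    if ident == "path" and not str(config.get("path") or "").startswith("/"):
        out.append("identifier=path needs a path starting with /")
    strategy = config.get("strategy", "local")
    if strategy not in STRATEGIES:
        out.append(f"strategy {strategy!r} is not an allowed value")
    if strategy == "cluster" and dbless:
        out.append("cluster strategy is not supported in DB-less mode")
    if dbless and not config.get("namespace"):
        out.append("namespace unset: regenerated on each config change, counters reset")
    rate = config.get("sync_rate")
    if rate is not None and rate not in (0, -1) and rate < 0.02:
        out.append("sync_rate must be 0, -1, or at least 0.02 seconds")
    if config.get("enforce_consumer_groups") and not config.get("consumer_groups"):
        out.append("enforce_consumer_groups=true needs consumer_groups")
    if strategy == "redis":
        redis = config.get("redis") or {}
        if not redis.get("password"):
            out.append("redis.password unset: no AUTH command is sent to Redis")
        if not redis.get("ssl"):
            out.append("redis.ssl is false: the Redis connection does not use SSL")
        elif not redis.get("ssl_verify"):
            out.append("redis.ssl_verify is false: server certificate not verified")
    return out

# Constructed sample configs; host, namespace and secret values are placeholders.
WEAK = {"window_size": [60, 3600], "limit": [100], "strategy": "redis",
        "sync_rate": 0.01, "redis": {"host": "redis.example.internal", "port": 6379}}
HARDENED = dict(WEAK, limit=[100, 2000], namespace="orders-api", sync_rate=1,
                redis={"host": "redis.example.internal", "port": 6379,
                       "password": "PLACEHOLDER_SECRET", "ssl": True, "ssl_verify": True})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_rla_config(cfg))
```

Pass `dbless=False` when the gateway runs with a database, which skips the DB-less-specific `namespace` and `cluster` checks.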