I wanted to throttle incoming requests to my Phoenix application. This is my note about how to set up a rate limiter in a Phoenix app.
As I google, there is a nice library ExRated for setting up the rake limiter. The library does all the heavy lifting and abstract them away. All I need was to implement a plug.
Get started
defmodule Mnishiguchi.MixProject do
use Mix.Project
...
def application do
[
mod: {Mnishiguchi.Application, []},
- extra_applications: [:logger, :runtime_tools]
+ extra_applications: [:logger, :runtime_tools, :ex_rated]
]
end
...
defp deps do
[
...
+ {:ex_rated, "~> 2.0"}
]
end
Implement a plug
ExRated recommends reading this blog post Rate Limiting a Phoenix API by danielberkompas.
The article is a bit old but I was able to get the sense of how it works and what I should do. Here is what my RateLimitPlug ended up with.
For those unfamiliar with Plug, Phoenix has a nice documentation about it.
defmodule MnishiguchiWeb.API.RateLimitPlug do
@moduledoc false
import Plug.Conn, only: [put_status: 2, halt: 1]
import Phoenix.Controller, only: [render: 2, put_view: 2]
require Logger
@doc """
A function plug that does the rate limiting.
## Examples
# In a controller
import MnishiguchiWeb.API.RateLimitPlug, only: [rate_limit: 2]
plug :rate_limit, max_requests: 5, interval_seconds: 10
"""
def rate_limit(conn, opts \\ []) do
case check_rate(conn, opts) do
{:ok, _count} ->
conn
error ->
Logger.info(rate_limit: error)
render_error(conn)
end
end
defp check_rate(conn, opts) do
interval_ms = Keyword.fetch!(opts, :interval_seconds) * 1000
max_requests = Keyword.fetch!(opts, :max_requests)
ExRated.check_rate(bucket_name(conn), interval_ms, max_requests)
end
# Bucket name should be a combination of IP address and request path.
defp bucket_name(conn) do
path = Enum.join(conn.path_info, "/")
ip = conn.remote_ip |> Tuple.to_list() |> Enum.join(".")
# E.g., "127.0.0.1:/api/v1/example"
"#{ip}:#{path}"
end
defp render_error(conn) do
# Using 503 because it may make attacker think that they have successfully DOSed the site.
conn
|> put_status(:service_unavailable)
|> put_view(MnishiguchiWeb.ErrorView)
|> render(:"503")
# Stop any downstream transformations.
|> halt()
end
end
I decided to respond with 503 service unavailable when I read this in a Ruby library Rack Attack's README and thought it a good idea.
I use it in a controller like below. Since my API accepts data from a sensor every second, I set my rate limit to 10 requests for 10 seconds.
defmodule MnishiguchiWeb.ExampleController do
use MnishiguchiWeb, :controller
import MnishiguchiWeb.API.RateLimitPlug, only: [rate_limit: 2]
...
plug :rate_limit, max_requests: 10, interval_seconds: 10
...
Writing test
When the rate limit is one time for one minute, first request is good but second one immediately after that would be an error. After every test case, we will erase data in ExRated gen server.
defmodule MnishiguchiWeb.API.RateLimitPlugTest do
use MnishiguchiWeb.ConnCase, async: true
alias MnishiguchiWeb.API.RateLimitPlug
@path "/"
@rate_limit_options [max_requests: 1, interval_seconds: 60]
setup do
bucket_name = "127.0.0.1:" <> @path
on_exit(fn ->
ExRated.delete_bucket(bucket_name)
end)
end
describe "rate_limit" do
test "503 Service Unavailable when beyond limit", %{conn: _conn} do
conn1 =
build_conn()
|> bypass_through(MnishiguchiWeb.Router, :api)
|> get(@path)
|> RateLimitPlug.rate_limit(@rate_limit_options)
refute conn1.halted
conn2 =
build_conn()
|> bypass_through(MnishiguchiWeb.Router, :api)
|> get(@path)
|> RateLimitPlug.rate_limit(@rate_limit_options)
assert conn2.halted
assert json_response(conn2, 503) == "Service Unavailable"
end
end
end
That's it!
Top comments (2)
@mnishiguchi Is there a way to rate limiting per user and count requests in an api with ExRated?
According to the documentation, you can have as many buckets as you need so I guess it is possible just including user id in bucket name.