Over a million developers have joined DZone.

HTTP request throttling/rate limiting in Zato

DZone's Guide to

HTTP request throttling/rate limiting in Zato

· Integration Zone ·
Free Resource

WSO2 is the only open source vendor to be named a leader in The Forrester Wave™: API Management Solutions, Q4 2018 Report. Download the report now or try out our product for free.

Imagine, or recall, a scenario. You integrate three applications, two client HTTP ones and the third is a backend one (no matter the technology).

All is well except client1 tends to send requests in bursts for no good reason and its developers just cannot tame it.

The backend app can't deal with it, they prefer a steady inflow of messages, and you're tasked with containing the issue.

In that situation you can take advantage of the fact that Zato uses an embedded instance of HAProxy as its load-balancer through which HTTP apps connect so you can fire up the GUI in config's source code view and add these lines to 'frontend front_http_plain'

# At most 10 concurrent connections from a client
acl too_fast fe_sess_rate ge 10

# Matches any path beginning with a given prefix
acl bursts_inclined path_beg -i /client1

# Effectively working as a delay mechanism for clients that are too fast
tcp-request inspect-delay 1000ms

# Fast-path - accept connection if it's not this troublesome client
tcp-request content accept unless bursts_inclined too_fast

# The very fast client gets here meaning they have to wait full inspect-delay
tcp-request content accept if WAIT_END

so the whole of if reads now:

frontend front_http_plain

    mode http
    default_backend bck_http_plain
    acl too_fast fe_sess_rate ge 10
    acl bursts_inclined path_beg -i /client1

    tcp-request inspect-delay 1000ms
    tcp-request content accept unless bursts_inclined too_fast
    tcp-request content accept if WAIT_END

    option httplog # ZATO frontend front_http_plain:option log-http-requests
    bind # ZATO frontend front_http_plain:bind
    maxconn 200 # ZATO frontend front_http_plain:maxconn

    monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri

The GUI can be now used to validate and save the config:


There's a couple of assumptions

  • Instead of HAProxy 1.4, you use 1.5 (or later, but this is the latest version as of the time of this writing)
  • Each client accesses URLs beginning with a client-specific prefix - but this is a good idea anyway

IAM is now more than a security project. It’s an enabler for an integration agile enterprise. If you’re currently evaluating an identity solution or exploring IAM, join this webinar.


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}