Over a million developers have joined DZone.

HTTP request throttling/rate limiting in Zato

Learn how API management supports better integration in Achieving Enterprise Agility with Microservices and API Management, brought to you in partnership with 3scale

Imagine, or recall, a scenario. You integrate three applications, two client HTTP ones and the third is a backend one (no matter the technology).

All is well except client1 tends to send requests in bursts for no good reason and its developers just cannot tame it.

The backend app can't deal with it, they prefer a steady inflow of messages, and you're tasked with containing the issue.

In that situation you can take advantage of the fact that Zato uses an embedded instance of HAProxy as its load-balancer through which HTTP apps connect so you can fire up the GUI in config's source code view and add these lines to 'frontend front_http_plain'

# At most 10 concurrent connections from a client
acl too_fast fe_sess_rate ge 10

# Matches any path beginning with a given prefix
acl bursts_inclined path_beg -i /client1

# Effectively working as a delay mechanism for clients that are too fast
tcp-request inspect-delay 1000ms

# Fast-path - accept connection if it's not this troublesome client
tcp-request content accept unless bursts_inclined too_fast

# The very fast client gets here meaning they have to wait full inspect-delay
tcp-request content accept if WAIT_END

so the whole of if reads now:

frontend front_http_plain

    mode http
    default_backend bck_http_plain
    acl too_fast fe_sess_rate ge 10
    acl bursts_inclined path_beg -i /client1

    tcp-request inspect-delay 1000ms
    tcp-request content accept unless bursts_inclined too_fast
    tcp-request content accept if WAIT_END

    option httplog # ZATO frontend front_http_plain:option log-http-requests
    bind # ZATO frontend front_http_plain:bind
    maxconn 200 # ZATO frontend front_http_plain:maxconn

    monitor-uri /zato-lb-alive # ZATO frontend front_http_plain:monitor-uri

The GUI can be now used to validate and save the config:


There's a couple of assumptions

  • Instead of HAProxy 1.4, you use 1.5 (or later, but this is the latest version as of the time of this writing)
  • Each client accesses URLs beginning with a client-specific prefix - but this is a good idea anyway

Unleash the power of your APIs with future-proof API management - Create your account and start your free trial today, brought to you in partnership with 3scale.


The best of DZone straight to your inbox.

Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}