Rate Limiting With Client IP in Spring Cloud Gateway
Last updated: January 8, 2024
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Distributed systems often come with complex challenges such as service-to-service communication, state management, asynchronous messaging, security, and more.
Dapr (Distributed Application Runtime) provides a set of APIs and building blocks to address these challenges, abstracting away infrastructure so we can focus on business logic.
In this tutorial, we'll focus on Dapr's pub/sub API for message brokering. Using its Spring Boot integration, we'll simplify the creation of a loosely coupled, portable, and easily testable pub/sub messaging system:
1. Introduction
In this quick tutorial, we’ll see how to limit the rate of incoming requests based on the client’s actual IP address for our Spring Cloud Gateway.
In short, we’ll set up the RequestRateLimiter filter on a route, then we’ll configure the gateway to use the IP address for limiting requests by unique clients.
2. Route Configuration
First, we need to configure Spring Cloud Gateway to rate limit a specific route. For this, we’ll use a classic token-bucket rate limiter implemented by spring-boot-starter-data-redis-reactive. In short, the rate limiter creates a bucket with an associated key that identifies itself and a fixed initial capacity of tokens that get replenished over time. Then, for each request, the rate limiter checks its related bucket and reduces a token if possible. Otherwise, it denies the incoming request.
As we’re working with distributed systems, we might want to keep track of all the incoming requests across all the instances of our application. For this reason, having a distributed cache system is convenient for storing the bucket’s information. In this case, we pre-configured a Redis instance to simulate a real-world application.
Next, we’ll configure a route with a rate limiter. We’ll listen to the /example endpoint and forward the request to http://example.org:
@Bean
public RouteLocator myRoutes(RouteLocatorBuilder builder) {
return builder.routes()
.route("requestratelimiter_route", p -> p
.path("/example")
.filters(f -> f.requestRateLimiter(r -> r.setRateLimiter(redisRateLimiter())))
.uri("http://example.org"))
.build();
}Above, we configure the route with a RequestRateLimiter by using the .setRateLimiter() method. In particular, we define the RedisRateLimiter bean through the method redisRatelimiter() to manage the state for our rate limiter:
@Bean
public RedisRateLimiter redisRateLimiter() {
return new RedisRateLimiter(1, 1, 1);
}As an illustration, we configure the rate limit with all replenishRate, burstCapacity, and requestedToken attributes set to 1. This makes it easy to call the /example endpoint multiple times and to get back the HTTP 429 response code.
3. The KeyResolver Bean
To work correctly, the rate limiter must identify each client hitting the endpoint through a key. Underneath, the key identifies the bucket the rate limiter will use to consume tokens for each request. So, we want the key to be unique for each client. In this case, we’ll use the client’s IP address to monitor their requests and limit them if they make too many requests.
So, the RequestRateLimiter we configured previously will use a KeyResolver bean that allows pluggable strategies to derive the key for limiting requests. This means we can configure how the key is extracted from each request.
4. Client’s IP Address in KeyResolver
Currently, there is no default implementation for this interface, so we must define one, keeping in mind that we want the client’s IP address:
@Component
public class SimpleClientAddressResolver implements KeyResolver {
@Override
public Mono<String> resolve(ServerWebExchange exchange) {
return Optional.ofNullable(exchange.getRequest().getRemoteAddress())
.map(InetSocketAddress::getAddress)
.map(InetAddress::getHostAddress)
.map(Mono::just)
.orElse(Mono.empty());
}
}We’re using the ServerWebExchange object to extract the client’s IP address. If we can’t get the IP address, we’ll return Mono.empty() to signal this to the rate limiter and deny the request by default. However, we can configure the rate limiter to allow requests when the KeyResolver returns an empty key by setting .setDenyEmptyKey() to false. Moreover, we can also have a different KeyResolver for each different route by providing a custom KeyResolver implementation to the .setKeyResolver() method:
builder.routes()
.route("ipaddress_route", p -> p
.path("/example2")
.filters(f -> f.requestRateLimiter(r -> r.setRateLimiter(redisRateLimiter())
.setDenyEmptyKey(false)
.setKeyResolver(new SimpleClientAddressResolver())))
.uri("http://example.org"))
.build();4.1. Originating IP Address When Behind a Proxy
The previously defined implementation works if Spring Cloud Gateway listens directly to the client’s request. However, if we deploy the application behind a proxy, all the host addresses will be the same. Therefore, the rate limiter will see all requests as coming from the same client and limit the number of requests it can handle.
To solve this problem, we rely on the X-Forwarded-For header to identify the originating IP address of a client connecting through a proxy server. For example, let’s configure the KeyResolver so it can read the originating IP address:
@Primary
@Component
public class ProxyClientAddressResolver implements KeyResolver {
@Override
public Mono<String> resolve(ServerWebExchange exchange) {
XForwardedRemoteAddressResolver resolver = XForwardedRemoteAddressResolver.maxTrustedIndex(1);
InetSocketAddress inetSocketAddress = resolver.resolve(exchange);
return Mono.just(inetSocketAddress.getAddress().getHostAddress());
}
}We are passing the value 1 to maxTrustedIndex(), assuming we only have one proxy server. Otherwise, the value must be set accordingly. Further, we annotate this KeyResolver with @Primary to give it precedence over the previous implementation.
5. Conclusion
In this article, we configured an API rate limiter based on the client’s IP address. First, we configured a route with a token-bucket rate limiter. Then, we explored how the KeyResolver identifies the bucket used for each request. Finally, we explored strategies for assigning the client’s IP address through the KeyResolver when hitting our API directly or when it is deployed behind a proxy.
