PingAccess

Adding rate limiting rules

Add a rate limiting rule to prevent a client from overloading the server with too many requests in a specified period of time.

About this task

This rule uses a token bucket to control the number of incoming requests.

The configuration defines a number of requests and an interval that must elapse between requests. The allowed number of requests within the time window is controlled by the Max Burst Requests setting, which is visible when you click Show Advanced. For example, if the Max Burst Requests value is 1, two requests are allowed in the request interval, one normal request and one burst request.

If a request wasn’t received, the number of allowed requests is incremented by one at the end of each Request Interval. This continues until the number of allowed requests equals the Max Burst Requests value.

Using the rate limiting rule in a clustered PingAccess environment can impose stricter clock synchronization requirements for requests processed by multiple engine nodes. Alternatively, you can configure a load balancer sitting in front of a PingAccess cluster to stick the session to a specific engine, ensuring that the rate limiting rule is applied by a single PingAccess engine node. For more information, see Configuring load balancing strategies.

Steps

  1. Click Access and then go to Rules → Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. In the Type list, select Rate Limiting.

  5. Select a Policy Granularity, as defined in the following table.

    Policy Granularity Definition

    Resource

    Restricts the rate of requests based on the resource requested.

    Identity

    Restricts the rate of requests to the identity associated with the current authentication token, such as a PingAccess cookie or an OAuth token. This is the default value.

    IP

    Restricts the number of requests based on the source Internet Protocol (IP) address. The IP address used to apply this policy comes from the HTTP request’s IP source configuration options, or any options that override that configuration, if those options are configured.

    OAuth Client

    Restricts the number of requests to all OAuth tokens obtained by a specific Client ID.

    If you select OAuth Client as the policy granularity for a rate limiting rule, the rule will not work if it’s applied to a web application.

  6. Define, in milliseconds, a Request Interval.

  7. Optional: Click Show Advanced Settings to configure advanced options:

    Advanced Setting Description

    Max Burst Requests

    If more than one request should be allowed in a request interval, enter the number of requests to allow in the Max Burst Requests field.

    PingAccess increases the number of available requests only after a request interval that serves no requests to the client. As a result, in the period following a cycle where the remaining allowed burst requests is reduced to 0, no burst requests are allowed, regardless of this setting.

    Set Retry-After Header

    If PingAccess should reply to the client with a Retry-After header instructing the client to wait for a period of time, select the Set Retry-After Header check box.

  8. Click Save.