Add a rate limiting rule to keep a client from overloading the server with too many requests in a specified period of time.
The implementation of this rule uses a token bucket to control the number of incoming requests.
The configuration defines a number of requests and an interval that must elapse
between requests. The allowed number of requests within the time window is
controlled by the Max Burst Requests setting, which is
visible when you click Show Advanced. For example, if the
Max Burst Requests value is
requests are allowed in the request interval — one normal request, and one burst
If a request was not received, the number of allowed requests is incremented by one at the end of each Request Interval. This continues until the number of allowed requests equals the value defined by the Max Burst Requests setting.
Using the rate limiting rule in a clustered PingAccess environment can impose stricter clock synchronization requirements for requests processed by multiple engine nodes. Alternatively, you can configure a load balancer sitting in front of a PingAccess cluster to stick the session to a specific engine, ensuring that the rate limiting rule is applied by a single PingAccess engine node.
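The refill behaviour described above can be checked with a small single-node model. This is an added example, not PingAccess code: the class and function names, the alignment of intervals to t = 0, and the Retry-After value (seconds until the next interval starts) are assumptions.

```python
import math

class IntervalLimiter:
    """Model of the refill rule described on this page (assumed, not PingAccess code)."""

    def __init__(self, interval_ms, max_burst=0):
        self.interval_ms = interval_ms   # Request Interval
        self.max_burst = max_burst       # Max Burst Requests
        self.burst_left = max_burst      # burst requests still available
        self.window = 0                  # index of the current interval
        self.served = 0                  # requests served in the current interval

    def _advance(self, now_ms):
        target = now_ms // self.interval_ms
        if target > self.window:
            # Only intervals in which no request arrived give a burst request back.
            idle = (target - self.window - 1) + (1 if self.served == 0 else 0)
            self.burst_left = min(self.max_burst, self.burst_left + idle)
            self.window, self.served = target, 0

    def allow(self, now_ms):
        """Return (allowed, retry_after_seconds) for a request at now_ms."""
        self._advance(now_ms)
        if self.served == 0:             # the one normal request per interval
            self.served = 1
            return True, 0
        if self.burst_left > 0:          # spend a burst request
            self.burst_left -= 1
            self.served += 1
            return True, 0
        wait_ms = (self.window + 1) * self.interval_ms - now_ms
        return False, math.ceil(wait_ms / 1000)  # Retry-After counts whole seconds

def replay(timestamps_ms, interval_ms, max_burst):
    """Run a sorted list of request times (ms) from one client through the model."""
    limiter = IntervalLimiter(interval_ms, max_burst)
    return [limiter.allow(t) for t in timestamps_ms]

# Constructed traffic from one client: 1000 ms interval, Max Burst Requests = 1.
SAMPLE = [0, 100, 200, 1000, 1100, 3000, 3100, 3200]

if __name__ == "__main__":
    for t, (ok, retry) in zip(SAMPLE, replay(SAMPLE, 1000, 1)):
        verdict = "allow" if ok else "reject, Retry-After: %d" % retry
        print("t=%5d ms  %s" % (t, verdict))
```

In the sample, the request at 1100 ms is rejected even though Max Burst Requests is 1, because the preceding interval was busy and returned no burst request; the burst is available again at 3100 ms only after the idle interval starting at 2000 ms.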
- Click Access and then go to .
- Click + Add Rule.
In the Name field, enter a unique name, up to 64
Special characters and spaces are allowed.
- From the Type list, select Rate Limiting.
Select a Policy Granularity, as defined in the following
Policy Granularity Definition
Restricts the rate of requests based on the resource requested.
Restricts the rate of requests to the identity associated with the current authentication token, such as a PingAccess cookie or an OAuth token. This is the default value.
Restricts the number of requests based on the source IP address. The IP address used to apply this policy comes from the HTTP request's IP Source configuration options, or options that override that configuration, if those options are configured.
Restricts the number of requests to all OAuth tokens obtained by a specific Client ID.
Note: If you select OAuth Client as the policy granularity for a rate limiting rule, the rule will not work if it's applied to a
- Enter, in milliseconds, a Request Interval.
Click Show Advanced Settings to configure advanced
If more than 1 request should be allowed in a request interval, enter the number of requests to allow in the Max Burst Requests field.
Note: PingAccess increases the number of available requests only after a request interval that serves no requests to the client. As a result, in the period following a cycle where the number of remaining allowed burst requests is reduced to 0, no burst requests are allowed, regardless of this setting.
If PingAccess should reply to the client with a Retry-After header instructing the client to wait for a period of time, select the Set Retry-After Header option.
To configure rejection handling, select a rejection handling method:
If you select Default, use the Rejection Handler list to select an existing rejection handler that defines whether to display an error template or redirect to a URL.
If you select Basic, you can customize an error message to display as part of the default error page rendered in the end-user's browser if rule evaluation fails. This page is among the templates you can modify with your own branding or other information. If you select Basic, provide this information:
- In the Error Response Code field, enter the HTTP status response code to send if rule evaluation fails. The default is 403.
- In the Error Response Status Message field, enter the HTTP status response message to send if rule evaluation fails. The default is Forbidden.
- In the Error Response Template File field, enter the HTML template page for customizing the error message that displays if rule evaluation fails. This template file is located in the PA_HOME/conf/template/ directory.
- From the Error Response Content Type list, select the type of content for the error response. This lets the client properly display the response.
- Click Save.