Introduction
AspNetCoreRateLimit is an ASP.NET Core rate limiting solution designed to control the rate at which clients can make requests to a Web API or MVC application, based on IP address or client ID. The AspNetCoreRateLimit package includes an IpRateLimitMiddleware and a ClientRateLimitMiddleware. For each middleware, you can set multiple limits for different scenarios, such as the maximum number of calls an IP or client may make per second, per 15 minutes, and so on. You can define these limits to apply to all requests made to the API, or you can scope the limits to each API URL or HTTP verb and path.
URL: https://github.com/stefanprodan/AspNetCoreRateLimit

Features
- IP-based Rate Limiting
  - Setup and Configuration
  - Defining Rate Limit Rules
  - Behavior
  - Updating Rate Limits at Runtime
- Client ID-based Rate Limiting
  - Setup and Configuration
  - Defining Rate Limit Rules
  - Behavior
  - Updating Rate Limits at Runtime
- Advanced Configuration
  - Custom Quota Exceeded Response
  - IP / ClientId Resolution Contributors
  - Using Redis as Distributed Counter Store

Usage (IP-based Rate Limiting)
NuGet Installation:
    Install-Package AspNetCoreRateLimit
    Install-Package AspNetCoreRateLimit.Redis
Startup.cs Code:
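    public void ConfigureServices(IServiceCollection services)
    {
        // Needed to load configuration from appsettings.json
        services.AddOptions();

        // Needed to store rate limit counters and IP rules in memory
        services.AddMemoryCache();

        // Load the general configuration and the per-IP rules from appsettings.json
        services.Configure<IpRateLimitOptions>(Configuration.GetSection("IpRateLimiting"));
        services.Configure<IpRateLimitPolicies>(Configuration.GetSection("IpRateLimitPolicies"));

        // Register the in-memory counter and rule stores
        services.AddInMemoryRateLimiting();

        services.AddMvc();

        // Configuration (resolvers, counter key builders)
        services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Register the limiter before MVC so requests are checked before they reach controllers
        app.UseIpRateLimiting();
        app.UseMvc();
    }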
appsettings.json:
    "IpRateLimiting": {
      "EnableEndpointRateLimiting": false,
      "StackBlockedRequests": false,
      "RealIpHeader": "X-Real-IP",
      "ClientIdHeader": "X-ClientId",
      "HttpStatusCode": 429,
      "IpWhitelist": [ "127.0.0.1", "::1/10", "192.168.0.0/24" ],
      "EndpointWhitelist": [ "get:/api/license", "*:/api/status" ],
      "ClientWhitelist": [ "dev-id-1", "dev-id-2" ],
      "GeneralRules": [
        {
          "Endpoint": "*",
          "Period": "1s",
          "Limit": 2
        },
        {
          "Endpoint": "*",
          "Period": "15m",
          "Limit": 100
        },
        {
          "Endpoint": "*",
          "Period": "12h",
          "Limit": 1000
        },
        {
          "Endpoint": "*",
          "Period": "7d",
          "Limit": 10000
        }
      ]
    }
If EnableEndpointRateLimiting is set to false, the limits are applied globally and only rules with * as the endpoint apply. For example, if you set a limit of 5 calls per second, any HTTP call to any endpoint counts toward that limit.
If EnableEndpointRateLimiting is set to true, the limits apply per endpoint, in the form {HTTP_Verb}{PATH}. For example, if you set a limit of 5 calls per second on *:/api/values, a client can call GET /api/values 5 times per second and can also call PUT /api/values 5 times per second.
If StackBlockedRequests is set to false, rejected requests are not added to the throttling counter. If a client makes 3 requests per second and you set a limit of 1 call per second, other limits (e.g., per minute or daily counters) will only record the first call (the one that was not blocked). If you want rejected requests to count toward other limits, you must set StackBlockedRequests to true.
RealIpHeader is used to extract the client IP when your Kestrel server is behind a reverse proxy. If your proxy uses a different header than X-Real-IP, use this option to set it.
ClientIdHeader is used to extract the whitelisted client ID. If the client ID exists in this header and matches a value specified in ClientWhitelist, rate limiting will not be applied.
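The RealIpHeader value is a request header, so it is only meaningful when your own reverse proxy wrote it; the proxy should overwrite any X-Real-IP a client sends. The following added example (not code from AspNetCoreRateLimit or the original article) is a small ASP.NET Core middleware that drops the header from requests that did not arrive from the proxy, so it cannot be used to pick a whitelisted address or a fresh counter. The class name TrustedProxyRealIpFilter and the proxy address 10.0.0.5 are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example: hypothetical middleware, not part of AspNetCoreRateLimit.
// Register it before the limiter: app.UseMiddleware<TrustedProxyRealIpFilter>();
public class TrustedProxyRealIpFilter
{
    // Must match "RealIpHeader" in the IpRateLimiting section.
    private const string RealIpHeader = "X-Real-IP";

    // Assumption: addresses of your own reverse proxy (10.0.0.5 is a constructed sample).
    private static readonly HashSet<IPAddress> TrustedProxies = new HashSet<IPAddress>
    {
        IPAddress.Loopback,
        IPAddress.IPv6Loopback,
        IPAddress.Parse("10.0.0.5")
    };

    private readonly RequestDelegate _next;

    public TrustedProxyRealIpFilter(RequestDelegate next) => _next = next;

    // True only when the TCP peer is one of the configured proxies.
    public static bool IsTrustedPeer(IPAddress remote)
    {
        if (remote == null) return false;
        // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        return TrustedProxies.Contains(remote);
    }

    public Task InvokeAsync(HttpContext context)
    {
        // A directly connected client can send any X-Real-IP value it likes,
        // so keep the header only when the proxy delivered the request.
        if (!IsTrustedPeer(context.Connection.RemoteIpAddress))
        {
            context.Request.Headers.Remove(RealIpHeader);
        }
        return _next(context);
    }
}
```

With the header removed, the request is limited by the address of the connection itself rather than by a value the sender chose.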
Only IP-based rate limiting is described here. If you are interested in this project, please visit the AspNetCoreRateLimit official website for more documentation.