shalzz / ambassador-rust-ratelimiter

This is a rate limiter service written in Rust for Datawires Ambassador, a Cloud Native proxy/API Gateway.

This is based on the Leaky bucket algorithm and currently supports two plans with different rate limits. The rate limits themselves as well as the number of plans can be tweaked for your own requirements.

To identify requests it expects two headers passed on from the authentication service that ambassador forwards to our rate-limiter service as RateLimitDescriptor Entries.

Your HTTP header names can be anything you want but when defining the Mapping CRD of ambassador for your service make sure the labels are the same as:

• xapiheader: an API key used to uniquely identify an API user.
• xuserheader: the "plan" the user of the API is currently on which defines the extent of the rate limiting. This should be determined by your auth service and added as an header to the request.

Note:

• remote_address: Remote IP address is used in-case your users need to use the API from a client device. In case you don't need this feature you change to ratelimit on the bases of the api_key instead of the remote_ip.

For more details on how to setup the rate-limiting service see ambassador docs

For Example:

apiVersion: ambassador/v1
kind:  Mapping
name: {{ template "myservice.fullname" . }}_mapping
service: {{ template "myservice.fullname" . }}:{{ .Values.service.port }}
labels:
  ambassador:
    - remote_address
    - xapiheader:
        header: "x-api-key"
        omit_if_not_present: true
    - xuserheader:
        header: "x-user-plan"
        omit_if_not_present: true

In order for Ambassador to pass on the required headers from the HTTP request to the RateLimitService make sure you whitelist the headers in the AuthService service defined your "getambassador.io/config" annotation when deploying the core Ambassador service along with other ambassador specific services you might have. For more details see the ambassador docs on authentication.

For Example:

getambassador.io/config: |
  apiVersion: ambassador/v1
  kind:  AuthService
  name:  authentication
  auth_service: "washed-sheep-ambassador-auth-service:3001"
  path_prefix: "/extauth"
  allowed_request_headers:
  - "x-api-key"
  - "x-api-secret"
  allowed_authorization_headers:
  - "x-api-key"
  - "x-user-plan"
  ---

This repo contains a helm chart in the helm directory to help deploy the service to your Kubernetes cluster.

This project uses the env_logger rust crate to control logging to the stdout.

You can specify the log level with the Environment variable RUST_LOG such as RUST_LOG=ambassador_rust_rate_limiter=debug.