since #52 the private function func (l *Limiter) limitReachedWithTokenBucketTTL(key string, tokenBucketTTL time.Duration) bool and thus the tokenBucketTTL functionality doesn't make sense anymore: The burst parameter b in x/time/rate NewLimiter is used as max burst and initial bucket size (see comment in https://godoc.org/golang.org/x/time/rate#Limiter and https://github.com/golang/time/blob/master/rate/rate.go#L346). So a first request to a new (re)created bucket is always granted. Because of the initial bucket size of one, a second request is only granted, if the time elapsed (d) fullfills 1/d < r with r being the bucket refill rate - in tollbooth case rate.Limit(lmtMax).

So a bucket ttl only slighly increases the max rate, which is neglectable for 1/ttl << r.

Does it make sense to introduce an initial bucket size to the ExpirableOptions struct and use it if the ttl is not set to the default value? I'll happily prepare a PR if all of the above makes sense.

Will resolve #88 once done. I went the lazy way of embedding time/rate instead of rewriting it, function we need will be added in https://github.com/golang/go/issues/50035 in the future.

ToDo:

• [x] make countLimitWithTokenBucketTTL work
• [x] adjust Readme
• [x] add tests
• [x] manual tests

Fix #48

This change removes the TTL, as it doesn't necessarily make sense for use with the token bucket. The token bucket refills at a rate of r tokens per second, which is defined by the max value in tollbooth. As such, it makes sense that tollbooth only supports "number of requests per second", rather than allowing the user to define a duration for those requests.

This is a breaking change and existing code will need to be updated. As such, you may wish to update a major version in the semver, or do it as a bugfix, as the previous implementation was broken and does not function as described/intended.

Hi, I noticed that this library (along with others) assumes that the port number is always provided in http.Request.RemoteAddr

... Because this is an incorrect assumption, this breaks IPv6 on such installations where the port number is NOT provided: https://play.golang.org/p/oFZhZ6BCf3

Code to demonstrate issue

package main

import (
	"fmt"
	"strings"
)

func ipAddrFromRemoteAddr(s string) string {
	idx := strings.LastIndex(s, ":")
	if idx == -1 {
		return s
	}
	return s[:idx]
}

func main() {
	fmt.Println("OK:", ipAddrFromRemoteAddr("127.0.0.1"))
	fmt.Println("MISSING FINAL BLOCK:", ipAddrFromRemoteAddr("fe80:0000:0000:0000:34cb:9850:4868:9d2c"))
	fmt.Println("MISSING FINAL BLOCK:", ipAddrFromRemoteAddr("fe80::34cb:9850:4868:9d2c"))

}

Result:

OK: 127.0.0.1
MISSING FINAL BLOCK: fe80:0000:0000:0000:34cb:9850:4868
MISSING FINAL BLOCK: fe80::34cb:9850:4868

It's probably necessary to validate the IPv6 address first in order to detect if the port is not there. There is actually a pretty bad bug since a lot of App Engine deployments might be using this as-is and Google has no intention of changing this "portless" behavior.

Resolves #84. I haven't found a cache that wouldn't spawn goroutines and would have the unlimited size so I published one similar to the one I contributed to hashicorp/golang-lru in https://github.com/hashicorp/golang-lru/pull/68 as a separate project and switched tollbooth to it.

tollbooth API stays exactly the same, the only API difference is ExpirableOptions.ExpireJobInterval is unused becomes and becomes deprecated.

The big difference with previously used go-cache is the following: expired entries are deleted only on new Set calls on the same cache.

The only alternative to preserve exact same behavior as previously I could think of is calling DeleteExpired in this package and giving users the ability to terminate these goroutines using Close() call on a Limiter, which is kind of ugly but would do the trick. However, creating Close() function would allow us to switch to a number of different caches that provide their own Close() functions and then just call them inside our Close.

Please let me know what you think about that.

Firstly, great middleware, but I'm wondering if there are implications with the underlying implementations violating section 4 of the LGPL? Your library is MIT, but the juju implementation is LGPL and because go is statically linked we appear to be in violation for commercially shipped rather than open source projects.

IANAL but I was wondering if you've had any thoughts on this. Thanks.

Greetings!

I am seeing some odd behavior with how the limiter limits requests.

We are constructing a limiter like this:

limiter := tollbooth.NewLimiter(20, time.Second, nil)

My understanding of this, based on the documentation and code, is that the limiter will now allow a maximum of 20 requests per second, per path, per IP. If a client attempts to exceed 20 req/sec/path/IP, it will receive a 429 response.

However, this is not what we are seeing. We have a client that hits the same path about 2 times per second. After about six minutes at 2 req/sec, tollbooth starts responding with 429 errors here and there.

Either my understanding of how it is supposed to work is incorrect, or my configuration is incorrect, but it seems that setting 20/time.Second should never cause a 429 response under a load of 2/req/sec/path/IP.

Is it possible there is a bug somewhere in this package?

Please let me know what I'm missing here. Thanks!

I wish

to be able to support via configuration the following standardization proposal: https://datatracker.ietf.org/doc/html/draft-ietf-httpapi-ratelimit-headers

gh repo: https://github.com/ietf-wg-httpapi/ratelimit-headers

This is currently implemented by envoy-proxy, kong and 3scale.

The spec

defines 3 ratelimit-headers, returning the current quota, remaining quota and delta-seconds before quota expires.

   RateLimit-Limit: 100
   RateLimit-Remaining: 50
   RateLimit-Reset: 60

Hello! First of all, thanks for the great library. It worked great, until I had to add rate limiting by user id in the request header.

I came across https://github.com/didip/tollbooth/issues/43, however I found that the function tollbooth.BuildKeys build keys using existing header values in the cache. Specifically this line: https://github.com/didip/tollbooth/blob/b10a036da5f05864224ee09432e489b32a6b2d1d/tollbooth.go#L89

Should the key be created this way instead of looping through existing values?

sliceKeys = append(sliceKeys, []string{remoteIP, path, r.Method, headerKey, r.Header.Get(headerKey)})

As I understand it, this sliceKeys is then used to lookup against the rate limit cache. If sliceKeys contain existing headers, the current request would get rate limited due to one of the existing headers.

If I have used the package wrongly, please help me to understand how I should use it.

Here are the middleware I wrote and the test.

func RateLimit(h http.HandlerFunc) http.HandlerFunc {
	allocationLimiter := tollbooth.NewLimiter(1, &limiter.ExpirableOptions{DefaultExpirationTTL: time.Minute}).
		SetMethods([]string{"POST"})

	handler := func(w http.ResponseWriter, r *http.Request) {
		customerID := r.Header.Get("X_Owner_ID")
		fmt.Printf("customerID: %s\n", customerID)
		allocationLimiter.SetHeader("X_Owner_ID", []string{customerID})

		tollbooth.LimitFuncHandler(allocationLimiter, h).ServeHTTP(w, r)
	}

	return handler
}

func TestRateLimit(t *testing.T) {
	customerID1 := "1234"
	customerID2 := "5678"

	tests := []struct {
		name                string
		secondRequestStatus int
		customerIDs         []string
	}{
		{"different customer id", http.StatusOK, []string{customerID1, customerID2}},
		{"same customer id", http.StatusTooManyRequests, []string{customerID1, customerID1}},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
			testServer := httptest.NewServer(RateLimit(h))
			defer testServer.Close()
			client := &http.Client{}

			request1, err := http.NewRequest("POST", testServer.URL, nil)
			assert.Nil(t, err)
			request1.Header.Add("CustomerID", tt.customerIDs[0])

			response, err := client.Do(request1)
			assert.Nil(t, err)
			assert.Equal(t, http.StatusOK, response.StatusCode)

			request2, err := http.NewRequest("POST", testServer.URL, nil)
			assert.Nil(t, err)
			request2.Header.Add("CustomerID", tt.customerIDs[1])

			response, err = client.Do(request2)
			assert.Nil(t, err)
			assert.Equal(t, tt.secondRequestStatus, response.StatusCode)
		})
	}
}

Hello there. I followed the guide and do the following:

lmt.SetMethods([]string{"POST"})

But it is not working. The limiter is still limiting the GET and all different kind of requests.

Is it possible to use tollbooth to limit total memory usage by my Go program? I would like to specify the maximum total memory that my go web application can use, such as, say 8GB, and if the memory has reach this limit, to not process the request. Thanks.

Disclosure URL: https://adam-p.ca/blog/2022/03/x-forwarded-for/

This is an attempt to address the situation.

1. We no longer configure SetIPLookups on default.

2. We address the two different SetIPLookups confusion in two different place by removing both of them.

3. We add a new, explicit way, for user to define how IP address should be picked up.

Tests are all updated to use the new method of picking IP address.

This will be a backward incompatible change so version number has to be bumped to 7.

Sample code:

func limitAccess(next http.Handler) http.Handler {

	lmt := tollbooth.NewLimiter(1, nil)
	lmt.SetHeaderEntryExpirationTTL(time.Hour * 24)
	lmt.SetHeader("X-Access-Token", []string{"abc123", "abc456"})
	lmt.SetIPLookups([]string{"RemoteAddr", "X-Forwarded-For", "X-Real-IP"})
	lmt.SetMethods([]string{"GET", "POST"})

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if httpError := tollbooth.LimitByRequest(lmt, w, r); httpError != nil {
			http.Error(w, http.StatusText(401), http.StatusForbidden)
			return
		}

		next.ServeHTTP(w, r)
	})
}

How can I share throttling information through multiple instances of an app that are managed by a load balancer?

Issue https://github.com/didip/tollbooth/issues/57 answer mentions data is not persisted anywhere, therefore I can't plug a datastore (such as Redis) that would be used as a lookup store for all instances running at the same time.

I have this scenario described above in my current architecture, where 3 or more instances of the app may be running and I would like to "share" throttling information between them in order to avoid having non-deterministic 429 requests depending on which box my request hits.