RateLimitPlugin Schema

Schema definition for the Rate Limit Plugin, which provides token bucket-based rate limiting to prevent abuse and ensure fair resource usage.

Schema Information

Property	Value
Schema URL	`https://rustybeam.net/schema/RateLimitPlugin`
Parent Schema	https://rustybeam.net/schema/UtilityPlugin
Description	Token bucket-based rate limiting with configurable strategies and burst capacity

Properties

Property	Type	Cardinality	Description
requests_per_second	https://rustybeam.net/schema/Number	0..1	Maximum requests per second allowed. Supports fractional values (e.g., 0.5 for one request per 2 seconds). Defaults to 10.0.
burst_capacity	https://rustybeam.net/schema/Number	0..1	Maximum burst requests allowed (token bucket size). Defaults to 2x requests_per_second. Allows temporary traffic spikes.
key_strategy	https://rustybeam.net/schema/Text	0..1	Strategy for identifying clients: "ip" (by IP address), "user" (by authenticated user), or "global" (server-wide limit). Defaults to "ip".
cleanup_interval	https://rustybeam.net/schema/Number	0..1	Interval in seconds for cleaning up inactive rate limit entries. Defaults to 300 (5 minutes). Prevents memory leaks.
name	https://rustybeam.net/schema/Text	0..1	Plugin instance name for identification. Defaults to "rate-limit" if not specified.

Usage Examples

Basic IP-based Rate Limiting

<tr itemscope itemtype="https://rustybeam.net/schema/RateLimitPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_rate_limit.so</span>
    <span itemprop="requests_per_second">5</span>
    <span itemprop="burst_capacity">15</span>
</tr>

Strict API Rate Limiting

<tr itemscope itemtype="https://rustybeam.net/schema/RateLimitPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_rate_limit.so</span>
    <span itemprop="requests_per_second">2</span>
    <span itemprop="burst_capacity">5</span>
    <span itemprop="key_strategy">ip</span>
    <span itemprop="cleanup_interval">600</span>
    <span itemprop="name">api_rate_limit</span>
</tr>

User-based Rate Limiting

<tr itemscope itemtype="https://rustybeam.net/schema/RateLimitPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_rate_limit.so</span>
    <span itemprop="requests_per_second">10</span>
    <span itemprop="burst_capacity">25</span>
    <span itemprop="key_strategy">user</span>
</tr>

Global Server-wide Limiting

<tr itemscope itemtype="https://rustybeam.net/schema/RateLimitPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_rate_limit.so</span>
    <span itemprop="requests_per_second">100</span>
    <span itemprop="burst_capacity">200</span>
    <span itemprop="key_strategy">global</span>
    <span itemprop="name">server_limit</span>
</tr>

Slow Rate Limiting (Less than 1 req/sec)

<tr itemscope itemtype="https://rustybeam.net/schema/RateLimitPlugin">
    <span itemprop="library">file://./plugins/librusty_beam_rate_limit.so</span>
    <span itemprop="requests_per_second">0.1</span>
    <span itemprop="burst_capacity">3</span>
    <span itemprop="name">strict_limit</span>
</tr>

Rate Limiting Strategies

Strategy	Key Source	Use Case	Pros	Cons
`ip`	Client IP address	General protection, anonymous APIs	Simple, works without authentication	Shared IPs affect multiple users
`user`	Authenticated username	Per-user API limits, fair usage	Fair per-user limits, precise control	Requires authentication
`global`	Server-wide counter	Server protection, traffic shaping	Simple server protection	Single user can exhaust limit

Token Bucket Algorithm
The Rate Limit Plugin uses a token bucket algorithm:

Bucket Size: burst_capacity tokens
Refill Rate: requests_per_second tokens per second
Request Cost: 1 token per request
Behavior: Allows bursts up to bucket size, then sustained rate

Response Headers

The Rate Limit Plugin adds these headers to responses:

Header	Description	Example
`X-RateLimit-Limit`	Requests per second limit	`10`
`X-RateLimit-Remaining`	Tokens remaining in bucket	`7`
`X-RateLimit-Reset`	Unix timestamp when bucket refills	`1657464945`
`Retry-After`	Seconds to wait (on 429 responses)	`10`

Rate Limited Response

HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1657464955
Retry-After: 10
Content-Type: application/json

{
  "error": "Rate limit exceeded",
  "message": "Too many requests. Please try again later.",
  "retry_after": 10
}

Schema Inheritance

This schema inherits from the UtilityPlugin schema, which provides:

logfile - Log file path
directory - Directory configuration
enabled - Plugin enable/disable state

And ultimately from the base Plugin schema, which provides:

library - Plugin library path
plugin - Base plugin reference property

Configuration Recommendations

Common Rate Limiting Scenarios

Scenario	RPS	Burst	Strategy	Rationale
Public API	1-5	10-15	ip	Prevent abuse while allowing normal usage
Authenticated API	10-50	100-150	user	Fair usage per authenticated user
Upload Endpoints	0.1-0.5	2-5	user	Expensive operations need strict limits
Health Checks	No limit	-	-	Exclude from rate limiting
Server Protection	1000	2000	global	Overall server capacity protection

Validation Rules

requests_per_second must be a positive number (supports decimals)
burst_capacity must be greater than or equal to requests_per_second
key_strategy must be one of: "ip", "user", "global"
cleanup_interval must be a positive integer (seconds)
For "user" strategy, authentication must be configured before rate limiting
The name property should be unique if multiple rate limit plugins are used

Plugin Pipeline Placement
The Rate Limit Plugin should be placed early in the plugin pipeline, typically before expensive operations but after any authentication plugins if using "user" strategy. This prevents abuse while ensuring proper user identification.

Memory Management

Token Buckets: Stored in memory per client/user
Cleanup Process: Automatically removes inactive entries
Memory Usage: ~100 bytes per active client
Scaling: Memory usage grows with concurrent clients
Persistence: Limits reset on server restart

Client-Side Handling

Exponential Backoff

async function makeRequest(url) {
    let delay = 1000; // Start with 1 second
    
    for (let attempt = 0; attempt < 5; attempt++) {
        const response = await fetch(url);
        
        if (response.status === 429) {
            const retryAfter = response.headers.get('Retry-After');
            const waitTime = retryAfter ? parseInt(retryAfter) * 1000 : delay;
            
            await new Promise(resolve => setTimeout(resolve, waitTime));
            delay *= 2; // Exponential backoff
            continue;
        }
        
        return response;
    }
    
    throw new Error('Rate limit exceeded after retries');
}

Rate Limit Headers Monitoring

function checkRateLimit(response) {
    const limit = response.headers.get('X-RateLimit-Limit');
    const remaining = response.headers.get('X-RateLimit-Remaining');
    const reset = response.headers.get('X-RateLimit-Reset');
    
    if (remaining && parseInt(remaining) < 5) {
        console.warn('Rate limit nearly exceeded:', {
            limit,
            remaining,
            resetTime: new Date(parseInt(reset) * 1000)
        });
    }
}

Integration with Other Plugins

Authorization Plugin: Use "user" strategy for per-user limits after authentication
Basic Auth Plugin: Authenticate users before applying user-based rate limits
Health Check Plugin: Consider excluding health checks from rate limiting
Access Log Plugin: Logs rate-limited requests for monitoring
Directory Plugin: Apply different rate limits to different API versions/paths

Monitoring and Alerting

Metrics to Monitor

Rate Limit Hits: Number of 429 responses
Top Rate Limited IPs: Identify potential attackers
Burst Usage: How often burst capacity is utilized
Token Bucket States: Average remaining tokens
Memory Usage: Number of active rate limit entries

Log Analysis

# Find rate limited requests
grep "429" access.log | head -10

# Top rate limited IPs
grep "429" access.log | awk '{print $1}' | sort | uniq -c | sort -nr

# Rate limit frequency by hour
grep "429" access.log | cut -d'[' -f2 | cut -d':' -f2 | sort | uniq -c