Skip to main content

Distributed Rate Limit & Quota

Enable distributed rate limiting in Traefik Hub.

Introduction

Traefik Hub uses Redis (Remote Dictionary Server) to store rate limit information across all Traefik Hub agents.

Connection parameters to your Redis server are attached to your Traefik Hub deployment.

The following Redis modes are supported:

info

For more information about Redis, we recommend the official Redis documentation.

Rate Limiting Behavior

Limits over Time

Rate limit diagram

Traefik Hub uses the Token Bucket algorithm, where the bucket represents the pool of available requests. Each request consumes one token from the bucket. Tokens are continuously refilled at a constant rate, ensuring a predefined limit on the number of requests that can be served in a given period of time.

For example, with a 1m period and a limit of 10 requests, Traefik Hub allows an average of 0.16 request per second (10/60s). This means that a new token is added to the bucket approximately every 0.16 seconds.

If users exhaust tokens faster than the bucket is refilled, the bucket becomes empty, and further requests will be rejected until new tokens become available.

Examples:

LimitPeriodDescription
101mThe bucket receives a new token approximately every 0.16 seconds (10 / 60 seconds).
1001hThe bucket receives a new token approximately every 0.02 seconds (100 / 3600 seconds).

Available Configuration Options

The table below lists the configuration options in Traefik Hub to connect to Redis and store rate limit information.

ValueDescriptionRequired
endpointsEndpoints of the Redis instances to connect to (example: redis.traefik-hub.svc.cluster.local:6379)Yes
usernameThe username Traefik Hub will use to connect to RedisNo
passwordThe password Traefik Hub will use to connect to RedisNo
databaseThe database Traefik Hub will use to sore information (default: 0)No
clusterEnable Redis ClusterNo
tls.caBundleCustom CA bundleNo
tls.certTLS certificateNo
tls.keyTLS keyNo
tls.insecureSkipVerifyAllow skipping the TLS verificationNo
sentinel.masterSetName of the set of main nodes to use for main selection. Required when using Sentinel.No
sentinel.usernameUsername to use for sentinel authentication (can be different from username)No
sentinel.passwordPassword to use for sentinel authentication (can be different from password)No
info

If you use Redis in single instance mode or Redis Sentinel, you can configure the database field. This value won't be taken into account if you use Redis Cluster (only database 0 is available).

In this case, a warning is displayed, and the value is ignored.

Adjust Traefik Hub's Configuration

First, save the default Traefik Hub configuration to a values.yaml file.

helm show values traefik/traefik-hub > values.yaml

Second, adjust the values.yaml file by adding the configuration for distributed rate limiting to the additionalArguments part.

additionalArguments:
  # Redis single instance mode
  - --hub.redis.endpoints=redis-headless.traefik-hub.svc.cluster.local:6379
  - --hub.redis.password=$(PASSWORD)
additionalEnvVars:
  # Redis in single instance mode
  - name: PASSWORD
    valueFrom:
      secretKeyRef:
        name: redis
        key: redis-password

service:
  type: LoadBalancer
All configuration settings

Please see the configuration options above for an overview about all possible values.

Deploy Your Custom Configuration

Once the configuration is adjusted, use Helm to (re)deploy the Traefik Hub agent with the new values to enable distributed rate limiting.

CLI
helm upgrade --install --namespace traefik-hub traefik-hub traefik/traefik-hub \
--values values.yaml