ASP.NET Web API rate limiter for IIS and Owin hosting
If you are looking for the ASP.NET Core version see AspNetCoreRateLimit project.
AspNetCoreRateLimit is a full rewrite of WebApiThrottle and offers more flexibility in configuring rate limiting for Web API and MVC apps.
Introducing ThrottlingMiddleware, an OWIN middleware component that works the same as the ThrottlingHandler. With the ThrottlingMiddleware you can target endpoints outside of the WebAPI area, like OAuth middleware or SignalR endpoints.
Configuration example:
public class Startup
{
public void Configuration(IAppBuilder appBuilder)
{
//throtting middleware with policy loaded from config
appBuilder.Use(typeof(ThrottlingMiddleware),
ThrottlePolicy.FromStore(new PolicyConfigurationProvider()),
new PolicyCacheRepository(),
new CacheRepository(),
null);
}
}
More examples here
PolicyCacheRepository
and ThrottleManage
- documentation
IPolicyRepository
used for for storing and retrieving of policy data (global limits, clients rate limits and white-lists) - documentation
ThrottleManager
used for customizing the cache keys with prefix/suffix and for policy cache refreshThrottlingFilter
and EnableThrottlingAttribute
- documentation
There are no breaking changes in v1.2, you can safely update via NuGet.
If you want to use the rate limits update feature, you'll need to change the ThrottlingHandler
initialization code and use the new constructor ThrottlingHandler(ThrottlePolicy policy, IPolicyRepository policyRepository, IThrottleRepository repository, IThrottleLogger logger)
.
Register message handler (IIS hosting)
config.MessageHandlers.Add(new ThrottlingHandler(
policy: new ThrottlePolicy(perSecond: 1, perMinute: 20, perHour: 100, perDay: 1500)
{
IpThrottling = true,
ClientThrottling = true,
EndpointThrottling = true
},
policyRepository: new PolicyCacheRepository(),
repository: new CacheRepository(),
logger: null));
Register action filter with rate limits loaded from app.config (IIS hosting)
config.Filters.Add(new ThrottlingFilter(
policy: ThrottlePolicy.FromStore(new PolicyConfigurationProvider()),
policyRepository: new PolicyCacheRepository(),
repository: new CacheRepository(),
logger: null));
Update policy from code (IIS hosting)
//init policy repo
var policyRepository = new PolicyCacheRepository();
//get policy object from cache
var policy = policyRepository.FirstOrDefault(ThrottleManager.GetPolicyKey());
//update client rate limits
policy.ClientRules["api-client-key-1"] =
new RateLimits { PerMinute = 80, PerHour = 800 };
//add new client rate limits
policy.ClientRules.Add("api-client-key-3",
new RateLimits { PerMinute = 60, PerHour = 600 });
//apply policy updates
ThrottleManager.UpdatePolicy(policy, policyRepository);
Register message handler with rate limits loaded from app.config (Owin self-hosting)
config.MessageHandlers.Add(new ThrottlingHandler(
policy: ThrottlePolicy.FromStore(new PolicyConfigurationProvider()),
policyRepository: new PolicyMemoryCacheRepository(),
repository: new MemoryCacheRepository(),
logger: null));
IThrottlePolicyProvider
interface that allows loading at app startup the policy rules and settings from a persistent store like a databaseVersion 1.1 is compatible with .NET 4.5.x and has the following dependencies:
To avoid version conflicts redirect bindings for Owin and System.Web.Http in config:
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-2.1.0.0" newVersion="2.1.0.0" />
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
<bindingRedirect oldVersion="0.0.0.0-5.1.0.0" newVersion="5.1.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
There are no breaking changes in v1.1, you can safely update via NuGet.