Created
September 26, 2022 13:52
An example Envoy configuration that performs path-based local rate-limiting.
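# A local rate-limit following the example at:
# https://github.com/envoyproxy/envoy/tree/main/examples/local_ratelimit

# Resources loaded at boot, rather than dynamically via APIs.
# https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-msg-config-bootstrap-v3-bootstrap-staticresources
static_resources:
  # A listener wraps an address to bind to and filters to run on messages on that address.
  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-msg-config-listener-v3-listener
  listeners:
    # The address of an interface to bind to. Interfaces can be sockets, pipes, or internal addresses.
    # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-address
    - address:
        # This address is for a network socket, with an IP and a port.
        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-socketaddress
        socket_address:
          # The value 0.0.0.0 indicates that all interfaces will be bound to.
          # NOTE(review): no transport_socket is set on this listener, so it serves
          # plain HTTP on every interface. Outside a local demo, bind to a specific
          # address or add downstream TLS.
          address: 0.0.0.0
          # The IP port number to bind to.
          port_value: 10000
      # Filter chains wrap several related configurations, e.g. match criteria, TLS context, filters, etc.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filterchain
      filter_chains:
        # An ordered list of filters to apply to connections.
        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener_components.proto#envoy-v3-api-msg-config-listener-v3-filter
        - filters:
            - name: envoy.filters.network.http_connection_manager
              # A generic configuration whose fields vary with its "@type".
              typed_config:
                # The HttpConnectionManager filter converts raw data into HTTP messages and
                # handles logging, tracing, header manipulation, routing, and statistics.
                # https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#arch-overview-http-conn-man
                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extension-envoy-filters-network-http-connection-manager
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                # The human readable prefix used when emitting statistics.
                stat_prefix: ingress_http
                # The static routing table used by this filter. Individual routes may also add
                # "rate limit descriptors", essentially tags, to requests. The local rate-limit
                # filter configuration can then refer to those descriptors.
                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-msg-config-route-v3-routeconfiguration
                route_config:
                  name: local_route
                  # An array of virtual hosts which will compose the routing table.
                  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-virtualhost
                  virtual_hosts:
                    - name: backend
                      # A list of domains, e.g. *.foo.com, that will match this virtual host.
                      domains:
                        - "*"
                      # A list of routes to match against requests, the first one that matches will be used.
                      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-route
                      routes:
                        # The conditions that a request must satisfy to follow this route.
                        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routematch
                        - match:
                            # A match against the beginning of the :path pseudo-header.
                            prefix: "/"
                          # The routing action to take if the request matches the conditions.
                          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-routeaction
                          route:
                            host_rewrite_literal: www.envoyproxy.io
                            cluster: service_envoyproxy_io
                      # Rate limit conditions specific to this virtual host.
                      rate_limits:
                        # Various actions to extract and label requests with descriptor keys/values.
                        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-ratelimit-action
                        - actions:
                            # Read a request header and use its value to set the value of a descriptor entry.
                            # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-msg-config-route-v3-ratelimit-action-requestheaders
                            # NOTE(review): ":path" is the raw request target, including any
                            # query string, and descriptor values are compared as whole strings.
                            # Only a request whose ":path" is exactly the configured value gets
                            # the stricter bucket below; every other spelling of the same
                            # resource is counted against the default bucket. If the stricter
                            # limit is meant as a protective control, derive the descriptor from
                            # a route match (e.g. a dedicated route carrying a generic_key
                            # action) rather than from the raw header.
                            - request_headers:
                                descriptor_key: path  # Key
                                header_name: ":path"  # Value from pseudo-header ":path".
                            - request_headers:
                                descriptor_key: method  # Key
                                header_name: ":method"  # Value from pseudo-header ":method", e.g. GET, PUT, POST, DELETE.
                      # Create virtual host specific configurations for filters. This is a key-value
                      # map with the key matching the name of the filter and an object value which appends
                      # configuration data to that filter.
                      typed_per_filter_config:
                        # An envoy-instance specific rate-limit.
                        # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto#extension-envoy-filters-http-local-ratelimit
                        envoy.filters.http.local_ratelimit:
                          "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
                          # The human readable prefix to use when emitting stats.
                          stat_prefix: http_local_rate_limiter
                          ####
                          # Rate Limiting Configurations
                          ####
                          # Default settings for the rate limit. Each request consumes a token.
                          # If no tokens remain, the request is answered with a 429 error.
                          # NOTE(review): this bucket is not keyed by client, so all callers of
                          # this virtual host on this Envoy instance draw from the same tokens;
                          # one busy client can use up the budget for everyone. It is also local
                          # to one instance: N instances allow N times the configured rate.
                          token_bucket:
                            # The total number of tokens that can accumulate.
                            max_tokens: 3
                            # How many tokens are added each fill_interval.
                            tokens_per_fill: 3
                            # The duration between adding additional tokens to the bucket.
                            fill_interval: 5s
                          # A percentage of requests to apply the rate limit to. Defaults to 0.
                          filter_enabled:
                            runtime_key: local_rate_limit_enabled
                            default_value:
                              numerator: 100
                              denominator: HUNDRED
                          # The fraction of enabled requests to actually enforce.
                          filter_enforced:
                            runtime_key: local_rate_limit_enforced
                            default_value:
                              numerator: 100
                              denominator: HUNDRED
                          # A header to add when a rate limit is enforced.
                          response_headers_to_add:
                            - append: true
                              header:
                                key: x-local-rate-limit
                                value: 'true'
                          # Rather than having a rate-limiting bucket per route, the rate_limits
                          # actions above attach descriptors to each request. A descriptor listed
                          # here whose entries match gets its own token bucket instead of the
                          # default one.
                          # https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter#config-http-filters-local-rate-limit-descriptors
                          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/common/ratelimit/v3/ratelimit.proto#envoy-v3-api-msg-extensions-common-ratelimit-v3-localratelimitdescriptor
                          descriptors:
                            - entries:
                                - key: path
                                  value: /docs
                                # NOTE(review): with the line below commented out, this entry
                                # has no value, while the ":method" action above always
                                # produces one (GET, POST, ...). Depending on the Envoy version
                                # the config may be rejected, the override may never apply, or
                                # a blank value may be handled specially. Confirm against the
                                # version you run, or restore an explicit value, and check the
                                # rate-limit stats to see which bucket is actually hit.
                                - key: method
                                  # value: GET
                              # Override the filter token_bucket if the descriptor entries matched.
                              token_bucket:
                                # The total number of tokens that can accumulate.
                                max_tokens: 1
                                # How many tokens are added each fill_interval.
                                tokens_per_fill: 1
                                # The duration between adding additional tokens to the bucket.
                                fill_interval: 5s
                # Individual filters applied by the HTTP Connection Manager.
                # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpfilter
                http_filters:
                  # An envoy-instance specific rate-limit. No token_bucket is given here;
                  # the limits come from the virtual host's typed_per_filter_config above.
                  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto#extension-envoy-filters-http-local-ratelimit
                  - name: envoy.filters.http.local_ratelimit
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
                      # The human readable prefix to use when emitting stats.
                      stat_prefix: http_local_rate_limiter
                  # The router filter performs HTTP forwarding with optional logic for retries, statistics, etc.
                  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#extension-envoy-filters-http-router
                  # https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  # Configurations for logically similar upstream hosts, called clusters, that Envoy connects to.
  # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-msg-config-cluster-v3-cluster
  clusters:
    - name: service_envoyproxy_io
      # The cluster type, in this case, discover the target via a DNS lookup.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-discoverytype
      type: LOGICAL_DNS
      # NOTE(review): 500 seconds is a very long wait for an upstream connection to
      # be established; while the upstream is unreachable, requests can stay pending
      # that long and tie up proxy resources. Confirm this value is intended rather
      # than a typo for a value of a few seconds.
      connect_timeout: 500s
      dns_lookup_family: V4_ONLY
      # For endpoints that are part of the cluster, determine how requests are distributed.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint.proto#envoy-v3-api-msg-config-endpoint-v3-clusterloadassignment
      load_assignment:
        cluster_name: service_envoyproxy_io
        endpoints:
          # A list of endpoints that belong to this cluster.
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-localitylbendpoints
          - lb_endpoints:
              # A single endpoint, its load-balancing weight, etc.
              # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-lbendpoint
              - endpoint:
                  address:
                    socket_address:
                      address: www.envoyproxy.io
                      port_value: 443
      # A customized transport socket, in this case, with TLS enabled.
      # https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#envoy-v3-api-msg-config-core-v3-transportsocket
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          # https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          # NOTE(review): only the SNI is set. No common_tls_context.validation_context
          # appears in this file, so nothing here tells Envoy which CA bundle or
          # certificate name to require from the upstream; the link is encrypted but
          # the peer is not authenticated by this config. For more than a demo, add a
          # validation_context with a trusted_ca and a subject-alt-name matcher for
          # the upstream host.
          # Server Name Indication, the server being contacted in step 1 of the TLS handshake.
          sni: www.envoyproxy.io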