How to Rate Limit Go Applications

One of the factors you can consider when building your application is the amount of traffic you expect from users. Traffic volume probably dictates more factors that may include resource allocation, especially if you’re hosting your app on a cloud service provider.

Rate limiting is one of the techniques you can use to control the traffic on your application or network.

What is rate limiting?

Rate limiting is a widespread access restriction technique for limiting network traffic, primarily within an estimated time limit or when a user has executed too many requests.

Rate limiting is popular for mitigating cyber attacks such as brute force and DDoS (Distributed Denial of Service), limiting web scraping, API requests, and other irregular user interactions such as bot automation and server strain.

Go provides first-class support for rate-limiting applications in rate packages that provide rate limiters and interoperate with timing packages.

The rate package is part of the Go project, but the package is not available in the standard library. You have to install the package with get command.

Run this command in a terminal from your working directory to add the package to your project’s dependencies.

The json package is for the client to encode a structure as JSON. You would use the log package to log errors to the console and the http package to create endpoints and middleware and start the server.

Creating a simple API with one endpoint

Traditionally, you would write a middleware for the handler functions you want to limit. Every time the user sends a request, the middleware validates the request state before relaying access to the handler function, depending on the case.

Here is a struct model with string fields that you would encode on the client.

The handler function will set the content-type to JSON, write a success status code, and return the encoded struct instance to the client.

The endpoint instance handler function takes an http package writer and request method instance and returns a message to the client with the writer instance.

Rate Limiting A Simple Go Application

Rate limiting through the number of requests per user or the available number of requests is similar. You will always need to create a limiter before the authorization process.

Here’s how you can create a rate limiter and authorize users based on the number of requests.

The RateLimiterMiddleware handler function is a middleware that accepts a handler function as argument and returns the result of authorization after creating a new rate limiter with the NewLimiter method that takes two parameters for the number of requests per second after the specified maximum number of requests Takes.

The allow method of the Limiter instance returns a boolean based on the status of authorized requests. The ratelimiter middleware returns a JSON message if the request is authorized or a “rate limit exceeded” message when the client has sent the maximum number of requests.

The main function mounts the /home endpoint for the ratelimiter middleware handler function that takes in the endpoint instance handler function.

The listenAndServe method starts a server on localhost port 8080 and returns possible errors.

You can run this command on a terminal from your working directory or with a bash script to test the endpoint after the server is up and running.

After the sixth request (the maximum), the client is unauthorized and can no longer access the endpoint.

Rate-limiting is important

Rate-limiting is essential, especially if you want to cut down on the cost of hosting your application, reduce bot interference, or secure your app from cyber attacks. Similar to Go’s rate package, npm provides the express-rate-limit package to rate-limit Express applications.

Leave a Comment