Rate limit

Matches when requests for a specific client exceed a defined threshold within a set duration.

This condition tracks the volume of requests from a specific requester and returns true if that volume exceeds a defined threshold within a set time period. Rate counters are measured centrally across all proxies serving an application, and each evaluated client ID is allocated its own counter as long as requests are received for it within the interval.

Counting only occurs if the other conditions within the web control are met. The counter set for a rate limit condition is unique to the specific web control that contains it; an identical condition in another web control maintains its own independent counter set.

Configuration

  • Client ID: A value template evaluated to identify the requester. By default, this is set to $(request_address) to track by the requester’s IP address. This field is required.
  • Threshold: The maximum number of requests allowed within the duration before the condition triggers. This must be a number greater than 0. This field is required.
  • Duration: The amount of time over which to accumulate the request count. This must be a number of at least 5 when the unit of time is seconds, but can be as low as 1 if the unit of time is minutes or hours. This field is required.
  • Unit: The unit of time (Seconds, Minutes, or Hours) used for the duration. This field is required.

Measurement

Rate measurement is not exact. For efficiency, a sliding window is used with a fixed number of buckets. While a triggered condition confirms the client is over the limit, a client strictly over the limit may be measured under the limit if a significant number of requests fall at the beginning of the interval.


Last modified March 5, 2026