[Tutorial] Securing Rate Limit Actions with JSON Web Tokens (JWT)
Most applications require external users or clients to access a variety of their services and therefore require policies to secure and protect them. Rate limiting is a strategy implemented in API or edge gateways to protect backend services: it prevents outages by keeping services from being overrun with more requests than their resources can process and respond to within the agreed service levels.
Rate limits can be configured in a variety of ways to limit the volume of requests over a time period: to the endpoint, by the client ID, by HTTP method, with integrated security, and more. In previous posts we tried multiple rate limits by client ID and rate limits to prioritize traffic by HTTP method; in this post we will secure rate limit actions with JSON Web Tokens (JWT).
When to use this use case
Headers are a convenient way to determine the values for rate limit actions, but they can often require additional security depending on the use case. While Gloo API Gateway can rate limit extensively on any incoming header, it can also secure the header values by encoding them as claims in a JWT that is passed in the request; the headers are then derived from the extracted claims after the JWT has been verified. You can provide a secure method for your users to acquire a JWT by setting up an auth negotiation with a trusted auth provider.
Try this use case
Follow along using this tutorial to try configuring this type of rate limiting policy.
Set up your environment using these instructions. Any self-hosted or cloud managed Kubernetes (our demo uses GKE) with Gloo API Gateway (latest 1.4) installed will work. Then deploy the demo app, add a virtual service to expose via Gloo, and query the service.
Then you’ll use these instructions to set up and test the rate limit configuration and also layer in Open Policy Agent (OPA) and a Web Application Firewall (WAF) to further secure the traffic.
- Apply settings with settings-patch-1.yaml to see how headers work
- Apply rate limit actions on the route with vs-1.yaml
- Add JWT claims and verification with vs-2.yaml (below)
- Layer on WAF and OPA with vs-3.yaml
Here is what the YAML looks like with added JWT:
```yaml
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: spelunker
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: spelunker-spelunker-80
            namespace: gloo-system
    options:
      jwt:
        providers:
          solo:
            tokenSource:
              headers:
              - header: x-token
              queryParams:
              - token
            claimsToHeaders:
            - claim: type
              header: x-type
            - claim: number
              header: x-number
            issuer: solo.io
            jwks:
              local:
                key: |
                  -----BEGIN PUBLIC KEY-----
                  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxdil+UiTSKYKV90YkeZ/
                  9CWvb4XfUgqYDeW/OG1Le+/BvSVkAFc1s3Fg0l9Zo4yvS4OGQszsNGJNl1mYya/L
                  sSTTD7suKLXY7FBTaBB8CQvvW873yRij1F4EaygOJ1ujuFmpgBGvQLSS5rceNaCl
                  Qzo+bmf3z0UGbhCxgsjDsJK2/aW2D/3dep/kF1GyEOGz8fewnwVp0zVyuS4UMidV
                  2cdnAobX2GvPwpjAeIeqhHG3HX4fen+TwU8rkej3y4efKHNj/GbKQmtt2EoOhEox
                  iK/JALlhQNAJqYn+81amRM7wGWeLEByt0+mwyAfnShOr6MFwrhQjsm4orwAx7yHB
                  jwIDAQAB
                  -----END PUBLIC KEY-----
      ratelimit:
        rateLimits:
        - actions:
          - requestHeaders:
              descriptorKey: type
              headerName: x-type
        - actions:
          - requestHeaders:
              descriptorKey: type
              headerName: x-type
          - requestHeaders:
              descriptorKey: number
              headerName: x-number
```
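To make the flow in the virtual service above concrete, here is a small Python model of it (an added example, not code from Gloo or from the original post): verify the token, derive `x-type` and `x-number` from its claims, then build the rate limit descriptors. Assumptions: it uses HS256 with a constructed shared secret as a stand-in for the page's RSA public key so that it runs with the standard library only, the function names are hypothetical, and it assumes the gateway discards any client-supplied copy of a claim-derived header.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"      # constructed; the page verifies with an RSA public key
ISSUER = "solo.io"                       # issuer from the page's provider config
CLAIMS_TO_HEADERS = {"type": "x-type", "number": "x-number"}   # claimsToHeaders on the page
RATE_LIMITS = [[("type", "x-type")],                           # rateLimits actions on the page
               [("type", "x-type"), ("number", "x-number")]]

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims):
    """Constructed helper: sign a demo token (HS256 stand-in for the real issuer)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify(token):
    """Return the claims only if algorithm, signature and issuer all check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":   # pin the algorithm
            return None
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        return claims if claims.get("iss") == ISSUER else None
    except (ValueError, AttributeError):                   # malformed token
        return None

def descriptors(request_headers):
    """Model the gateway: verify x-token, derive headers from claims, build descriptors."""
    headers = {k.lower(): v for k, v in request_headers.items()}
    claims = verify(headers.get("x-token", ""))
    if claims is None:
        return None                        # rejected before rate limiting is evaluated
    for claim, header in CLAIMS_TO_HEADERS.items():
        headers.pop(header, None)          # assumption: client-supplied value is discarded
        if claim in claims:
            headers[header] = str(claims[claim])
    # A rate limit whose header is absent yields no descriptor (Envoy's default
    # for request-header actions), so a token without "number" hits only the first limit.
    return [tuple((key, headers[h]) for key, h in actions)
            for actions in RATE_LIMITS if all(h in headers for _, h in actions)]
```

A request that sends its own `x-type: free` alongside a valid token carrying `type: premium` is counted as `premium`, because only the verified claim reaches the rate limit actions.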
Learn More
We hope you found this tutorial informative and useful in your exploration of API Gateway functionality. You can watch the full webinar featuring this demo here and sign up for an upcoming webinar here.
- About Gloo open source and enterprise
- Read the docs on Rate Limiting