- What is your product version? v11.2.0
- What is your product type (Angular or MVC)? Angular
- What is product framework type (.net framework or .net core)? .net 6
Good morning all, and Happy Monday! I was interested to know if anyone had implemented a Rate Limiting strategy for AppServices or Controllers?
I had found this library: https://github.com/stefanprodan/AspNetCoreRateLimit But looking over the documentation, it appears to be heavily driven by appSettings.json. Comparing that to how the dynamic endpoints are generated through ANZ's AppService architecture, I wasn't sure that this was a good fit.
I also saw that it used IDistributedCache and wasn't sure how that would work in parallel with ANZ's CacheManager.
I am mainly interested in exploring a Rate Limiting implementation against the public endpoints. I know I can prevent DDoS attacks and other
Thanks! -Brian
4 Answer(s)
-
0
Hi,
I think I also used this library before but it was just for a specific endpoint. Could you explain how would you like to use rate limit for your endpoints ?
.NET 7 also introduces a similar feature https://devblogs.microsoft.com/dotnet/announcing-rate-limiting-for-dotnet/#:~:text=What%20is%20rate%20limiting?,handle%20much%20more%20than%20that. but you can't use it for now since we didn't release ABP with .NET 7.
-
0
Hi @ismcagdas,
The main thought behind this is for the publicly available endpoints (AllowAnonymous). For methods like TokenAuthController.Authenticate or AccountAppService.IsTenantAvailable, I think it's a reasonable consideration to want to rate-limit these endpoints.
Obviously there can be preventative measures in-place for upstream networking & security devices and rules, such as an Azure Application Gateway WAF, to implement DDoS attack prevention.
The "AspNetCoreRateLimit" project can work. I was hoping more for an Attribute-driven approach, similar to [AbpAuthorize] or [RequireFeature]. Additionally, I wasn't sure how this projects implementation of the IDistributedCache interface vs Abp's CacheManager would potentially conflict.
Thanks! -Brian
-
0
Hi @sedulen
We can work on this after .NET 7 upgrade. I created an internal issue and will start working on after .NET 7 upgrade.
-
0
Hi @ismcagdas,
We also need to do API rate limiting / throttling for third-party facing / external APIs (AppServices).
What is your product version? v12.4.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net 7
Please advise whether the attribute-driven rate limiting / throttling such as [EnableRateLimiting("Api")], sliding window limit, is available.
Please advise the steps. Thank you.
