
Implementing AppService or Controller Rate Limiting #11191


sedulen created
  • What is your product version? v11.2.0
  • What is your product type (Angular or MVC)? Angular
  • What is product framework type (.net framework or .net core)? .net 6

Good morning all, and Happy Monday! I was interested to know if anyone had implemented a Rate Limiting strategy for AppServices or Controllers?

I had found this library: https://github.com/stefanprodan/AspNetCoreRateLimit. But looking over the documentation, it appears to be heavily driven by appSettings.json. Comparing that to how the dynamic endpoints are generated through ANZ's AppService architecture, I wasn't sure that this was a good fit.

I also saw that it used IDistributedCache and wasn't sure how that would work in parallel with ANZ's CacheManager.

I am mainly interested in exploring a Rate Limiting implementation against the public endpoints. I know I can prevent DDoS attacks and other

Thanks! -Brian


4 Answer(s)
  • ismcagdas created
    Support Team

    Hi,

    I think I also used this library before but it was just for a specific endpoint. Could you explain how you would like to use rate limiting for your endpoints?

    .NET 7 also introduces a similar feature https://devblogs.microsoft.com/dotnet/announcing-rate-limiting-for-dotnet/#:~:text=What%20is%20rate%20limiting?,handle%20much%20more%20than%20that. but you can't use it for now since we didn't release ABP with .NET 7.

  • sedulen created

    Hi @ismcagdas,

    The main thought behind this is for the publicly available endpoints (AllowAnonymous). For methods like TokenAuthController.Authenticate or AccountAppService.IsTenantAvailable, I think it's a reasonable consideration to want to rate-limit these endpoints.

    Obviously there can be preventative measures in place for upstream networking & security devices and rules, such as an Azure Application Gateway WAF, to implement DDoS attack prevention.

    The "AspNetCoreRateLimit" project can work. I was hoping more for an Attribute-driven approach, similar to [AbpAuthorize] or [RequireFeature]. Additionally, I wasn't sure how this project's implementation of the IDistributedCache interface vs Abp's CacheManager would potentially conflict.

    Thanks! -Brian

  • ismcagdas created
    Support Team

    Hi @sedulen

    We can work on this after the .NET 7 upgrade. I created an internal issue and will start working on it after the .NET 7 upgrade.

  • hongbing.wang created

    Hi @ismcagdas,

    We also need to do API rate limiting / throttling for third-party facing / external APIs (AppServices).

    What is your product version? v12.4.0

    What is your product type (Angular or MVC)? Angular

    What is product framework type (.net framework or .net core)? .net 7

    Please advise whether the attribute-driven rate limiting / throttling such as [EnableRateLimiting("Api")], sliding window limit, is available.

    Please advise the steps. Thank you.
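
The attribute-driven sliding-window setup discussed in this thread, as an added example that is not from any poster or from ASP.NET Zero: it uses the stock ASP.NET Core rate limiting middleware (.NET 7 or later) on an ordinary MVC controller. Assumptions: a Web SDK project with implicit usings, a hypothetical `DemoAuthController`, and illustrative limits; whether the attribute takes effect on ABP's dynamically generated AppService endpoints is not established in this thread.

```csharp
// Added example: plain ASP.NET Core (.NET 7+) rate limiting, not ASP.NET Zero code.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddRateLimiter(options =>
{
    // Throttled callers get 429 instead of the middleware default of 503.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Policy "Api": one sliding window per client IP, so a single noisy
    // anonymous caller cannot use up the budget of every other client.
    options.AddPolicy("Api", httpContext =>
        RateLimitPartition.GetSlidingWindowLimiter(
            partitionKey: httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new SlidingWindowRateLimiterOptions
            {
                PermitLimit = 10,                 // assumed budget: 10 requests
                Window = TimeSpan.FromMinutes(1), // per rolling minute
                SegmentsPerWindow = 6,            // window slides in 10-second steps
                QueueLimit = 0                    // reject immediately, never queue
            }));
});

var app = builder.Build();
app.UseRouting();
app.UseRateLimiter();   // after UseRouting so per-endpoint policies are resolved
app.MapControllers();
app.Run();

// Hypothetical controller standing in for an anonymous login endpoint.
[ApiController]
[Route("api/[controller]")]
public class DemoAuthController : ControllerBase
{
    [HttpPost("authenticate")]
    [EnableRateLimiting("Api")]   // the attribute form asked about above
    public IActionResult Authenticate() => Ok();

    [HttpGet("ping")]
    [DisableRateLimiting]         // opts this action out of any limiter
    public IActionResult Ping() => Ok();
}
```

Behind a reverse proxy such as the Application Gateway mentioned earlier, `RemoteIpAddress` is the proxy's address unless forwarded headers are processed first, which would place every client in the same partition.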