I tried using RateLimit but since the connections don't follow a pattern it didn't work in my tests.
Example with default burst 1 and default period 1:
in the file dynamic-traefik.yaml I configured:
http:
routers:
rt-apache-websecure:
entrypoints: websecure
rule: HostRegexp(`{host:.+}`) && PathPrefix(`/`)
service: srv-apache-web
middlewares:
- ratelimit-asd
middlewares:
ratelimit-asd:
rateLimit:
average: 3
#burst: 3
#period: 1s
services:
srv-apache-web:
loadBalancer:
servers:
- url: '{{env "APACHE_HOSTNAME"}}'
I made 3 requests in the same second
┌──(root㉿kali)-[/home/git/pyflooder]
└─# pyflooder python3.12 pyflooder.py https://example.com 3
2024-09-02 08:19:35.593718-04:00 --> 0
2024-09-02 08:19:35.596678-04:00 --> 1
2024-09-02 08:19:35.598948-04:00 --> 2
<Response [200 OK]> --> 0
<Response [429 Too Many Requests]> --> 1
<Response [200 OK]> --> 2
┌──(root㉿kali)-[/home/git/pyflooder]
└─# pyflooder python3.12 pyflooder.py https://example.com 3
2024-09-02 08:19:44.432737-04:00 --> 0
2024-09-02 08:19:44.435911-04:00 --> 1
2024-09-02 08:19:44.438494-04:00 --> 2
<Response [429 Too Many Requests]> --> 1
<Response [429 Too Many Requests]> --> 2
<Response [200 OK]> --> 0
What I understood from the documentation is that average is divided by period and burst is the maximum volume. Therefore, 3(average) / 1(period) = 3 + 1(burst) = 4 requests within 1 second
Other users reported the same issue with rate-limit:
https://community.traefik.io/t/inconsistency-with-rate-limit-middleware/18190
https://stackoverflow.com/questions/74314530/need-help-understanding-traefik-rate-limit-average-value