Skip to main content
Version: 3.3

Protect API

This article describes secure your API with the rate limiting plugin for API Gateway Apache APISIX.

Concept introduction#


This represents the configuration of the plugins that are executed during the HTTP request/response lifecycle. A Plugin configuration can be bound directly to a Route, a Service, a Consumer or a Plugin Config.


If Route, Service, Plugin Config or Consumer are all bound to the same for plugins, only one plugin configuration will take effect. The priority of plugin configurations is: Consumer > Route > Plugin Config > Service. At the same time, there are 6 stages involved in the plugin execution process, namely rewrite, access, before_proxy, header_filter, body_filter and log.


Before following this tutorial, ensure you have exposed the service.

Protect your API#

We can use rate limits to limit our API services to ensure the stable operation of API services and avoid system crashes caused by some sudden traffic. We can restrict as follows:

  1. Limit the request rate;
  2. Limit the number of requests per unit time;
  3. Delay request;
  4. Reject client requests;
  5. Limit the rate of response data.

APISIX provides several plugins for limiting current and speed, including limit-conn, limit-count, limit- req and other plugins.

  • The limit-conn Plugin limits the number of concurrent requests to your services.
  • The limit-req Plugin limits the number of requests to your service using the leaky bucket algorithm.
  • The limit-count Plugin limits the number of requests to your service by a given count per time.

Next, we will use the limit-count plugin as an example to show you how to protect your API with a rate limit plugin:

  1. Create a Route.
curl -i \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
"uri": "/index.html",
"plugins": {
"limit-count": {
"count": 2,
"time_window": 60,
"rejected_code": 503,
"key_type": "var",
"key": "remote_addr"
"upstream_id": "1"

In the above configuration, a Route with ID 1 is created using the upstream made in Expose Service, and the limit-count plugin is enabled. The plugin only allows the client to access the upstream service 2 times within 60 seconds. If more than two times, the 503 error code will be returned.

  1. Test

After using the above command to access three times in a row, the following error will appear:

<head><title>503 Service Temporarily Unavailable</title></head>
<center><h1>503 Service Temporarily Unavailable</h1></center>

If the above result is returned, the limit-count plugin has taken effect and protected your API.

More Traffic plugins#

In addition to providing plugins for limiting current and speed, APISIX also offers many other plugins to meet the needs of actual scenarios:

  • proxy-cache: This plugin provides the ability to cache backend response data. It can be used with other plugins. The plugin supports both disk and memory-based caching. Currently, the data to be cached can be specified according to the response code and request mode, and more complex caching strategies can also be configured through the no_cache and cache_bypass attributes.
  • request-validation: This plugin is used to validate requests forwarded to upstream services in advance.
  • proxy-mirror: This plugin provides the ability to mirror client requests. Traffic mirroring is copying the real online traffic to the mirroring service, so that the online traffic or request content can be analyzed in detail without affecting the online service.
  • api-breaker: This plugin implements an API circuit breaker to help us protect upstream business services.
  • traffic-split: You can use this plugin to gradually guide the percentage of traffic between upstreams to achieve blue-green release and grayscale release.
  • request-id: The plugin adds a unique ID to each request proxy through APISIX for tracking API requests.
  • proxy-control: This plugin can dynamically control the behavior of NGINX proxy.
  • client-control: This plugin can dynamically control how NGINX handles client requests by setting an upper limit on the client request body size.

More Tutorials#

You can refer to the Observe API document to monitor APISIX, collect logs, and track.