Yd Ahhrk

Reputation: 1138

Why does Tomcat lack built-in rate-limit filters?

From a few sources (1 2 3), I'm getting the impression that whenever people want to rate limit requests, the tendency seems to be "wrap Tomcat behind Apache, and rate-limit on Apache". There's also the iptables solution, but that won't answer HTTP 429 ("Too many requests").

Apache is fine, but sometimes it would be nice if we could improvise small-scale deployments of a small servlet we have, but we're still being asked to rate limit requests, and setting up an Apache layer seems like a bit of overkill (at least compared to cloning a web.xml file, which we're already doing anyway).

So I'm thinking of coding a small filter to do just that (as it seems like a significant amount of non-effort) and package it with the servlet, but the eerie absence of elaborate Tomcat rate limit filters out in the open suggests that this approach might be naive. I mean, this feels so generic and so much is Open-Source-available these days. So maybe there is a really good reason that justifies the Apache solution. Apache has so many options while Tomcat seems to have none.

(Jetty does seem to ship with one such filter though, despite being a servlet container.)

Why does Tomcat lack built-in rate-limit filters?

Upvotes: 4

Views: 8000

Answers (3)

Peter

Reputation: 31

Tomcat comes with RateLimitFilter since version 9.0.76 and 10.1.9.

The configuration is done in web.xml.

Upvotes: 2
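A web.xml fragment wiring up the built-in filter this answer refers to, added here as an illustration rather than taken from the answer or from Tomcat's own documentation. The filter class name is the one Tomcat ships; the init parameter names (bucketRequests, bucketDuration, enforce, statusCode) are as I recall them from the Tomcat filter documentation, so verify them against the docs for the exact version you deploy. The values are constructed for the example.

```xml
<!-- WEB-INF/web.xml of the application being protected -->
<filter>
    <filter-name>RateLimitFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RateLimitFilter</filter-class>
    <!-- allow at most bucketRequests requests per bucketDuration seconds per client -->
    <init-param>
        <param-name>bucketRequests</param-name>
        <param-value>300</param-value>
    </init-param>
    <init-param>
        <param-name>bucketDuration</param-name>
        <param-value>60</param-value>
    </init-param>
    <!-- false only logs offenders; useful while tuning the thresholds -->
    <init-param>
        <param-name>enforce</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- status returned to a client that exceeds the limit -->
    <init-param>
        <param-name>statusCode</param-name>
        <param-value>429</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>RateLimitFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

The filter counts per client address as seen by Tomcat. If Tomcat sits behind a reverse proxy, every request arrives from the proxy's address, so all clients share one bucket; in that setup map Tomcat's RemoteIpFilter (or RemoteIpValve) ahead of it so that the remote address is the real client's, and only trust the forwarded header from proxies you control.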

JohannesB

Reputation: 2298

Tomcat is often used as an application container behind another webserver (a.k.a. reverse-proxy) that implements some functions more efficiently, like TLS-offloading, serving static resources, or spreading load (like a loadbalancer) over multiple Java processes or multiple web applications, and it makes more sense to stop an attack as efficiently and early as possible. Also, a servlet filter cannot be used for more than a single web application.

But Tomcat has a good mechanism called Valves that can be used to implement rate-limiting, see for a complete implementation:

https://github.com/ihbrune/Anti-DoS-Valve

On the downside, Valves remain Tomcat-specific, whereas Filters are portable to other web containers. Depending on your application framework (e.g. Spring MVC), the framework might offer similar options like Interceptors that you could combine with a library for rate-limiting like:

https://github.com/vladimir-bukhtoyarov/bucket4j

So you can write your own custom logic, e.g. checking the number of failed login attempts, in case of credential stuffing attacks.

Upvotes: 4
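The small self-written filter the question proposes, and the custom-logic route this answer describes, both come down to the same thing: a servlet Filter that counts requests per client and answers 429 when a threshold is exceeded. The following is an added example of such a filter, not code from the question, this answer, or any linked project. It assumes Tomcat 10+ (jakarta.servlet namespace; on Tomcat 9 the imports become javax.servlet), Java 11 or later, and the init parameter names maxRequests, windowSeconds and trustedProxies, which are invented for this example. It also shows the two caveats the answer hints at: the counters live in one JVM and one web application only, and the client identity must not be taken from a header the client itself controls.

```java
import java.io.IOException;
import java.time.Clock;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.annotation.WebInitParam;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Fixed-window, per-client rate limit: at most maxRequests requests per
 * windowSeconds, otherwise HTTP 429 with a Retry-After header.
 * State is an in-memory map, so it covers this one web application in this
 * one JVM only; a second webapp or a second Tomcat node keeps its own counters.
 * (Hypothetical example; parameter names are made up for it.)
 */
@WebFilter(urlPatterns = "/*", initParams = {
        @WebInitParam(name = "maxRequests", value = "100"),
        @WebInitParam(name = "windowSeconds", value = "60"),
        // X-Forwarded-For is honoured only when the TCP peer is one of these
        @WebInitParam(name = "trustedProxies", value = "127.0.0.1,::1")
})
public class SimpleRateLimitFilter implements Filter {

    /** Request counter for one client within one time window. */
    private static final class Window {
        final long startEpochSecond;
        final AtomicInteger count = new AtomicInteger();
        Window(long startEpochSecond) { this.startEpochSecond = startEpochSecond; }
    }

    private final Map<String, Window> windows = new ConcurrentHashMap<>();
    private final Clock clock = Clock.systemUTC();
    private int maxRequests;
    private long windowSeconds;
    private Set<String> trustedProxies;

    @Override
    public void init(FilterConfig cfg) {
        maxRequests = Integer.parseInt(cfg.getInitParameter("maxRequests"));
        windowSeconds = Long.parseLong(cfg.getInitParameter("windowSeconds"));
        trustedProxies = Set.of(cfg.getInitParameter("trustedProxies").split("\\s*,\\s*"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String client = clientKey(request);
        long now = clock.instant().getEpochSecond();
        long windowStart = now - (now % windowSeconds);

        // Start a fresh counter when a new window begins; compute() is atomic per key.
        Window w = windows.compute(client, (k, old) ->
                (old == null || old.startEpochSecond != windowStart) ? new Window(windowStart) : old);

        if (w.count.incrementAndGet() > maxRequests) {
            // Tell well-behaved clients when the current window ends (1..windowSeconds).
            response.setStatus(429);
            response.setHeader("Retry-After", Long.toString(windowStart + windowSeconds - now));
            response.setContentType("text/plain");
            response.getWriter().println("Too Many Requests");
            return;
        }

        // Cheap housekeeping so the map cannot grow without bound under many distinct clients.
        if (windows.size() > 10_000) {
            windows.entrySet().removeIf(e -> e.getValue().startEpochSecond != windowStart);
        }
        chain.doFilter(req, res);
    }

    /**
     * Identity used for counting. X-Forwarded-For is client-supplied, so it is
     * used only when the direct peer is a trusted proxy; otherwise a client could
     * send a different fake address on every request and never reach the limit.
     * The trusted proxy appends the address it saw at the end of the header, so
     * with a single trusted hop the right-most entry is the real client and
     * anything to its left came from the client itself.
     */
    String clientKey(HttpServletRequest request) {
        String peer = request.getRemoteAddr();
        String xff = request.getHeader("X-Forwarded-For");
        if (xff != null && trustedProxies.contains(peer)) {
            String[] hops = xff.split("\\s*,\\s*");
            return hops[hops.length - 1].trim();
        }
        return peer;
    }
}
```

Because the filter is registered with @WebFilter it needs no web.xml entry, which keeps it inside the deployable the question wants to ship as a unit. To count only failed logins, as the answer suggests for credential stuffing, the same structure applies: wrap the response, inspect the status after chain.doFilter, and increment the counter only on a 401 for the login path.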

Christopher Schultz

Reputation: 20862

Tomcat sure does have a rate-limit filter valve built-in. You just have to modify it to suit your needs.

Upvotes: 3
