Rate Limiter
A "rate limiter" controls how frequently some event (e.g. an HTTP request or a login attempt) is allowed to happen. Rate limiting is commonly used as a defensive measure to protect services from excessive use (intended or not) and maintain their availability. It's also useful to control your internal or outbound processes (e.g. limit the number of simultaneously processed messages).
Symfony uses these rate limiters in built-in features like login throttling, which limits how many failed login attempts a user can make in a given period of time, but you can use them for your own features too.
Danger
By definition, the Symfony rate limiters require Symfony to be booted in a PHP process. This makes them not useful to protect against DoS attacks. Such protections must consume the least resources possible. Consider using Apache mod_ratelimit, NGINX rate limiting, Caddy HTTP rate limit module (also supported by FrankenPHP) or proxies (like AWS or Cloudflare) to prevent your server from being overwhelmed.
Rate Limiting Policies
Symfony's rate limiter implements some of the most common policies to enforce rate limits: fixed window, sliding window, token bucket.
Fixed Window Rate Limiter
This is the simplest technique and it's based on setting a limit for a given interval of time (e.g. 5,000 requests per hour or 3 login attempts every 15 minutes).
In the diagram below, the limit is set to "5 tokens per hour". Each window starts at the first hit (i.e. 10:15, 11:30 and 12:30). As soon as there are 5 hits (the blue squares) in a window, all others will be rejected (red squares).
Its main drawback is that resource usage is not evenly distributed in time and it can overload the server at the window edges. In this example, there were 6 accepted requests between 11:00 and 12:00.
This is more significant with bigger limits. For instance, with 5,000 requests per hour, a user could make 4,999 requests in the last minute of some hour and another 5,000 requests during the first minute of the next hour, making 9,999 requests in total in two minutes and possibly overloading the server. These periods of excessive usage are called "bursts".
Sliding Window Rate Limiter
The sliding window algorithm is an alternative to the fixed window algorithm designed to reduce bursts. This is the same example as above, but then using a 1 hour window that slides over the timeline:
As you can see, this removes the edges of the window and would prevent the 6th request at 11:45.
To achieve this, the rate limit is approximated based on the current window and the previous window.
For example: the limit is 5,000 requests per hour; a user made 4,000 requests the previous hour and 500 requests this hour. 15 minutes in to the current hour (25% of the window) the hit count would be calculated as: 75% * 4,000 + 500 = 3,500. At this point in time the user can only do 1,500 more requests.
The math shows that the closer the last window is, the more the hit count of the last window will affect the current limit. This will make sure that a user can do 5,000 requests per hour but only if they are evenly spread out.
Token Bucket Rate Limiter
This technique implements the token bucket algorithm, which defines continuously updating the budget of resource usage. It roughly works like this:
- A bucket is created with an initial set of tokens;
- A new token is added to the bucket with a predefined frequency (e.g. every second);
- Allowing an event consumes one or more tokens;
- If the bucket still contains tokens, the event is allowed; otherwise, it's denied;
- If the bucket is at full capacity, new tokens are discarded.
The below diagram shows a token bucket of size 4 that is filled with a rate of 1 token per 15 minutes:
This algorithm handles more complex back-off burst management. For instance, it can allow a user to try a password 5 times and then only allow 1 every 15 minutes (unless the user waits 75 minutes and they will be allowed 5 tries again).
Installation
Before using a rate limiter for the first time, run the following command to install the associated Symfony Component in your application:
1
$ composer require symfony/rate-limiter
Configuration
The following example creates two different rate limiters for an API service, to enforce different levels of service (free or paid):
1 2 3 4 5 6 7 8 9 10 11 12
# config/packages/rate_limiter.yaml
framework:
rate_limiter:
anonymous_api:
# use 'sliding_window' if you prefer that policy
policy: 'fixed_window'
limit: 100
interval: '60 minutes'
authenticated_api:
policy: 'token_bucket'
limit: 5000
rate: { interval: '15 minutes', amount: 500 }
Note
The value of the interval
option must be a number followed by any of the
units accepted by the PHP date relative formats (e.g. 3 seconds
,
10 hours
, 1 day
, etc.)
In the anonymous_api
limiter, after making the first HTTP request, you can
make up to 100 requests in the next 60 minutes. After that time, the counter
resets and you have another 100 requests for the following 60 minutes.
In the authenticated_api
limiter, after making the first HTTP request you
are allowed to make up to 5,000 HTTP requests in total, and this number grows
at a rate of another 500 requests every 15 minutes. If you don't make that
number of requests, the unused ones don't accumulate (the limit
option
prevents that number from being higher than 5,000).
Tip
All rate-limiters are tagged with the rate_limiter
tag, so you can
find them with a tagged iterator or
locator.
7.1
The automatic addition of the rate_limiter
tag was introduced
in Symfony 7.1.
Rate Limiting in Action
Injecting the Rate Limiter Service
After having configured one or more rate limiters, you have two ways of injecting them in any service or controller:
(1) Use a specific argument name
Type-hint your constructor/method argument with RateLimiterFactoryInterface
and name
the argument using this pattern: "rate limiter name in camelCase" + Limiter
suffix.
For example, to inject the anonymous_api
limiter defined earlier, use an
argument named $anonymousApiLimiter
:
1 2 3 4 5 6 7 8 9 10 11 12 13 14
// src/Controller/ApiController.php
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
class ApiController extends AbstractController
{
public function index(RateLimiterFactoryInterface $anonymousApiLimiter): Response
{
// ...
}
}
(2) Use the #[Target]
attribute
When dealing with multiple implementations of the same type
the #[Target]
attribute helps you select which one to inject. Symfony creates
a target with the same name as the rate limiter.
For example, to select the anonymous_api
limiter defined earlier, use
anonymous_api.limiter
as the target:
1 2 3 4 5 6 7 8 9 10 11 12
// ...
use Symfony\Component\DependencyInjection\Attribute\Target;
class ApiController extends AbstractController
{
public function index(
#[Target('anonymous_api')] RateLimiterFactoryInterface $rateLimiter
): Response
{
// ...
}
}
7.3
RateLimiterFactoryInterface was added and should now be used for autowiring instead of RateLimiterFactory.
7.4
Before Symfony 7.4, the target name had to include the .limiter
suffix (e.g. #[Target('anonymous_api.limiter')]
).
Using the Rate Limiter Service
After having injected the rate limiter in any service or controller, call the
consume()
method to try to consume a given number of tokens. For example,
this controller uses the previous rate limiter to control the number of requests
to the API:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
// src/Controller/ApiController.php
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
class ApiController extends AbstractController
{
// the argument name here is important; read the previous section about
// how to inject a specific rate limiter service
public function index(Request $request, RateLimiterFactoryInterface $anonymousApiLimiter): Response
{
// create a limiter based on a unique identifier of the client
// (e.g. the client's IP address, a username/email, an API key, etc.)
$limiter = $anonymousApiLimiter->create($request->getClientIp());
// the argument of consume() is the number of tokens to consume
// and returns an object of type Limit
if (false === $limiter->consume(1)->isAccepted()) {
throw new TooManyRequestsHttpException();
}
// you can also use the ensureAccepted() method - which throws a
// RateLimitExceededException if the limit has been reached
// $limiter->consume(1)->ensureAccepted();
// to reset the counter
// $limiter->reset();
// ...
}
}
Note
In a real application, instead of checking the rate limiter in all the API controller methods, create an event listener or subscriber for the kernel.request event and check the rate limiter once for all requests.
Wait until a Token is Available
Instead of dropping a request or process when the limit has been reached,
you might want to wait until a new token is available. This can be achieved
using the reserve()
method:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
// src/Controller/ApiController.php
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
class ApiController extends AbstractController
{
public function registerUser(Request $request, RateLimiterFactoryInterface $authenticatedApiLimiter): Response
{
$apiKey = $request->headers->get('apikey');
$limiter = $authenticatedApiLimiter->create($apiKey);
// this blocks the application until the given number of tokens can be consumed
$limiter->reserve(1)->wait();
// optional, pass a maximum wait time (in seconds), a MaxWaitDurationExceededException
// is thrown if the process has to wait longer. E.g. to wait at most 20 seconds:
//$limiter->reserve(1, 20)->wait();
// ...
}
// ...
}
The reserve()
method is able to reserve a token in the future. Only use
this method if you're planning to wait, otherwise you will block other
processes by reserving unused tokens.
Note
Not all strategies allow reserving tokens in the future. These
strategies may throw a ReserveNotSupportedException
when calling
reserve()
.
In these cases, you can use consume()
together with wait()
, but
there is no guarantee that a token is available after the wait:
1 2 3 4 5
// ...
do {
$limit = $limiter->consume(1);
$limit->wait();
} while (!$limit->isAccepted());
Exposing the Rate Limiter Status
When using a rate limiter in APIs, it's common to include some standard HTTP headers in the response to expose the limit status (e.g. remaining tokens, when new tokens will be available, etc.)
Use the RateLimit object returned by
the consume()
method (also available via the getRateLimit()
method of
the Reservation object returned by the
reserve()
method) to get the value of those HTTP headers:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
// src/Controller/ApiController.php
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
class ApiController extends AbstractController
{
public function index(Request $request, RateLimiterFactoryInterface $anonymousApiLimiter): Response
{
$limiter = $anonymousApiLimiter->create($request->getClientIp());
$limit = $limiter->consume();
$headers = [
'X-RateLimit-Remaining' => $limit->getRemainingTokens(),
'X-RateLimit-Retry-After' => $limit->getRetryAfter()->getTimestamp() - time(),
'X-RateLimit-Limit' => $limit->getLimit(),
];
if (false === $limit->isAccepted()) {
return new Response(null, Response::HTTP_TOO_MANY_REQUESTS, $headers);
}
// ...
$response = new Response('...');
$response->headers->add($headers);
return $response;
}
}
Storing Rate Limiter State
All rate limiter policies require to store their state (e.g. how many hits were
already made in the current time window). By default, all limiters use the
cache.rate_limiter
cache pool created with the Cache component.
This means that every time you clear the cache, the rate limiter will be reset.
You can use the cache_pool
option to override the cache used by a specific limiter
(or even create a new cache pool for it):
1 2 3 4 5 6 7 8
# config/packages/rate_limiter.yaml
framework:
rate_limiter:
anonymous_api:
# ...
# use the "cache.anonymous_rate_limiter" cache pool
cache_pool: 'cache.anonymous_rate_limiter'
Note
Instead of using the Cache component, you can also implement a custom
storage. Create a PHP class that implements the
StorageInterface and
use the storage_service
setting of each limiter to the service ID
of this class.
Using Locks to Prevent Race Conditions
Race conditions can happen when the same rate limiter is used by multiple simultaneous requests (e.g. three servers of a company hitting your API at the same time). Rate limiters use locks to protect their operations against these race conditions.
By default, if the lock component is installed, Symfony uses the
global lock configured by framework.lock
, but you can use a specific
named lock via the lock_factory
option (or none
at all):
1 2 3 4 5 6 7 8 9 10 11
# config/packages/rate_limiter.yaml
framework:
rate_limiter:
anonymous_api:
# ...
# use the "lock.rate_limiter.factory" for this limiter
lock_factory: 'lock.rate_limiter.factory'
# or don't use any lock mechanism
lock_factory: null
7.3
Before Symfony 7.3, configuring a rate limiter and using the default configured
lock factory (lock.factory
) failed if the Symfony Lock component was not
installed in the application.
Compound Rate Limiter
7.3
Support for configuring compound rate limiters was introduced in Symfony 7.3.
You can configure multiple rate limiters to work together:
1 2 3 4 5 6 7 8 9 10 11 12 13 14
# config/packages/rate_limiter.yaml
framework:
rate_limiter:
two_per_minute:
policy: 'fixed_window'
limit: 2
interval: '1 minute'
five_per_hour:
policy: 'fixed_window'
limit: 5
interval: '1 hour'
contact_form:
policy: 'compound'
limiters: [two_per_minute, five_per_hour]
Then, inject and use as normal:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
// src/Controller/ContactController.php
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
class ContactController extends AbstractController
{
public function registerUser(Request $request, RateLimiterFactoryInterface $contactFormLimiter): Response
{
$limiter = $contactFormLimiter->create($request->getClientIp());
if (false === $limiter->consume(1)->isAccepted()) {
// either of the two limiters has been reached
}
// ...
}
// ...
}