Rate Limiting API Requests

The Magento API is most commonly used when a store is integrated with a third-party platform (e.g. EPOS, ERP or multi-channel). It is also one of the slowest components of a Magento store, being particularly heavy on both PHP processes and MySQL.

It is possible (and common) for external services to make heavy use of the Magento API without regard for the potential impact on the store itself. This can lead to excessive resource consumption, subsequent downtime and potential loss of sales, so preventing it is important.

MageStack includes a facility to deliberately slow the rate of API requests, to ensure a production store remains unaffected by an aggressive API connection. The rate limit is applied per IP address, so setting a limit will only restrict request rate from a single location. If you have multiple API connections, they will maintain their own independent limit.

Options

Five different rate limits are available:

Rate limit                 Flag
1 per second  (1 / 1s)     one_per_second
12 per minute (1 / 5s)     one_per_five_seconds
6 per minute  (1 / 10s)    one_per_ten_seconds
2 per minute  (1 / 30s)    one_per_thirty_seconds
1 per minute  (1 / 60s)    one_per_sixty_seconds

Enabling API Rate Limiter

To enable rate limiting of API requests, you only need to set a single variable in your vhost configuration.

Edit your ___general/example.com.conf (where example.com is your chosen domain) and add:

set $magestack_api_limit one_per_thirty_seconds;

Then restart Nginx via Monit.

The flag (one_per_thirty_seconds in the example above) can be changed to any of the available flags. Using an invalid flag will result in the rate limiter being disabled, so check the spelling of the flag after editing: a typo silently removes the protection rather than failing loudly.

Examples

Rate limit API to 1 request per 10 seconds

set $magestack_api_limit one_per_ten_seconds;

Conditionally rate limit by IP address to 1 request per 10 seconds (the pattern is anchored so that it matches only 192.168.1.1, and not 192.168.1.10 or 192.168.1.100 as an unanchored "192\.168\.1\.1" would):

if ($remote_addr ~ "^192\.168\.1\.1$") {
  set $magestack_api_limit one_per_ten_seconds;
}

Conditionally rate limit by user agent to 1 request per 10 seconds. Note that the User-Agent header is supplied by the client and is trivial to change, so a user-agent match is only useful for throttling a known, well-behaved integration; for anything you do not trust, match on the address instead.

if ($http_user_agent ~* "YandexBot") {
  set $magestack_api_limit one_per_ten_seconds;
}
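The page does not show how MageStack implements the $magestack_api_limit flag. As an added illustration (not MageStack's own configuration), the stock-nginx pattern below does the same job: a map turns the per-vhost flag into a per-IP key for a limit_req zone, and any flag not listed in the map yields an empty key, which nginx does not count, so an invalid flag disables the limiter exactly as the text describes. The variable names ($api_key_10s, $api_key_30s), zone names and the /api/ location are assumptions made here.

```nginx
http {
    # One map per flag: yield the client address as the zone key only when the
    # flag matches. The default "" is the "invalid flag disables limiting" case,
    # because nginx does not account requests whose limit_req key is empty.
    map $magestack_api_limit $api_key_10s {
        one_per_ten_seconds    $binary_remote_addr;
        default                "";
    }
    map $magestack_api_limit $api_key_30s {
        one_per_thirty_seconds $binary_remote_addr;
        default                "";
    }

    # rate=6r/m admits one request every 10 s per key (per IP);
    # rate=2r/m admits one request every 30 s per key.
    limit_req_zone $api_key_10s zone=api_10s:10m rate=6r/m;
    limit_req_zone $api_key_30s zone=api_30s:10m rate=2r/m;

    server {
        server_name example.com;

        # Equivalent of the vhost setting on this page: every API client gets
        # 1 request per 30 s unless a condition below picks a different flag.
        set $magestack_api_limit one_per_thirty_seconds;

        # Anchored match: only 192.168.1.1, not 192.168.1.10 or 192.168.1.100.
        if ($remote_addr ~ "^192\.168\.1\.1$") {
            set $magestack_api_limit one_per_ten_seconds;
        }

        # Assumed API path; the limit is scoped here so normal storefront
        # traffic is untouched. Both zones are consulted, but only the one
        # whose map produced a non-empty key actually counts the request.
        location ~ ^/api/ {
            limit_req zone=api_10s;
            limit_req zone=api_30s;
            limit_req_status 429;        # tell the integration to back off
            limit_req_log_level warn;    # rejected requests land in error_log
            # existing PHP handling for the API endpoint goes here
        }
    }
}
```

With no burst parameter, excess requests are rejected immediately rather than queued, which is the behaviour you want when the goal is to protect the store rather than to smooth the client's traffic.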