Rate Limiting API Requests
The Magento API is most commonly used when a store is integrated with a 3rd party platform (e.g. EPOS/ERP/multi-channel). It is also a slow component of a Magento store, being particularly heavy on both PHP processes and MySQL.
It is possible (and common) for external services to make heavy use of the Magento API without regard for the impact on the store itself. This can lead to excessive resource consumption, subsequent downtime and potential loss of sales, so it is important to prevent it.
MageStack includes a facility to deliberately slow the rate of API requests, to ensure a production store remains unaffected by an aggressive API connection. The rate limit is applied per IP address, so setting a limit will only restrict the request rate from a single location. If you have multiple API connections from different IP addresses, each maintains its own independent limit.
Options
Five different rate limits are available:
Rate Limit | Flag |
---|---|
1 per second (1 / 1s) | one_per_second |
12 per minute (1 / 5s) | one_per_five_seconds |
6 per minute (1 / 10s) | one_per_ten_seconds |
2 per minute (1 / 30s) | one_per_thirty_seconds |
1 per minute (1 / 60s) | one_per_sixty_seconds |
Enabling API Rate Limiter
To enable rate limiting of API requests, you only need to set a single variable in your vhosts configuration.
Edit your ___general/example.com.conf (where example.com is your chosen domain), and add:
set $magestack_api_limit one_per_thirty_seconds;
Then restart Nginx via Monit.
The flag (one_per_thirty_seconds in the example above) can be changed to any of the available flags. Using an invalid flag will result in the rate limiter being disabled.
Examples
Rate limit API to 1 request per 10 seconds
set $magestack_api_limit one_per_ten_seconds;
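Conditionally rate limit by IP to 1 request per 10 seconds
# Anchored with ^ and $ so that only 192.168.1.1 matches;
# an unanchored pattern would also match 192.168.1.10, 192.168.1.100, etc.
if ($remote_addr ~* "^192\.168\.1\.1$") {
    set $magestack_api_limit one_per_ten_seconds;
}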
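Conditionally rate limit by user agent to 1 request per 10 seconds
# User-Agent is supplied by the client, so this only limits
# clients that actually send this string.
if ($http_user_agent ~* "YandexBot") {
    set $magestack_api_limit one_per_ten_seconds;
}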
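Because an invalid flag disables the rate limiter rather than producing an error, a misspelled flag leaves the API unprotected. The following check is an added example, not part of MageStack: it scans a vhost configuration for every `set $magestack_api_limit` line and reports whether the flag is one of the five listed in the table above. The function name `audit_api_limit` and the sample configuration are constructed for illustration.

```python
import re

# The five flags from the table above, mapped to seconds between requests.
VALID_FLAGS = {
    "one_per_second": 1,
    "one_per_five_seconds": 5,
    "one_per_ten_seconds": 10,
    "one_per_thirty_seconds": 30,
    "one_per_sixty_seconds": 60,
}

# Matches the directive anywhere on a line, with or without quotes round the flag.
SET_RE = re.compile(r'\bset\s+\$magestack_api_limit\s+["\']?([^"\';\s}]*)')

# Constructed sample: one valid flag, one misspelled flag, one commented-out line.
SAMPLE_CONF = """\
# constructed sample vhost fragment
set $magestack_api_limit one_per_thirty_seconds;
if ($http_user_agent ~* "YandexBot") {
    set $magestack_api_limit one_per_10_seconds;
}
# set $magestack_api_limit one_per_second;
"""


def audit_api_limit(conf_text):
    """Return (line_no, flag, status) for each active set directive."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        active = line.split("#", 1)[0]  # ignore nginx comments
        match = SET_RE.search(active)
        if not match:
            continue
        flag = match.group(1)
        if flag in VALID_FLAGS:
            status = "ok: 1 request per %ds per IP" % VALID_FLAGS[flag]
        else:
            status = "INVALID flag: rate limiter disabled"
        findings.append((line_no, flag, status))
    return findings


if __name__ == "__main__":
    for line_no, flag, status in audit_api_limit(SAMPLE_CONF):
        print("line %d: %s -> %s" % (line_no, flag, status))
```

Running it against the real ___general/example.com.conf before restarting Nginx catches a misspelled flag that would otherwise go unnoticed.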