A high-performance, Dockerized rate limiting microservice built with Node.js, TypeScript, Redis, Lua scripting, and Redis Cluster, implementing multiple real-world algorithms used in API Gateways.
✔ Implements four industry-standard algorithms:
- Fixed Window
- Sliding Window
- Token Bucket
- Leaky Bucket
✔ Redis Cluster support for high scalability
✔ Atomic operations using Lua
✔ /metrics endpoint aggregates: allowedRequests, blockedRequests, tokensRemaining, resetTime, totalRequests
✔ Dockerized microservice
✔ Basic Auth (for testing)
✔ Modular folder structure
Planned:
- Sliding Window Log algorithm
- Load balancing layer
- API Keys & RBAC (Redis-only possible)
- Middleware-level caching
- Gateway features:
  - rate limiting
  - authentication
  - load balancing
  - circuit breaking
- Prometheus/Grafana dashboards
- Distributed tracing (OpenTelemetry)
Node.js • TypeScript • Express.js • Redis / Redis Cluster • Lua • Zod • Docker & Docker Compose
Client → API Gateway (future) → Rate Limiter Service → Redis / Redis Cluster
- Each algorithm uses:
  - Dedicated Redis keys
  - Atomic Lua scripts
  - Isolated logic for dashboard comparison
1️⃣ Fixed Window Algorithm
The Fixed Window algorithm assigns a fixed number of allowed requests inside a fixed time window.
- Example: 10 requests per 60 seconds
- Requests exceeding limit → blocked
- Counter resets when next window starts
- 10 requests at 59th sec + 10 at 1st sec of next window → 20 requests in 2 sec → possible overload
- Reason: tracks only current window, not the last 60 seconds
2️⃣ Token Bucket Algorithm
Models request capacity as tokens held in a bucket.
- Bucket has fixed capacity
- Tokens refill at a fixed rate
- Each request consumes 1 token
- If tokens exist → request allowed, else blocked
- Supports bursts up to bucket capacity
- Smooth traffic control
- Capacity = 10 tokens, Refill = 1 token/sec
- 10 requests → allowed
- 11th → blocked
- After 1 sec → 1 token refills → allowed
3️⃣ Leaky Bucket Algorithm
Ensures constant output rate.
- Requests enter a queue (bucket)
- Processed at fixed leak rate
- If bucket full → request rejected
- Smooth & uniform traffic
- Prevents burst attacks
- Protects server load
- No bursts allowed
- Example: Leak rate = 5 req/sec → 100 requests arrive → only 5 processed/sec, rest queued/rejected
4️⃣ Sliding Window Algorithm
Improves Fixed Window by tracking requests in the last N seconds, not fixed blocks.
- Fairer distribution
- Prevents burst issues at window edges
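The boundary burst described under Fixed Window, and the way Sliding Window closes it, can be reproduced with a small in-memory simulation. This is an added example, not code from the project: the function names are hypothetical, the clock is passed in explicitly, and the sliding window is modelled as a timestamp log, which may differ from the service's Redis/Lua implementation.

```typescript
// Added example: in-memory models of the two limiters (the service itself uses Redis + Lua).
// Timestamps are passed in explicitly, in seconds, so the run is deterministic.
type Limiter = (nowSec: number) => boolean;

// Fixed window: one counter per window index floor(now / windowSec).
function fixedWindow(limit: number, windowSec: number): Limiter {
  let windowId = -1;
  let count = 0;
  return (nowSec: number): boolean => {
    const id = Math.floor(nowSec / windowSec);
    if (id !== windowId) {
      windowId = id; // a new window has started
      count = 0;     // the counter forgets everything before the boundary
    }
    if (count >= limit) return false;
    count++;
    return true;
  };
}

// Sliding window (assumed log model): remember accepted requests from the last windowSec seconds.
function slidingWindow(limit: number, windowSec: number): Limiter {
  let accepted: number[] = [];
  return (nowSec: number): boolean => {
    accepted = accepted.filter((t) => t > nowSec - windowSec); // drop expired entries
    if (accepted.length >= limit) return false;
    accepted.push(nowSec);
    return true;
  };
}

// Constructed traffic: 10 requests at t=59s, then 10 more at t=60s (first second of the next window).
function boundaryBurst(limiter: Limiter): number {
  const arrivals: number[] = [
    ...new Array<number>(10).fill(59),
    ...new Array<number>(10).fill(60),
  ];
  return arrivals.filter((t) => limiter(t)).length;
}

const fixedAllowed = boundaryBurst(fixedWindow(10, 60));     // 20: both bursts pass
const slidingAllowed = boundaryBurst(slidingWindow(10, 60)); // 10: second burst is blocked
console.log({ fixedAllowed, slidingAllowed });
```

With a limit of 10 per 60 seconds, the fixed window admits all 20 requests across the boundary, while the sliding window admits only the first 10.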
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/limiter/test | Fixed Window |
| POST | /api/limiter/sliding | Sliding Window |
| POST | /api/limiter/tokenbucket | Token Bucket |
| POST | /api/limiter/leakybucket | Leaky Bucket |
| POST | /api/limiter/all | Run all algorithms together |
| GET | /api/limiter/metrics | Get aggregated metrics |
```json
{
  "activeKeys": 1,
  "response": {
    "allowed": true,
    "remaining": 9,
    "resetTime": 1703174400
  },
  "blockedRequests": 27,
  "allowedRequests": 67,
  "totalRequests": 94
}
```

```bash
# Clone the repository
git clone https://github.com/Anshikakalpana/rate-limiter
cd rate-limiter
# Start with Docker Compose
docker compose up --build
```

Starts:
- Redis Cluster
- Node.js server
- Lua scripts loaded automatically
Test bursts, allowed vs blocked, algorithm comparison via /metrics
Tools: Postman Runner, k6, Artillery, JMeter
Postman collection to test all endpoints
- Sliding Window Log algorithm
- API Keys & RBAC (Redis-only)
- Middleware caching
- Load balancing
- Circuit breaking
- Prometheus/Grafana dashboards
- Distributed tracing (OpenTelemetry)
MIT License - free for personal & commercial use.
Contributions, issues, and feature requests are welcome!
Feel free to check the issues page.
Give a ⭐️ if this project helped you!
Made with ❤️ by Anshika Kalpana