Quota policy based on target endpoint response status code

Hi Community,

I want to limit only 10 requests per minute, if the target endpoint response was 400 or 403 in the prior hit.

So if the user makes an 11th request, I don't want to hit the target endpoint for a minute, and instead send back a 429 from the Apigee proxy itself without calling my down-line service.

Can someone please help: how can I achieve this using the Quota policy or any other policy?

Thanks in advance!

@anilsagar


Hi, while you could have:

1. a Quota policy that runs after the backend conditionally, when the server returns a 400/403;

2. set a flag in something like Memorystore for a minute when they exceed the quota;

3. perform a lookup in Memorystore for every incoming request, before the backend, to see if that user was already flagged;

what's the actual intent of doing this? A 400 or 403 implies there's something wrong with the user's request or with permissions. Presumably they'll continue to get more 400s or 403s after a minute anyway, so this doesn't help address the user's invalid request.

Yes, what are we solving for?

Thanks @Dane for your response,

Do we need to use the KVM to store the flag for the user as the "memorystore", or do we have some other option in Apigee, like a global-variable kind of thing? We want to restrict individual users based on quota, instead of the whole base path.

This use case is to limit unauthorized (401 or 403, etc.) users hitting the target endpoint: to limit this kind of request at the Apigee gateway layer and avoid calling the target endpoint again and again.

Any suggestion for this use case is appreciated.

Again, if you're trying to limit "unauthorized" requests, why? You just don't want to have "bad requests"? I think trying to add policies to prevent this isn't providing any actual value.

Or are you trying to make it more difficult for some kind of brute-forcing / dictionary-based attack on the APIs? In that case, would a malicious user just use more clients? It's not clear to me what you're intending to solve for. And is this based on actual behaviour, or just trying to solve for hypothetical scenarios?

Memorystore is a Google Cloud service. If you use the KVM, then you also need to think about how you know when the 1 minute is up, for example...
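The three-step approach Dane outlines above (count 400/403 responses after the backend, flag the user for a minute once the quota is exceeded, and check the flag before the backend), together with the "how do you know when the minute is up" point, as an added Python simulation that is not part of this thread and not Apigee's own code. An in-memory dict with an expiry timestamp stands in for Memorystore or the KVM; the user identifier, the 400/403 status set, and the always-rejecting backend are constructed assumptions.

```python
import time
from collections import deque

FAILURE_LIMIT = 10        # 400/403 responses allowed per user per window
WINDOW_SECONDS = 60       # sliding window over which failures are counted
BLOCK_SECONDS = 60        # how long a flagged user gets a 429 at the gateway
FLAG_STATUSES = {400, 403}  # assumed: the backend statuses that count


class FailureGate:
    """Per-user failure quota plus a flag with an expiry (the 'minute is up' check)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}       # user_id -> deque of failure timestamps
        self.blocked_until = {}  # user_id -> expiry time; stands in for a Memorystore/KVM flag

    def _prune(self, user_id, now):
        # Drop failures that fell out of the sliding window.
        q = self.failures.setdefault(user_id, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def pre_check(self, user_id):
        """Step 3: lookup before the backend. Returns 429 while the flag is live, else None."""
        now = self.clock()
        expiry = self.blocked_until.get(user_id)
        if expiry is not None:
            if now < expiry:
                return 429
            del self.blocked_until[user_id]  # the minute is up: clear the flag
        return None

    def record_response(self, user_id, status):
        """Steps 1 and 2: count a 400/403 after the backend; set the flag when the quota is used up."""
        if status not in FLAG_STATUSES:
            return False
        now = self.clock()
        q = self._prune(user_id, now)
        q.append(now)
        if len(q) >= FAILURE_LIMIT:
            self.blocked_until[user_id] = now + BLOCK_SECONDS
            q.clear()
            return True
        return False


def handle_request(gate, user_id, backend):
    """Gateway flow: flag lookup, then backend call, then failure accounting."""
    status = gate.pre_check(user_id)
    if status is not None:
        return status           # 429 from the proxy, backend not called
    status = backend(user_id)
    gate.record_response(user_id, status)
    return status


def simulate():
    """Constructed scenario: a client that keeps getting 403 from the backend."""
    clock = [0.0]
    gate = FailureGate(clock=lambda: clock[0])
    backend_calls = []

    def backend(user_id):       # constructed backend that always rejects
        backend_calls.append(user_id)
        return 403

    results = [handle_request(gate, "alice", backend) for _ in range(12)]
    calls_before_expiry = len(backend_calls)
    clock[0] += BLOCK_SECONDS + 1   # advance past the flag's expiry
    after = handle_request(gate, "alice", backend)
    return results, calls_before_expiry, after


if __name__ == "__main__":
    print(simulate())
```

The 10th consecutive 403 uses up the quota and sets the flag, so requests 11 and 12 are answered 429 by the gate without reaching the backend; once the expiry passes, the flag is cleared and the next request goes through again. Successful (non-400/403) responses never touch the counter, so well-behaved users of the same proxy are unaffected.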

I want to limit unauthorized calls, and I agree a malicious user can use more clients, etc. At least I will try to block them at the max count of 10 in a minute.