by throwaway2016a 2890 days ago
For read and search operations I typically rate limit per machine based on the probability that a machine gets hit, using a machine signature. And as a secondary (more lenient) metric, just IP.

I don't centrally track rates unless a signature comes close to 1/N the limit where N is the number of nodes. At which point I will talk to the other nodes Peer to Peer.

Can still be abused but works pretty well most of the time. It also doesn't work if you have a number of nodes that is approximating your rate limit because if you do, you hit 1/N on request #1.

For that reason I tend to choose pretty lenient rate limits (call it one request a second with bursts in a 5 minute window).

For write I use OAuth2 with bearer tokens being a JWT token with a short expiry. I only need to maintain a blacklist of invalidated tokens for the length of the expiry. Rate limiting would work the same way as reads.

1 comment
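An added sketch of the scheme described in the comment above (example code, not the commenter's own): each node keeps a sliding-window count per client signature and only sums counts across peers once its local count nears limit/N. It assumes a shared `peers` list standing in for the peer-to-peer link, one signature, and a constructed round-robin workload; `simulate` also reproduces the failure mode the comment mentions, where N close to the limit forces coordination on request #1.

```python
import math
from collections import defaultdict, deque


class Node:
    """One API node; `peers` is the full node list, standing in for the P2P link."""

    def __init__(self, limit, window, peers):
        self.limit = limit        # global requests per signature per window
        self.window = window      # window length in seconds
        self.peers = peers        # hypothetical peer list (includes self)
        self.hits = defaultdict(deque)  # signature -> timestamps of accepted hits
        self.coordinations = 0    # how often this node had to ask its peers

    def local_count(self, sig, now):
        """Count this node's accepted hits for `sig` inside the sliding window."""
        q = self.hits[sig]
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q)

    def allow(self, sig, now):
        """Decide locally; consult peers only once this node alone nears limit/N."""
        local = self.local_count(sig, now)
        if local + 1 >= self.limit / len(self.peers):
            # This node's 1/N share of the budget is used up: sum the peers' counts.
            self.coordinations += 1
            total = sum(p.local_count(sig, now) for p in self.peers)
        else:
            total = local
        if total >= self.limit:
            return False
        self.hits[sig].append(now)
        return True


def make_cluster(n, limit, window):
    nodes = []
    for _ in range(n):
        nodes.append(Node(limit, window, nodes))
    return nodes


def simulate(n, limit, requests, window=300):
    """Round-robin `requests` hits for one signature; return (allowed, coordinations)."""
    nodes = make_cluster(n, limit, window)
    allowed = 0
    for i in range(requests):
        # Constructed input: one request per second from a single client signature.
        if nodes[i % n].allow("sig-constructed", now=float(i)):
            allowed += 1
    return allowed, sum(node.coordinations for node in nodes)
```

With 4 nodes and a limit of 100, no peer traffic occurs until a node has seen 25 hits; with 10 nodes and a limit of 10, every request triggers coordination.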

Great info -- thanks!