Skip to main content

Module limiter

edgeguard

Module limiter 

Source
Expand description

Distributed (shared-store) rate limiting (Phase 4 / v2).

The default limiter (ratelimit.store = "local") is the in-process governor limiter wired up in [crate::lib]; it is fast and dependency-free but counts per replica, so three instances behind a load balancer allow 3× the configured rate. This module adds a shared-store limiter so N replicas enforce one global limit.

The design separates the algorithm from the store:

  • [gcra_admit] is the pure GCRA (Generic Cell Rate Algorithm — the same family governor uses) decision: given the stored theoretical-arrival-time (TAT) and now, return the new TAT to persist, or None to reject. It is exhaustively unit-tested with no clock or I/O.
  • A [Store] performs that decision atomically against shared state. [Store::Memory] is an in-process map (a reference backend, used by the tests and valid for a single replica); [Store::Redis] runs the same GCRA as a Lua script inside Redis, so the check-and-set is atomic across replicas.

Honesty note (mirrors ACME): the Redis backend is implemented and compiled, but a live Redis can’t be reached from the in-process test suite, so the Redis transport is not exercised by cargo test — only the GCRA core and the in-memory store are. See docs/ROADMAP.md Phase 4. On a store error the limiter fails closed (503) unless ratelimit.fail_open is set; this is the failure path the removed fail_mode knob was always meant to govern.

Shared-store limiting assumes replica clocks are roughly in sync (NTP); the TAT is an absolute wall-clock time in microseconds.

Structs§

DistributedLimiter
Shared-store rate limiter: the distributed counterpart of the three governor limiters. Holds the GCRA params for the global per-IP limit, the per-route overrides, and the per-key limit, plus the backing [Store] and the fail-open policy.
Gcra
GCRA parameters for one limit, in microseconds. emission_interval is the steady-state time per request (period / count); tolerance is how far the TAT may run ahead of now before a request is rejected (emission_interval * burst), i.e. the burst allowance.

Enums§

Admit
The outcome of consulting a limiter.
StoreMode
Which backend holds limiter state. Parsed from ratelimit.store.