Conversation

@sedkis sedkis commented Sep 17, 2025

User description

Contributor checklist

  • Reviewed PR Code suggestions and updated accordingly
  • Tyklings: Labeled the PR with the relevant releases
  • Tyklings: Added Jira DX PR ticket to the subject

New Contributors



PR Type

Documentation


Description

  • Add Go plugin rate limiter example

  • Demonstrate IP-based rate limit via metadata

  • Clarify usage with custom auth plugins

  • Reinforce session setup for rate limiting


Diagram Walkthrough

```mermaid
flowchart LR
  A["Custom Go plugin"] -- "extract RealIP" --> B["Build SessionState"]
  B -- "set rate/per + AccessRights" --> C["Set MetaData rate_limit_pattern"]
  C -- "ctx.SetSession(...)" --> D["Tyk Gateway rate limiter"]
  D -- "enforces per pattern/IP" --> E["Protected upstream"]
```

File Walkthrough

Relevant files

Documentation: tyk-docs/content/api-management/rate-limit.md (+43/-0): Add Go example for IP-based rate limiting

  • Add "Custom Plugin Rate Limiter Example" section.
  • Provide Go code for IP-based rate limiting.
  • Show session metadata usage (rate_limit_pattern).
  • Explain integration with custom authentication plugins.


⚠️ Deploy preview for PR #6950 did not become live after 3 attempts.
Please check Netlify or try manually: Preview URL


PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Code Accuracy

The Go snippet references symbols like ctx.GetDefinition, request.RealIP, user.SessionState, and ctx.SetSession without imports or context; verify these match actual Tyk Go plugin SDK APIs and recommended method names (e.g., tykContext vs ctx, real IP extraction helper) to avoid misleading readers.

```go
// IP Rate Limiter
func Authenticate(rw http.ResponseWriter, r *http.Request) {
	requestedAPI := ctx.GetDefinition(r)
	if requestedAPI == nil {
		logger.Error("Could not get API Definition")
		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	realIp := request.RealIP(r)

	sessionObject := &user.SessionState{}
	sessionObject = &user.SessionState{
		OrgID: requestedAPI.OrgID,
		Rate:  2,
		Per:   5,
		AccessRights: map[string]user.AccessDefinition{
			requestedAPI.APIID: {
				APIID: requestedAPI.APIID,
			},
		},
		MetaData: map[string]interface{}{
			"rate_limit_pattern": realIp,
		},
	}

	logger.Info("Session Alias: ", sessionObject.Alias)

	// Set session state using session object
	ctx.SetSession(r, sessionObject, false)
	logger.Info("Session created for request")
}
```

Example Completeness (https://github.com/TykTechnologies/tyk-docs/pull/6950/files#diff-f3fc2340f09caaef97b04c1e624a0ef0fca285bbf9ce7f7a5a74ee067422575dR353-R386)

The example sets Rate/Per and AccessRights but doesn’t show required imports, plugin hook signature, or how to attach the session to the request lifecycle; consider adding minimal imports and noting required plugin type and return behavior.

(Quotes the same `Authenticate` snippet shown under Code Accuracy above.)

IP Extraction (https://github.com/TykTechnologies/tyk-docs/pull/6950/files#diff-f3fc2340f09caaef97b04c1e624a0ef0fca285bbf9ce7f7a5a74ee067422575dR363-R377)

Using request.RealIP may not account for proxies/X-Forwarded-For; clarify trusted proxy settings and which header/gateway config is used to derive the client IP to prevent incorrect rate limiting.

```go
realIp := request.RealIP(r)

sessionObject := &user.SessionState{}
sessionObject = &user.SessionState{
	OrgID: requestedAPI.OrgID,
	Rate:  2,
	Per:   5,
	AccessRights: map[string]user.AccessDefinition{
		requestedAPI.APIID: {
			APIID: requestedAPI.APIID,
		},
	},
	MetaData: map[string]interface{}{
		"rate_limit_pattern": realIp,
	},
}
```


PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Security
Use a safe client IP source

Avoid using client-provided headers blindly for IP extraction, as RealIP may be
spoofable if proxy headers aren't trusted/sanitized. Use a trusted proxy chain or
gateway-provided remote address to derive the client IP safely.

tyk-docs/content/api-management/rate-limit.md [363]

-realIp := request.RealIP(r)
+// Derive client IP safely; avoid trusting unvalidated headers
+realIp := r.RemoteAddr
+if ip, _, err := net.SplitHostPort(realIp); err == nil {
+	realIp = ip
+}
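Review bot: the replacement `realIp := r.RemoteAddr` swaps one failure mode for another: once the gateway sits behind a load balancer or CDN, every client arrives from the balancer's address, so all of them share a single rate-limit bucket and the per-IP limit stops meaning anything. The safe baseline is the one the "Why" line hints at: start from RemoteAddr, and only peel addresses off X-Forwarded-For when the direct peer is a configured trusted proxy. Suggest the doc describe that trusted-proxy condition instead of replacing `request.RealIP(r)` outright.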
Suggestion importance[1-10]: 6


Why: Highlights potential spoofing risk when using request.RealIP(r) and proposes a safer baseline using RemoteAddr; useful but context-dependent in docs and may vary with trusted proxy setup.

Low
General
Remove redundant initialization

Remove the redundant initialization of sessionObject to prevent confusion and ensure
the intended object is used. Initialize it once directly with the struct literal.

tyk-docs/content/api-management/rate-limit.md [365-378]

-sessionObject := &user.SessionState{}
-sessionObject = &user.SessionState{
+sessionObject := &user.SessionState{
 	OrgID: requestedAPI.OrgID,
 	Rate:  2,
 	Per:   5,
 	AccessRights: map[string]user.AccessDefinition{
 		requestedAPI.APIID: {
 			APIID: requestedAPI.APIID,
 		},
 	},
 	MetaData: map[string]interface{}{
 		"rate_limit_pattern": realIp,
 	},
 }
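Review bot: beyond the redundant initialisation, `Rate: 2` and `Per: 5` carry no comment on units; the description elsewhere in this thread reads them as "2 requests per 5 seconds", so a short comment on those two lines would stop readers adapting the snippet from guessing whether Per is seconds or milliseconds. The `Session Alias` log line that follows this literal in the snippet also prints an empty string, since Alias is never set here; either set it or drop that log call.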
Suggestion importance[1-10]: 5


Why: Correctly identifies and removes an unnecessary pre-initialization of sessionObject, improving clarity without changing behavior.

Low
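An added example, not code from this PR or from Tyk, covering the reviewer guide's "IP Extraction" item and the "Use a safe client IP source" suggestion together: it derives the rate-limit key from RemoteAddr, consults X-Forwarded-For only when the direct peer is on a trusted-proxy list, and feeds that key into a fixed-window counter with the same Rate/Per pair as the PR's session (2 per 5 seconds). The trusted-proxy ranges, the `ClientIP` and `Limiter` names, and the counter itself are assumptions standing in for the gateway's own configuration and limiter; only the standard library is used, so it runs offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Constructed trusted-proxy list (an assumption for this example): only hops
// inside these networks may be peeled off X-Forwarded-For.
var trustedProxies = mustCIDRs("10.0.0.0/8", "127.0.0.0/8")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP derives the rate-limit key for r. It starts from RemoteAddr, which
// the transport layer vouches for, and reads X-Forwarded-For only when the
// direct peer is a trusted proxy; it then walks the header right to left,
// skipping trusted hops, and stops at the first untrusted address. A spoofed
// X-Forwarded-For sent by an untrusted peer is therefore ignored.
func ClientIP(r *http.Request, nets []*net.IPNet) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port present
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrusted(peer, nets) {
		return host
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // empty or malformed entry: fall back to the trusted peer
		}
		if !isTrusted(ip, nets) {
			return ip.String()
		}
	}
	return host
}

// Limiter is a fixed-window counter standing in for the gateway's limiter:
// at most Rate requests per Per for each key, the key being the client IP
// that the PR's session stores in rate_limit_pattern.
type Limiter struct {
	Rate int
	Per  time.Duration
	mu   sync.Mutex
	wins map[string]*window
}

type window struct {
	start time.Time
	count int
}

func NewLimiter(rate int, per time.Duration) *Limiter {
	return &Limiter{Rate: rate, Per: per, wins: map[string]*window{}}
}

// Allow reports whether a request for key at time now fits the current window.
func (l *Limiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	w, ok := l.wins[key]
	if !ok || now.Sub(w.start) >= l.Per {
		l.wins[key] = &window{start: now, count: 1}
		return true
	}
	if w.count >= l.Rate {
		return false
	}
	w.count++
	return true
}

func main() {
	l := NewLimiter(2, 5*time.Second)
	// Constructed request: untrusted peer carrying a spoofed X-Forwarded-For.
	r := &http.Request{RemoteAddr: "198.51.100.4:5555", Header: http.Header{"X-Forwarded-For": {"203.0.113.9"}}}
	key := ClientIP(r, trustedProxies) // 198.51.100.4: the header is ignored
	for i := 1; i <= 3; i++ {
		fmt.Printf("request %d keyed on %s allowed=%v\n", i, key, l.Allow(key, time.Now()))
	}
}
```

The right-to-left walk matters: a proxy appends the address it saw to the end of X-Forwarded-For, so only the rightmost entries are ones a trusted hop actually wrote; anything further left was supplied by whoever sent the request and must not become the rate-limit key.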


Code Review: PR #6950 - Update rate-limit.md

Overview

This PR adds a new "Custom Plugin Rate Limiter Example" section to the rate-limit.md documentation, demonstrating how to implement IP-based rate limiting using a custom Go plugin.

Technical Assessment

The code example provided is technically sound and follows Tyk's best practices:

  1. Proper IP extraction: Uses request.RealIP(r) which correctly handles proxies and X-Forwarded-For headers.

  2. Correct session configuration:

    • Sets appropriate rate limits (2 requests per 5 seconds)
    • Properly configures AccessRights for the API
    • Correctly uses the rate_limit_pattern metadata field
  3. Integration with Tyk's rate limiting system:

    • Properly calls ctx.SetSession(r, sessionObject, false) to associate the session with the request
    • Demonstrates how Tyk's rate limiting will be applied per IP rather than per token
  4. Documentation value:

    • Fills a gap in the existing documentation, which previously stated IP-based rate limiting was "not yet" possible (with only JavaScript middleware mentioned as a workaround)
    • Provides a clear, practical example that users can adapt for their own needs

Diagram Accuracy

The included mermaid diagram accurately represents the flow:

  1. Custom Go plugin extracts the real IP
  2. Builds a SessionState with rate/per and AccessRights
  3. Sets the MetaData rate_limit_pattern
  4. Uses ctx.SetSession to pass to Tyk Gateway rate limiter
  5. Gateway enforces rate limits per pattern/IP

Conclusion

This PR provides valuable documentation that clearly demonstrates how to implement IP-based rate limiting using custom Go plugins. The code is technically accurate and follows best practices. I recommend approving this PR.


Powered by Probe AI


netlify bot commented Sep 17, 2025

PS. Add to the end of url /docs/nightly

🔨 Latest commit: 972225b
🔍 Latest deploy log: https://app.netlify.com/projects/tyk-docs/deploys/68e51c4a42e2a6000809b4bc
😎 Deploy Preview: https://deploy-preview-6950--tyk-docs.netlify.app
📱 Preview on mobile: QR code (not reproduced here)

@sharadregoti sharadregoti changed the title Update rate-limit.md Configure Custom Rate Limiting using Custom Plugins Oct 3, 2025
@sharadregoti sharadregoti requested a review from andyo-tyk October 3, 2025 07:41

@andyo-tyk andyo-tyk left a comment

Please check the accuracy of some of my suggestions - in particular regarding multi-auth

@sharadregoti sharadregoti merged commit 40ec72e into master Oct 8, 2025
12 checks passed
@sharadregoti sharadregoti deleted the sedkis-patch-2 branch October 8, 2025 05:04
@sharadregoti

/release to release-5.8

@sharadregoti

/release to release-5.9


tykbot bot commented Oct 8, 2025

Working on it! Note that it can take a few minutes.


tykbot bot commented Oct 8, 2025

Working on it! Note that it can take a few minutes.


tykbot bot commented Oct 8, 2025

@sharadregoti Created merge PRs


tykbot bot commented Oct 8, 2025

@sharadregoti Created merge PRs

buger added a commit that referenced this pull request Oct 8, 2025
…lugins (#6950)

Configure Custom Rate Limiting using Custom Plugins (#6950)
buger added a commit that referenced this pull request Oct 8, 2025
…lugins (#6950)

Configure Custom Rate Limiting using Custom Plugins (#6950)
4 participants