ASP. Net core uses fixed window to limit current


Algorithm principle

Fixed window algorithm, also known as counter algorithm, is a simple current limiting algorithm. Set a threshold value and a count value in the unit time. Each time a request is received, the count value will be increased by one. If the count value exceeds the threshold value, the current limit will be triggered. If it cannot be reached, the request will be processed normally. After entering the next unit time, the count value will be cleared and accumulated again.

As shown in the above figure, the time unit is 1 second and the threshold is 3.

  • Three requests in the first second will not trigger current limiting;
  • One request in the second second will not trigger current limiting;
  • There are four requests in the third second. The first three requests in this second are processed normally. The fourth request triggers current limiting and will be rejected for processing.
  • Current limiting will not be triggered in the following 4th and 5th seconds, and all requests will be processed normally.

Algorithm implementation

Here are two implementation methods: in-process memory fixed window algorithm and redis based fixed window algorithm.

In process memory fixed window algorithm

Using the dictionary, key is the current limiting target, and value includes count value and expiration time. When processing the request, first extract the current limiting target from the request, and then look it up in the dictionary according to the current limiting target. If it does not exist, add a dictionary item, the count value is 1, and the expiration time is the current time + current limiting unit time; If it exists, check whether it has expired. If it has expired, the count value will be returned to 1. The expiration time is the current time + current limiting unit time. If it has not expired, only the count value will be added to 1. Here we need to pay attention to the problem of multithreading. We need to lock when reading and writing data.

Memorycache can be used in c# language. Its cache items have an expiration time, and there is no need to recycle expired items.

The method of in-process counting is most suitable for the program flow restriction of single instance processing. In the case of multi instance processing, the number of requests received by each instance may be uneven, which can not guarantee the flow restriction effect.

Redis based fixed window algorithm

Redis is stored as kV, which is similar to a dictionary, and also has its own expiration time. When processing the request, first extract the current limit target from the request, and then search redis according to the current limit target. If it does not exist, add kV item, the value is 1, and the expiration time is the current time + current limit unit time; If present, the value is incremented by 1.

These operation logic can be encapsulated in a Lua script. Because Lua script is also an atomic operation when executed in redis, the current limit count of redis is naturally accurate in distributed processing.

Algorithm application

Here, the current limiting component fireflysoft As an example, rate limit is implemented by ASP Net core.

1. Install nuget package

There are many installation methods. Just choose what you like.

Package manager command:

Install-Package FireflySoft.RateLimit.AspNetCore

Or Net command:

dotnet add package FireflySoft.RateLimit.AspNetCore

Or add the project file directly:


<PackageReference Include=”FireflySoft.RateLimit.AspNetCore” Version=”2.*” />


2. Using middleware

Using middleware in startup, the demonstration code is as follows (detailed description will be given below):

public void ConfigureServices(IServiceCollection services)
           app.AddRateLimit(new InProcessFixedWindowAlgorithm(
                new[] {
                    new FixedWindowRule()
                        ExtractTarget = context =>
                        		//Extract current limiting target
                            return (context as HttpContext).Request.Path.Value;
                        CheckRuleMatching = context =>
                        		//Judge whether the current request needs current limiting processing
                            return true;
                        Name="fixed window limit rule",
                        Limitnumber = 30, // current limiting threshold
                        StatWindow=TimeSpan. Fromseconds (1) // current limiting unit time

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

As above, you need to register the service first, and then use the middleware.

When registering a service, you need to provide a current limiting algorithm and corresponding rules:

  • Here, the in-process fixed window algorithm inprocessfixedwindow algorithm and redisfixedwindow algorithm can be used. A redis connection needs to be passed in.
  • The current limiting threshold is 30 and the current limiting unit time is 1 second.
  • Extracttarget is used to extract the current limiting target. Here is each different request path. If there is an IO request, the corresponding asynchronous method extracttargetasync is also supported here.
  • Checkrulematching is used to verify whether the current request is flow limited. If there is an IO request, the corresponding asynchronous method checkrulematchingasync is also supported here.
  • By default, httpstatuscode 429 will be returned when the current is limited. You can customize this value with the optional parameter error when addratelimit, as well as the contents in the HTTP header and body.

The basic use is the above example.

If it is still based on tradition Net framework, you need to_ A message processor ratelimithandler is registered in start. The algorithm and rules are shared. For details, see the instructions on GitHub:

FireflySoft. Ratelimit is based on Net standard’s current limiting class library has a simple and lightweight kernel and can flexibly respond to current limiting scenarios with various requirements.

Its main features include:

  • A variety of current limiting algorithms: built-in fixed window, sliding window, leaky bucket and token bucket, which can also be customized and extended.
  • Multiple count storage: at present, memory and redis storage methods are supported.
  • Distributed friendly: support unified counting of distributed programs through redis storage.
  • Flexible current limit target: various data can be extracted from the request to set the current limit target.
  • Support flow restriction penalty: the client can be locked for a period of time after triggering flow restriction and will not be allowed to access.
  • Dynamic change rules: support dynamic change of flow restriction rules during program running.
  • Custom error: you can customize the error code and error message after triggering current limiting.
  • Universality: in principle, it can meet any scene requiring current limitation.

GitHub open source address:

This is about ASP Net core uses fixed window to limit current, which is introduced in the article. I hope it will be helpful to your study, and I hope you can support developpaer.