Reverse Proxy and API Gateway
Reverse Proxy and API Gateway¶
Overview¶
This document covers the role of reverse proxies and the API Gateway pattern. Learn about core reverse proxy features such as SSL termination, compression, and caching, along with authentication/authorization, routing, and rate limiting algorithms.
Difficulty: βββ Estimated Learning Time: 2-3 hours Prerequisites: 04_Load_Balancing.md
Table of Contents¶
- What is a Reverse Proxy?
- Core Reverse Proxy Features
- API Gateway Pattern
- Rate Limiting
- Practice Problems
- Next Steps
- References
1. What is a Reverse Proxy?¶
1.1 Forward Proxy vs Reverse Proxy¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Forward Proxy vs Reverse Proxy β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Forward Proxy β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β "Makes requests to servers on behalf of clients" β β
β β β β
β β ββββββββ ββββββββββββ ββββββββββββ β β
β β βClientβββββΆβ Forward βββββΆβ Server β β β
β β β β β Proxy β β (Web) β β β
β β ββββββββ ββββββββββββ ββββββββββββ β β
β β β β
β β Use cases: Anonymity, access control, caching β β
β β Examples: Corporate firewall, VPN, Squid β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Reverse Proxy β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β "Handles client requests on behalf of servers" β β
β β β β
β β ββββββββ ββββββββββββ ββββββββββββ β β
β β βClientβββββΆβ Reverse βββββΆβ Backend β β β
β β β β β Proxy β β Servers β β β
β β ββββββββ ββββββββββββ ββββββββββββ β β
β β β β
β β Clients don't know the actual servers! β β
β β β β
β β Use cases: Load balancing, SSL termination, caching, securityβ β
β β Examples: Nginx, HAProxy, AWS ALB β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
1.2 Reverse Proxy Architecture¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Reverse Proxy Architecture β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Internet β
β β β
β βΌ β
β ββββββββββββββββ β
β β Firewall β β
β ββββββββ¬ββββββββ β
β β β
β βΌ β
β ββββββββββββββββ β
β β Reverse β βββ SSL termination, cachingβ
β β Proxy β compression, security β
β β (Nginx) β β
β ββββββββ¬ββββββββ β
β β β
β ββββββββββββββΌβββββββββββββ β
β β β β β
β βΌ βΌ βΌ β
β ββββββββββ ββββββββββ ββββββββββ β
β β App β β App β β App β β
β β Server β β Server β β Server β β
β β 1 β β 2 β β 3 β β
β ββββββββββ ββββββββββ ββββββββββ β
β β
β Clients β Only know proxy IP, not actual server IPs β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
2. Core Reverse Proxy Features¶
2.1 SSL/TLS Termination¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β SSL Termination β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Without SSL Termination (End-to-End Encryption): β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Client βββHTTPSββββΆ Proxy βββHTTPSββββΆ Server β β
β β β β
β β β’ Certificates needed on all servers β β
β β β’ Increased server load (encryption/decryption) β β
β β β’ Complex certificate management β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β With SSL Termination (Proxy handles SSL): β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Client βββHTTPSββββΆ Proxy βββHTTPββββΆ Server β β
β β β β β
β β SSL Termination β β
β β β β
β β β’ Certificate only on proxy β β
β β β’ Reduced server load β β
β β β’ Centralized certificate management β β
β β β β
β β Nginx configuration: β β
β β server { β β
β β listen 443 ssl; β β
β β ssl_certificate /path/to/cert.pem; β β
β β ssl_certificate_key /path/to/key.pem; β β
β β β β
β β location / { β β
β β proxy_pass http://backend; # HTTP to backend β β
β β } β β
β β } β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Note: If internal network is untrusted, consider SSL Passthroughβ
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
2.2 Response Compression¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Response Compression β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Save network bandwidth, improve response speed" β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Before compression: 100KB HTML β β
β β After compression: 20KB (gzip) β 80% saved! β β
β β β β
β β Client Proxy Server β β
β β β β β β β
β β βββRequest βββββββββββΆβ β β β
β β β Accept-Encoding: ββββββββββββββββββββΆ β β
β β β gzip, deflate β β β β
β β β ββββββββββββββββββββ β β
β β β β Original responseβ β β
β β β β (100KB) β β β
β β β β β β β
β β ββββ Compressed βββββββ β β β
β β β Content-Encoding: β (Proxy does β β β
β β β gzip β gzip compression) β β
β β β (20KB) β β β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Nginx configuration: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β gzip on; β β
β β gzip_types text/plain text/css application/json β β
β β application/javascript text/xml; β β
β β gzip_min_length 1000; # Compress only >= 1KB β β
β β gzip_comp_level 6; # Compression level (1-9) β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Compression algorithm comparison: β
β β’ gzip: Widely supported, good compression ratio β
β β’ Brotli: Better compression, modern browser support β
β β’ zstd: Fast compression/decompression, latest β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
2.3 Caching¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Proxy Caching β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Return cached responses for repeated requests" β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β First request (Cache Miss): β β
β β β β
β β Client βββΆ Proxy βββΆ Server β β
β β ββββββββββββββ (Store response) β β
β β βΌ β β
β β [Cache] β β
β β β β
β β Second request (Cache Hit): β β
β β β β
β β Client βββΆ Proxy β β
β β βββββ (Serve from cache, no server hit!) β β
β β β² β β
β β [Cache] β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Nginx caching configuration: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β # Define cache path β β
β β proxy_cache_path /var/cache/nginx levels=1:2 β β
β β keys_zone=my_cache:10m β β
β β max_size=10g inactive=60m; β β
β β β β
β β server { β β
β β location / { β β
β β proxy_cache my_cache; β β
β β proxy_cache_valid 200 60m; # Cache 200 for 60minβ β
β β proxy_cache_valid 404 1m; # Cache 404 for 1min β β
β β proxy_cache_use_stale error timeout; β β
β β add_header X-Cache-Status $upstream_cache_status; β β
β β proxy_pass http://backend; β β
β β } β β
β β } β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Cache status headers: β
β β’ X-Cache-Status: HIT (cache hit) β
β β’ X-Cache-Status: MISS (cache miss) β
β β’ X-Cache-Status: EXPIRED (expired) β
β β’ X-Cache-Status: STALE (using stale cache) β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
2.4 Security Features¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Reverse Proxy Security Features β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β 1. IP-based Access Control β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β location /admin { β β
β β allow 10.0.0.0/8; # Allow internal network β β
β β allow 192.168.1.100; # Allow specific IP β β
β β deny all; # Deny the rest β β
β β proxy_pass http://backend; β β
β β } β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β 2. Header Security β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β # Hide sensitive headers β β
β β proxy_hide_header X-Powered-By; β β
β β proxy_hide_header Server; β β
β β β β
β β # Add security headers β β
β β add_header X-Frame-Options "SAMEORIGIN"; β β
β β add_header X-Content-Type-Options "nosniff"; β β
β β add_header X-XSS-Protection "1; mode=block"; β β
β β add_header Strict-Transport-Security "max-age=31536000"; β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β 3. Request Size Limits β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β client_max_body_size 10m; # Max upload size β β
β β client_body_timeout 60s; # Request body timeout β β
β β client_header_timeout 60s; # Header timeout β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β 4. Hide Backend Servers β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Clients see: proxy.example.com β β
β β Actual backend: 10.0.1.5:8080 (not exposed) β β
β β β β
β β β Prevents direct attacks β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
3. API Gateway Pattern¶
3.1 What is an API Gateway?¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β API Gateway β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Single Entry Point for microservices" β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Without API Gateway: β β
β β β β
β β Client βββΆ User Service (users.example.com) β β
β β βββΆ Order Service (orders.example.com) β β
β β βββΆ Product Service (products.example.com) β β
β β β β
β β Problems: β β
β β β’ Client must know multiple service URLs β β
β β β’ Duplicated authentication logic in each service β β
β β β’ Tight coupling between client and services β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β With API Gateway: β β
β β β β
β β βββββββββββββββββββββββββββββββββ β β
β β β API Gateway β β β
β β Client βββΆβ api.example.com β β β
β β β βββββββββββββββββββββββββββ β β β
β β β β β’ Authentication/ β β β β
β β β β Authorization β β β β
β β β β β’ Routing β β β β
β β β β β’ Rate Limiting β β β β
β β β β β’ Request/Response β β β β
β β β β Transformation β β β β
β β β β β’ Logging/Monitoring β β β β
β β β βββββββββββββββββββββββββββ β β β
β β βββββββββββββββββ¬ββββββββββββββββ β β
β β β β β
β β βββββββββββββββΌββββββββββββββ β β
β β βΌ βΌ βΌ β β
β β User Service Order Service Product Service β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
3.2 Core API Gateway Features¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β API Gateway Core Features β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β 1. Request Routing β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β /api/users/* βββββββββββΆ User Service β β
β β /api/orders/* βββββββββββΆ Order Service β β
β β /api/products/* βββββββββββΆ Product Service β β
β β /api/v2/* βββββββββββΆ New Service (version control) β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β 2. Authentication/Authorization β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Client βββΆ Gateway β β
β β β β β
β β ββ Verify JWT token β β
β β ββ Check API Key β β
β β ββ Handle OAuth2 β β
β β ββ Verify permissions then βββΆ Backend Serviceβ β
β β β β
β β Advantage: Remove authentication logic from backend β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β 3. Request/Response Transformation β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Protocol transformation: β β
β β REST (external) βββββββββββΆ gRPC (internal) β β
β β β β
β β Data format transformation: β β
β β JSON βββββββββββΆ Protobuf β β
β β β β
β β Response aggregation: β β
β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β β β GET /api/dashboard β β β
β β β β β β β
β β β ββββΆ User Service (user info) β β β
β β β ββββΆ Order Service (recent orders) β β β
β β β ββββΆ Stats Service (statistics) β β β
β β β β β β
β β β βββ Combine all responses and return ββ β β β
β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β 4. Logging and Monitoring β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β β’ Log all API calls β β
β β β’ Measure response times β β
β β β’ Monitor error rates β β
β β β’ Distributed tracing (propagate Trace IDs) β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
3.3 API Gateway Product Comparison¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β API Gateway Product Comparison β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Kong β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β’ Built on Nginx + Lua β β
β β β’ Rich plugin ecosystem β β
β β β’ Open source / Enterprise versions β β
β β β’ High performance β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β AWS API Gateway β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β’ Fully managed β β
β β β’ Lambda, DynamoDB integration β β
β β β’ WebSocket support β β
β β β’ Pay-per-use pricing β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Envoy (Istio) β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β’ Cloud native β β
β β β’ Service mesh sidecar β β
β β β’ Native gRPC support β β
β β β’ Advanced traffic management β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Nginx Plus / Nginx β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β’ Lightweight, high performance β β
β β β’ Configuration-based (no code needed) β β
β β β’ Wide range of use cases β β
β β β’ Plus: Commercial features (health checks, monitoring) β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Selection criteria: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β’ Cloud environment: AWS API Gateway, GCP Cloud Endpoints β β
β β β’ On-premises: Kong, Nginx β β
β β β’ Kubernetes: Envoy, Istio, NGINX Ingress β β
β β β’ Simple requirements: Nginx β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
4. Rate Limiting¶
4.1 What is Rate Limiting?¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Rate Limiting β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Limit number of requests per time unit" β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Why is it needed? β β
β β β β
β β β’ DDoS protection β β
β β β’ Service stability protection β β
β β β’ Fair resource distribution β β
β β β’ Cost control β β
β β β’ Prevent API abuse β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Limiting criteria: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β β’ By IP address: 100 req/min per IP β β
β β β’ By user: 1000 req/hour per user β β
β β β’ By API key: 10000 req/day per API key β β
β β β’ By endpoint: /login is 5 req/min β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Response headers: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β X-RateLimit-Limit: 100 # Limit β β
β β X-RateLimit-Remaining: 45 # Remaining requests β β
β β X-RateLimit-Reset: 1640000000 # Reset time (Unix) β β
β β β β
β β When limit exceeded: 429 Too Many Requests β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
4.2 Token Bucket¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Token Bucket Algorithm β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Allow requests if bucket has tokens, deny otherwise" β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β ββββββββββββ β β
β β β Token β βββ Add tokens at constant rate β β
β β β Bucket β (e.g., 10/sec) β β
β β β βββββ β β β
β β β βββ β βββ Bucket capacity (e.g., 100) β β
β β ββββββ¬ββββββ β β
β β β β β
β β βΌ β β
β β Request βββΆ Has token? ββYesβββΆ Allow (consume token) β β
β β β β β
β β No β β
β β β β β
β β βΌ β β
β β Deny (429) β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Characteristics: β
β β’ Allows bursts (if tokens accumulated in bucket) β
β β’ Average rate limiting β
β β’ Used by AWS, Stripe, etc. β
β β
β Example: β
β Bucket size: 100, Refill rate: 10/sec β
β β Can handle burst of 100 requests β
β β Then 10 requests per second β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
4.3 Leaky Bucket¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Leaky Bucket Algorithm β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Process requests at constant rate only (no bursts)" β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Requests βββΆ ββββββββββββ β β
β β β Queue β βββ Store requests in queue β β
β β β βββββ β β β
β β β βββ β βββ Queue size limit β β
β β ββββββ¬ββββββ β β
β β β β β
β β β β β β
β β β βββββ "Leak" at constant rate β β
β β β (e.g., 10/sec) β β
β β βΌ β β
β β Processed β β
β β β β
β β When queue is full: β β
β β New request βββΆ Deny (429) β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Characteristics: β
β β’ Constant output rate (traffic shaping) β
β β’ No bursts allowed β
β β’ Suitable for network traffic control β
β β
β Token Bucket vs Leaky Bucket: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Token Bucket: Allows bursts, average rate limiting β β
β β Leaky Bucket: No bursts, constant rate output β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
4.4 Fixed Window¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Fixed Window Algorithm β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Reset counter every time window" β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β 1-minute window, limit 100: β β
β β β β
β β 00:00 ~ 00:59 01:00 ~ 01:59 β β
β β ββββββββββββββββββββββ ββββββββββββββββββββββ β β
β β β Count: 0 β 100 β β Count: 0 (reset) β β β
β β β βββββββββββββββββ β β βββββββββ β β β
β β ββββββββββββββββββββββ ββββββββββββββββββββββ β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Problem (boundary issue): β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β 00:00 00:30 01:00 01:30 β β
β β β β β β β β
β β ββββββββββββββββ΄βββββββββββββββ΄βββββββββββββββ β β
β β β β β β
β β βΌ βΌ β β
β β 00:30~00:59 01:00~01:29 β β
β β 100 requests 100 requests β β
β β β β
β β β 200 requests possible within 1 minute! β β
β β (00:30 ~ 01:30) β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Pros: Simple implementation, memory efficient β
β Cons: Burst possible at window boundaries β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
4.5 Sliding Window¶
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Sliding Window Algorithm β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β "Window moves with time (solves boundary issue)" β
β β
β Sliding Window Log: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Store timestamp of each request β β
β β [00:30:15, 00:30:20, 00:30:45, 00:31:00, ...] β β
β β β β
β β Current time: 01:30:00 β β
β β Window: 00:30:00 ~ 01:30:00 (1 minute) β β
β β β β
β β Count requests within window β β
β β β β
β β Cons: High memory usage (store all timestamps) β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β Sliding Window Counter (optimized): β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β β
β β Weighted average of previous and current window β β
β β β β
β β Current: 01:15 (1-minute window) β β
β β β β
β β βββ Previous window (00:00~01:00): 80 requests βββ€ β β
β β βββ Current window (01:00~02:00): 40 requests βββ€ β β
β β β β
β β 01:15 is 25% into current window β β
β β Weights: previous 75%, current 25% β β
β β β β
β β Estimated requests = 80 * 0.75 + 40 * 0.25 = 70 β β
β β β β
β β Pros: Memory efficient (only 2 counters) β β
β β Mitigates boundary issue β β
β β β β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
4.6 Algorithm Comparison¶
| Algorithm | Burst | Memory | Accuracy | Use Case |
|---|---|---|---|---|
| Token Bucket | Allow | Small | High | API limiting |
| Leaky Bucket | No | Small | High | Traffic shaping |
| Fixed Window | Boundary burst | Small | Low | Simple implementation |
| Sliding Window | Allow | Large/Medium | High | Accurate limiting |
5. Practice Problems¶
Problem 1: Reverse Proxy Design¶
Write an Nginx configuration that satisfies the following requirements:
- HTTPS reception (port 443)
- HTTP β HTTPS redirect
- Backend: http://localhost:8080
- Gzip compression enabled
- Static file caching (1 day)
Problem 2: API Gateway Design¶
Design an API Gateway for a microservices environment.
Services: - User Service: /api/users/ - Order Service: /api/orders/ - Auth Service: /api/auth/*
Requirements: - JWT authentication (except Auth) - Rate Limiting: 1000 req/min per user - Response logging
Problem 3: Rate Limiting Selection¶
Choose an appropriate Rate Limiting algorithm for the following scenarios:
a) Public API (allow bursts, average limiting) b) Real-time streaming service c) Login endpoint (prevent brute force) d) Simple requirements, quick implementation
Problem 4: Rate Limiting Implementation¶
Implement the Token Bucket algorithm in pseudocode.
Conditions: - Bucket size: 100 - Refill rate: 10 tokens/sec
Answers¶
Problem 1 Answer¶
server {
listen 80;
server_name example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# Gzip compression
gzip on;
gzip_types text/plain text/css application/json
application/javascript text/xml;
gzip_min_length 1000;
# Static file caching
location /static/ {
expires 1d;
add_header Cache-Control "public, immutable";
}
# Backend proxy
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Problem 2 Answer¶
API Gateway Design:
βββββββββββββββββββββββββββββββββββββββββββββββββββ
β API Gateway β
βββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β 1. Receive request β
β β β
β 2. Rate Limiting check (Redis-based) β
β β key: user_id, limit: 1000/min β
β β β
β 3. Route check β
β βββ /api/auth/* β Auth Service (skip auth)β
β βββ /api/users/* β Verify JWT β User Serviceβ
β βββ /api/orders/*β Verify JWT β Order Serviceβ
β β
β 4. Response logging (ELK Stack) β
β - timestamp, user_id, path, status, β
β response_time β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββ
Tech stack:
- Kong Gateway + JWT Plugin + Rate Limiting Plugin
- Or AWS API Gateway + Lambda Authorizer
Problem 3 Answer¶
a) Public API: Token Bucket
- Allows bursts for better user experience
- Average rate limiting prevents abuse
b) Real-time streaming: Leaky Bucket
- Constant output rate maintains quality
- No bursts for stable transmission
c) Login: Fixed Window or Sliding Window
- Strict limiting (e.g., 5 times/min)
- Simplicity over boundary issues
d) Simple requirements: Fixed Window
- Simplest implementation
- Only needs counter + timestamp
Problem 4 Answer¶
class TokenBucket:
def __init__(self, capacity=100, refill_rate=10):
self.capacity = capacity # Max bucket size
self.refill_rate = refill_rate # Tokens added per second
self.tokens = capacity # Current token count
self.last_refill = current_time()
def allow_request(self):
self.refill()
if self.tokens >= 1:
self.tokens -= 1
return True
else:
return False
def refill(self):
now = current_time()
elapsed = now - self.last_refill
# Add tokens proportional to elapsed time
tokens_to_add = elapsed * self.refill_rate
self.tokens = min(self.capacity, self.tokens + tokens_to_add)
self.last_refill = now
# Usage example
bucket = TokenBucket(capacity=100, refill_rate=10)
if bucket.allow_request():
process_request()
else:
return 429 # Too Many Requests
6. Next Steps¶
If you've understood reverse proxies and API gateways, learn about caching strategies next.
Next Lesson¶
Related Lessons¶
- 04_Load_Balancing.md - Traffic distribution
- 07_Distributed_Cache_Systems.md - Redis, Memcached
Recommended Practice¶
- Practice Nginx reverse proxy configuration
- Install Kong Gateway and test plugins
- Implement rate limiting yourself
7. References¶
Tools¶
Documentation¶
Algorithms¶
Document Information - Last Modified: 2024 - Difficulty: βββ - Estimated Learning Time: 2-3 hours