Production-ready rate limiting and abuse detection microservice built with Node.js, TypeScript, Redis, and Docker. Protect your APIs from abuse with distributed rate limiting, IP banning, and real-time monitoring.
Backend API: https://api-rate-guardian-1.onrender.com
Admin UI: Run locally or deploy to Vercel (see instructions below)
API Rate Guardian is a specialized microservice designed to protect your APIs from application-layer abuse and excessive traffic. Built with enterprise-grade patterns, it provides distributed rate limiting using Redis, making it suitable for multi-instance deployments. It is not a substitute for network-level DDoS protection in front of your service (a dedicated DDoS protection layer is on the roadmap below).
- JWT Authentication: Secure admin access with token-based auth
- Redis-Backed Rate Limiting: Distributed, accurate rate limiting across all instances
- IP Ban System: Block and unblock abusive IPs via the API or the UI
- Real-Time Stats: Monitor requests, rate-limit hits, and banned IPs
- Admin Dashboard: Web-based control panel for system management
- High Performance: Handles 1000+ req/s with minimal latency
- Docker Ready: Complete containerization with docker-compose
- Production Tested: Live deployment on Render with Redis Cloud
- Node.js 18+ (Runtime)
- TypeScript 5+ (Type Safety)
- Express.js (Web Framework)
- Redis 7+ (Rate Limiting Store)
- ioredis (Redis Client)
- jsonwebtoken (JWT Auth)
- helmet (Security Headers)
- express-rate-limit (Base Rate Limiting)
- React 18 (UI Library)
- Tailwind CSS (Styling)
- Chart.js (Data Visualization)
- Axios (API Client)
- Docker + Docker Compose
- Render (Backend Hosting)
- Redis Cloud (Managed Redis)
- Winston (Logging)
```text
┌─────────────┐
│   Client    │
└──────┬──────┘
       │
       ▼
┌─────────────────────┐
│     Express API     │
│   (Rate Guardian)   │
├─────────────────────┤
│ JWT Auth Middleware │
│ Rate Limiter        │
│ Admin Routes        │
└──────┬──────────────┘
       │
       ▼
┌─────────────┐
│    Redis    │
│  (ioredis)  │
├─────────────┤
│ • Counters  │
│ • Bans      │
│ • Stats     │
└─────────────┘
```
Key Design Decisions:
- Redis as Single Source of Truth: counters, bans and stats all live in Redis, so every API instance sees the same state and limits are enforced accurately across instances
- JWT for Admin Auth: stateless, so any instance can verify a token without a session store; the trade-off is that an issued token stays valid until it expires (24h by default) unless you add a revocation list
- Sliding Window Algorithm: counts requests over a rolling window rather than in fixed buckets, so a client cannot double its budget by bursting at the boundary between two fixed windows
- IP-based Tracking: simple and effective for most use cases; behind a proxy or load balancer, set Express `trust proxy` to exactly the hops you control so the limiter keys on the real client address rather than a client-supplied X-Forwarded-For value, and note that clients behind a shared NAT share one budget (API-key-based limiting is on the roadmap)
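To make the stateless-JWT decision concrete, here is an added example (not the project's auth.middleware.ts) of what the admin bearer-token check has to do. The project uses jsonwebtoken; the HS256 verification is written out with node:crypto here only so the block runs without that dependency, and it corresponds to `jwt.verify(token, JWT_SECRET, { algorithms: ['HS256'] })`. The claim names (`sub`, `role`), the `authorize` helper and the 401 response are assumptions for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Claims this example expects in an admin token (assumed shape, not the project's).
interface AdminClaims {
  sub: string;
  role: string;
  iat: number;
  exp: number;
}

const b64url = (buf: Buffer): string => buf.toString('base64url');
const fromB64url = (s: string): Buffer => Buffer.from(s, 'base64url');

// Mint a token, as the login route would after checking the password.
// nowSec is injected so the example is deterministic.
function signAdminToken(secret: string, sub: string, ttlSec: number, nowSec: number, role = 'admin'): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const payload = b64url(Buffer.from(JSON.stringify({ sub, role, iat: nowSec, exp: nowSec + ttlSec })));
  const sig = b64url(createHmac('sha256', secret).update(`${header}.${payload}`).digest());
  return `${header}.${payload}.${sig}`;
}

// Verify a token. Order matters: pin the algorithm before anything else (so an
// "alg": "none" or RS256 header is never honoured), compare the MAC in constant
// time, then enforce exp and role. Returns the claims or null.
function verifyAdminToken(token: string, secret: string, nowSec: number): AdminClaims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h = '', p = '', s = ''] = parts;
  let header: { alg?: unknown };
  let claims: Partial<AdminClaims>;
  try {
    header = JSON.parse(fromB64url(h).toString('utf8'));
    claims = JSON.parse(fromB64url(p).toString('utf8'));
  } catch {
    return null;
  }
  if (!header || typeof header !== 'object' || !claims || typeof claims !== 'object') return null;
  if (header.alg !== 'HS256') return null;
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = fromB64url(s);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
  if (typeof claims.sub !== 'string' || claims.role !== 'admin') return null;
  return claims as AdminClaims;
}

// One request through the middleware: the status it would send and the claims it
// would hand to the admin handlers. Express wiring (assumed, not the project's):
//   app.use('/api/v1/admin', (req, res, next) => {
//     const r = authorize(req.headers.authorization, JWT_SECRET, Math.floor(Date.now() / 1000));
//     if (!r.claims) return res.status(401).json({ error: 'Unauthorized' });
//     res.locals.admin = r.claims; next();
//   });
function authorize(
  authorizationHeader: string | undefined,
  secret: string,
  nowSec: number,
): { status: number; claims: AdminClaims | null } {
  const auth = authorizationHeader ?? '';
  const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : '';
  const claims = token ? verifyAdminToken(token, secret, nowSec) : null;
  return claims ? { status: 200, claims } : { status: 401, claims: null };
}
```

Stateless verification means no Redis round trip per admin call, but also that a leaked token stays valid until `exp`; if that matters, keep JWT_EXPIRES_IN short or store revoked token IDs in Redis with a TTL equal to their remaining lifetime and check that set here.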
Default Limits:
- 100 requests per 15 minutes per IP
- Customizable per endpoint
- Sliding window algorithm
- Burst protection
Example:

```typescript
// Apply rate limiting to specific routes
app.use('/api/v1/public', rateLimiter({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                 // limit each IP to 100 requests per windowMs
  message: 'Too many requests, please try again later'
}));
```

Features:
- Ban IPs permanently or temporarily
- Unban with single API call
- Automatic ban expiry
- Ban list export
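The sliding window from the Default Limits section and the ban expiry from the list above, as one added example that is not code from the project (its own logic lives in rateLimiting.service.ts and ipBan.middleware.ts and is not reproduced here). `MemoryStore` is an assumed in-memory stand-in whose methods mirror the Redis commands an ioredis deployment would issue; the `rl:` and `ban:` key prefixes, the 403 status for banned IPs and the `guard` helper are assumptions for illustration.

```typescript
// Added example: sliding-window limiting and TTL bans over a Redis-shaped store.
// MemoryStore stands in for Redis: ZADD, ZREMRANGEBYSCORE, ZCARD and EXPIRE for the
// window, SET ... EX, GET and DEL for bans. The clock is injected for determinism.

interface Store {
  zadd(key: string, score: number, member: string): Promise<void>;
  zremrangebyscore(key: string, maxScore: number): Promise<void>; // drop scores <= maxScore
  zcard(key: string): Promise<number>;
  zminscore(key: string): Promise<number | null>; // ZRANGE key 0 0 WITHSCORES, simplified
  expire(key: string, seconds: number): Promise<void>;
  set(key: string, value: string, ttlSeconds?: number): Promise<void>; // SET key value EX ttl
  get(key: string): Promise<string | null>;
  del(key: string): Promise<void>;
}

class MemoryStore implements Store {
  private zsets = new Map<string, Map<string, number>>();
  private zsetExpiry = new Map<string, number>();
  private kv = new Map<string, { value: string; expiresAt: number | null }>();
  private readonly now: () => number;
  constructor(now: () => number) { this.now = now; }
  private zset(key: string): Map<string, number> {
    const exp = this.zsetExpiry.get(key);
    if (exp !== undefined && exp <= this.now()) { this.zsets.delete(key); this.zsetExpiry.delete(key); }
    let z = this.zsets.get(key);
    if (!z) { z = new Map<string, number>(); this.zsets.set(key, z); }
    return z;
  }
  async zadd(key: string, score: number, member: string): Promise<void> { this.zset(key).set(member, score); }
  async zremrangebyscore(key: string, maxScore: number): Promise<void> {
    const z = this.zset(key);
    z.forEach((score, member) => { if (score <= maxScore) z.delete(member); });
  }
  async zcard(key: string): Promise<number> { return this.zset(key).size; }
  async zminscore(key: string): Promise<number | null> {
    const scores = Array.from(this.zset(key).values());
    return scores.length ? Math.min(...scores) : null;
  }
  async expire(key: string, seconds: number): Promise<void> { this.zsetExpiry.set(key, this.now() + seconds * 1000); }
  async set(key: string, value: string, ttlSeconds?: number): Promise<void> {
    this.kv.set(key, { value, expiresAt: ttlSeconds === undefined ? null : this.now() + ttlSeconds * 1000 });
  }
  async get(key: string): Promise<string | null> {
    const e = this.kv.get(key);
    if (!e) return null;
    if (e.expiresAt !== null && e.expiresAt <= this.now()) { this.kv.delete(key); return null; }
    return e.value;
  }
  async del(key: string): Promise<void> { this.kv.delete(key); }
}

interface Decision { allowed: boolean; remaining: number; retryAfter: number } // retryAfter in seconds

class SlidingWindowLimiter {
  private seq = 0;
  private readonly store: Store; private readonly windowMs: number;
  private readonly max: number; private readonly now: () => number;
  constructor(store: Store, windowMs: number, max: number, now: () => number) {
    this.store = store; this.windowMs = windowMs; this.max = max; this.now = now;
  }
  async hit(ip: string): Promise<Decision> {
    const key = `rl:${ip}`;
    const ts = this.now();
    // Record first, then count: rejected requests stay in the log, so a client that keeps
    // hammering stays limited until it backs off for a full window (burst protection).
    // Against real Redis these four commands go in one MULTI/EXEC or a Lua script so two
    // API instances cannot interleave between counting and adding.
    await this.store.zadd(key, ts, `${ts}-${this.seq++}`);
    await this.store.zremrangebyscore(key, ts - this.windowMs);
    const count = await this.store.zcard(key);
    await this.store.expire(key, Math.ceil(this.windowMs / 1000));
    if (count <= this.max) return { allowed: true, remaining: this.max - count, retryAfter: 0 };
    const oldest = (await this.store.zminscore(key)) ?? ts;
    return { allowed: false, remaining: 0, retryAfter: Math.max(1, Math.ceil((oldest + this.windowMs - ts) / 1000)) };
  }
}

class BanList {
  private readonly store: Store;
  constructor(store: Store) { this.store = store; }
  // Omit durationSec for a permanent ban; with it, Redis expires the key by itself.
  async ban(ip: string, reason: string, durationSec?: number): Promise<void> { await this.store.set(`ban:${ip}`, reason, durationSec); }
  async reason(ip: string): Promise<string | null> { return this.store.get(`ban:${ip}`); }
  async unban(ip: string): Promise<void> { await this.store.del(`ban:${ip}`); }
}

interface Verdict { status: 200 | 403 | 429; body: Record<string, unknown> }

// Ban check first (one GET, no writes), then the limiter. 403 for bans is an assumption.
async function guard(ip: string, bans: BanList, limiter: SlidingWindowLimiter): Promise<Verdict> {
  const reason = await bans.reason(ip);
  if (reason !== null) return { status: 403, body: { error: 'IP banned', reason } };
  const d = await limiter.hit(ip);
  if (!d.allowed) return { status: 429, body: { error: 'Too many requests, please try again later', retryAfter: d.retryAfter } };
  return { status: 200, body: { message: 'Request successful', requestsRemaining: d.remaining } };
}

// Deterministic walk-through on constructed input: 3 requests per second from one IP.
async function demo(): Promise<number[]> {
  let clock = 1700000000000;
  const now = () => clock;
  const store = new MemoryStore(now);
  const limiter = new SlidingWindowLimiter(store, 1000, 3, now);
  const bans = new BanList(store);
  const ip = '203.0.113.7';
  const statuses: number[] = [];
  for (let i = 0; i < 4; i++) statuses.push((await guard(ip, bans, limiter)).status); // 200 200 200 429
  clock += 1001; statuses.push((await guard(ip, bans, limiter)).status);               // 200: window slid
  await bans.ban(ip, 'Abuse detected', 60);
  statuses.push((await guard(ip, bans, limiter)).status);                              // 403: banned
  clock += 61000; statuses.push((await guard(ip, bans, limiter)).status);              // 200: ban expired
  return statuses;
}
```

Two design points worth keeping when porting this to ioredis: the per-key EXPIRE keeps idle clients from leaving sorted sets behind forever, and the ban lookup runs before the limiter so a banned address costs one GET per request rather than a write to the window.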
API Endpoints:

```http
# Ban an IP
POST /api/v1/admin/ban
Body: { "ip": "192.168.1.100", "reason": "Abuse detected" }

# Unban an IP
DELETE /api/v1/admin/ban/192.168.1.100

# List all banned IPs
GET /api/v1/admin/bans
```

Metrics Tracked:
- Total requests (last 24h, 7d, 30d)
- Rate limit violations
- Banned IPs count
- Top abusive IPs
- Request distribution by endpoint
- Redis memory usage
- API response times
Dashboard Features:
- Live request counter
- Rate limit hit ratio
- Geographic IP distribution (optional)
- Historical trends (charts)
Capabilities:
- View system stats
- Monitor rate limit violations
- Ban/unban IPs manually
- Search request logs
- Configure rate limits (coming soon)
- Export data to CSV
- Node.js 18+
- Redis 7+ (local or Redis Cloud)
- Docker (optional)
- npm or yarn
1. Clone Repository

```bash
git clone https://github.com/DIYA73/api-rate-guardian.git
cd api-rate-guardian
```

2. Install Dependencies

```bash
npm install
```

3. Environment Setup
Create a .env file:

```bash
# Server
NODE_ENV=development
PORT=5000
# Redis
REDIS_URL=redis://localhost:6379
# Or Redis Cloud:
# REDIS_URL=redis://default:password@your-redis-cloud.com:12345
# JWT
JWT_SECRET=your-super-secret-jwt-key-min-32-characters
JWT_EXPIRES_IN=24h
# Admin Credentials (for initial setup)
ADMIN_EMAIL=admin@example.com
ADMIN_PASSWORD=changeme123
# Rate Limiting
DEFAULT_RATE_LIMIT_WINDOW_MS=900000
DEFAULT_RATE_LIMIT_MAX=100
# CORS (comma-separated)
ALLOWED_ORIGINS=http://localhost:3000,http://localhost:5173
```

The placeholder values are for local development only: generate JWT_SECRET from a CSPRNG (for example `openssl rand -base64 48`), replace ADMIN_PASSWORD before the service is reachable from anywhere else, and keep .env out of version control (.env.example is the committed template).

4. Start Redis
```bash
# Using Docker
docker run -d -p 6379:6379 redis:7-alpine
# Or use local Redis installation
redis-server
```

5. Run Backend

```bash
# Development mode with hot reload
npm run dev
# Production mode
npm run build
npm start
```

Backend runs on http://localhost:5000

6. Run Admin UI (Optional)

```bash
cd admin-ui
npm install
npm run dev
```

Admin UI runs on http://localhost:3000

All-in-one command:

```bash
docker-compose up -d
```

This starts:
- API server on port 5000
- Redis on port 6379
- Admin UI on port 3000
```text
api-rate-guardian/
├── src/                          # Backend source code
│   ├── controllers/              # Request handlers
│   │   ├── auth.controller.ts
│   │   ├── admin.controller.ts
│   │   └── stats.controller.ts
│   ├── middleware/               # Express middleware
│   │   ├── auth.middleware.ts
│   │   ├── rateLimiter.middleware.ts
│   │   └── ipBan.middleware.ts
│   ├── routes/                   # API routes
│   │   ├── auth.routes.ts
│   │   ├── admin.routes.ts
│   │   └── public.routes.ts
│   ├── services/                 # Business logic
│   │   ├── redis.service.ts
│   │   ├── rateLimiting.service.ts
│   │   └── stats.service.ts
│   ├── config/                   # Configuration
│   │   ├── redis.config.ts
│   │   └── jwt.config.ts
│   ├── types/                    # TypeScript types
│   │   └── index.d.ts
│   ├── utils/                    # Utilities
│   │   ├── logger.ts
│   │   └── errors.ts
│   ├── app.ts                    # Express app
│   └── server.ts                 # Entry point
│
├── admin-ui/                     # React admin dashboard
│   ├── src/
│   │   ├── components/
│   │   ├── pages/
│   │   ├── services/
│   │   └── App.tsx
│   ├── public/
│   │   └── screenshots/          # UI screenshots
│   └── package.json
│
├── tests/                        # Test files
│   ├── unit/
│   ├── integration/
│   └── e2e/
│
├── docs/                         # Documentation
│   ├── API.md                    # API documentation
│   ├── DEPLOYMENT.md             # Deployment guide
│   └── ARCHITECTURE.md           # Architecture details
│
├── screenshots/                  # Project screenshots
├── .env.example                  # Environment template
├── docker-compose.yml            # Docker Compose config
├── Dockerfile                    # Backend Dockerfile
├── tsconfig.json                 # TypeScript config
└── README.md                     # This file
```
Health Check

```http
GET /api/v1/health
```

Response 200:

```json
{
  "status": "ok",
  "redis": "connected",
  "uptime": 3600
}
```

Test Rate Limiting

```http
GET /api/v1/public/test
```

Response 200:

```json
{
  "message": "Request successful",
  "requestsRemaining": 95
}
```

Response 429 (Rate Limited):

```json
{
  "error": "Too many requests, please try again later",
  "retryAfter": 300
}
```

Admin Login

```http
POST /api/v1/auth/login
```

Body:

```json
{
  "email": "admin@example.com",
  "password": "your-password"
}
```

Response 200:

```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expiresIn": "24h"
}
```

Get System Stats

```http
GET /api/v1/admin/stats
Authorization: Bearer <token>
```

Response 200:

```json
{
  "totalRequests24h": 15234,
  "totalRequests7d": 98765,
  "rateLimitViolations": 234,
  "bannedIPs": 12,
  "topAbusiveIPs": [
    { "ip": "1.2.3.4", "requests": 5000 }
  ],
  "redisMemoryUsage": "15.2 MB"
}
```

Ban IP Address

```http
POST /api/v1/admin/ban
Authorization: Bearer <token>
```

Body (`duration` is in seconds and optional; omit it for a permanent ban):

```json
{
  "ip": "192.168.1.100",
  "reason": "Excessive requests",
  "duration": 3600
}
```

Response 201:

```json
{
  "message": "IP banned successfully",
  "ip": "192.168.1.100",
  "expiresAt": "2024-01-15T12:00:00Z"
}
```

Unban IP Address

```http
DELETE /api/v1/admin/ban/:ip
Authorization: Bearer <token>
```

Response 200:

```json
{
  "message": "IP unbanned successfully",
  "ip": "192.168.1.100"
}
```

List Banned IPs

```http
GET /api/v1/admin/bans
Authorization: Bearer <token>
```

Response 200:

```json
{
  "bans": [
    {
      "ip": "192.168.1.100",
      "reason": "Excessive requests",
      "bannedAt": "2024-01-15T10:00:00Z",
      "expiresAt": "2024-01-15T12:00:00Z"
    }
  ]
}
```

Get Redis Stats

```http
GET /api/v1/admin/redis-stats
Authorization: Bearer <token>
```

Response 200:

```json
{
  "connected": true,
  "memoryUsage": "15.2 MB",
  "totalKeys": 1543,
  "uptime": 86400,
  "version": "7.0.5"
}
```
Screenshots (see screenshots/): Secure JWT-based authentication; Real-time stats and monitoring.
Tests:

```bash
# Unit tests
npm test
# Integration tests
npm run test:integration
# E2E tests
npm run test:e2e
# Coverage
npm run test:coverage
```

Manual rate-limit check:

```bash
# Send 150 requests to trigger rate limit
for i in {1..150}; do
  curl http://localhost:5000/api/v1/public/test
done
```

After 100 requests, you'll receive:

```json
{
  "error": "Too many requests, please try again later",
  "retryAfter": 300
}
```

Docker:

Backend Only:
```bash
docker build -t api-rate-guardian .
docker run -p 5000:5000 --env-file .env api-rate-guardian
```

Full Stack (Backend + Redis + Admin UI):

```bash
docker-compose up -d
```

Production Deployment:

```bash
docker-compose -f docker-compose.prod.yml up -d
```

Render (Backend):
- Create a new Web Service
- Connect the GitHub repository
- Configure:
  - Build Command: `npm install && npm run build`
  - Start Command: `npm start`
- Add the environment variables
- Deploy

Redis:
- Use Redis Cloud (free tier available)
- Or add a Redis addon on Render

Admin UI:
- Deploy to Vercel
- Set `REACT_APP_API_URL` to your Render backend URL
Production environment variables:

```bash
NODE_ENV=production
PORT=5000
REDIS_URL=redis://your-redis-cloud-url:port
JWT_SECRET=production-secret-min-32-characters
ALLOWED_ORIGINS=https://your-admin-ui.vercel.app
```

Use a separate, randomly generated JWT_SECRET in production (never the development value) and keep ALLOWED_ORIGINS to the exact origins that serve the admin UI.

Benchmarks:
- Throughput: 1,000+ requests/second
- Latency: <50ms average (p99: <100ms)
- Memory: ~100MB base (scales with Redis data)
- CPU: <10% on moderate load

Load Testing:

```bash
# Using Apache Bench
ab -n 10000 -c 100 http://localhost:5000/api/v1/public/test
# Using autocannon
npx autocannon -c 100 -d 60 http://localhost:5000/api/v1/public/test
```

With the default limit of 100 requests per 15 minutes per IP, a load test from one machine gets 429 responses after the first 100 requests, so raise DEFAULT_RATE_LIMIT_MAX for throughput measurements or treat the run as a measurement of the 429 path.

Implemented Security Measures:
- JWT authentication for admin routes
- Helmet.js security headers
- CORS configuration
- Input validation
- Rate limiting (of course!)
- IP-based access control
- Environment variable secrets
- Redis password authentication
- HTTPS enforcement (production)
Security Headers:

```json
{
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "X-XSS-Protection": "1; mode=block",
  "Strict-Transport-Security": "max-age=31536000"
}
```

Note: Helmet 4 and later send `X-XSS-Protection: 0` by default, because the legacy browser XSS filter is deprecated and has itself been abused to introduce vulnerabilities; treat the `1; mode=block` value above as a record of an older configuration rather than something to re-enable.

Roadmap, completed:
- Redis-backed rate limiting
- IP ban system
- JWT authentication
- Admin API
- Docker deployment
- Live production deployment
Roadmap, planned:
- Admin UI enhancements
- Custom rate limit rules per endpoint
- Geographic IP tracking
- Email notifications for abuse
- API key-based rate limiting (not just IP)
- Advanced analytics dashboard
- Multi-tenancy support
- Custom rule engine (e.g., "ban if 500+ req in 1 min")
- Webhook integrations
- Machine learning-based anomaly detection
- DDoS protection layer
- GraphQL endpoint
- Prometheus metrics export
- Kubernetes deployment manifests
Integration example (calling Rate Guardian from another service):

```typescript
import axios from 'axios';

const GUARDIAN_URL = 'https://api-rate-guardian-1.onrender.com';

// Ask Rate Guardian whether this client IP is still allowed.
async function checkRateLimit(ip: string): Promise<boolean> {
  try {
    const response = await axios.get(`${GUARDIAN_URL}/api/v1/check/${encodeURIComponent(ip)}`, {
      timeout: 2000, // a slow or hung guardian must not stall every request
    });
    return response.data.allowed === true;
  } catch (error) {
    // Fail open: allow the request if Rate Guardian is down or slow.
    // This favours availability over enforcement; return false here
    // if a missed block matters more to you than dropped requests.
    return true;
  }
}

// In your Express app. req.ip is only the real client address behind a proxy
// or load balancer if app.set('trust proxy', ...) matches your topology;
// otherwise a client can pick its own key via X-Forwarded-For.
app.use(async (req, res, next) => {
  const clientIP = req.ip ?? '';
  const allowed = await checkRateLimit(clientIP);
  if (!allowed) {
    return res.status(429).json({ error: 'Rate limit exceeded' });
  }
  next();
});
```

Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Write tests for new features
- Follow TypeScript best practices
- Update documentation
- Submit a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
DIYA73
- GitHub: @DIYA73
- LinkedIn: linkedin.com/in/didi-86b00329a
- Live Demo: api-rate-guardian-1.onrender.com
- Redis team for the amazing in-memory database
- Express.js community
- Open-source contributors
If API Rate Guardian helps protect your APIs, please star the repository!
Protecting APIs, one request at a time.
Made with love for developers who care about API security

