@kvinwang kvinwang commented Jan 28, 2026

Summary

Add a configurable maximum number of concurrent connections per app to prevent a single slow or overloaded app from exhausting system resources (especially the upstream port pool) and affecting other apps.

  • Add max_connections_per_app config option in [core.proxy] section
  • Default value: 2000 connections per app
  • Set to 0 for unlimited (not recommended in production)
  • Check connection count before establishing new backend connections
  • Log warning when rate limit is exceeded

Background

When an app becomes slow or overloaded, connections to it accumulate and don't release promptly. This can exhaust the upstream load balancer's port pool (since all connections come from the same source IP), causing connection failures for ALL apps - not just the problematic one.

This rate limiting ensures that a single misbehaving app cannot monopolize resources and impact the entire gateway.

Configuration

[core.proxy]
# Maximum concurrent connections per app. 0 means unlimited.
max_connections_per_app = 2000

Test Results

Tested on TDX host with gateway CVM (10.20.0.124:14100, max_connections_per_app = 50) and echo CVM (ports 5001-5005).

Test 1: 30 connections (within limit)

  • Result: 30/30 all succeeded, 0 errors

Test 2: 100 connections (exceeding limit)

  • TCP+TLS: 100/100 succeeded (rate limit applies at backend connection stage, not TLS handshake)
  • Active (got upstream response): 50 — exactly at the limit
  • Upstream errors: 50 — excess connections rejected
  • Gateway logs WARN correctly: app connection limit exceeded app_id="..." total=50 max_connections=50

=== Final Stats ===
TCP connected:   100
TLS completed:   100
Active (got response): 50
Closed:          50
Err upstream:    50

Conclusion

Rate limiting works as expected, precisely capping concurrent backend connections per app. Excess connections are rejected after TLS handshake but before backend connection establishment.
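
A minimal sketch of the mechanism described above, added here as an illustration and not the gateway's own code: a per-app concurrent-connection counter that is checked after the TLS handshake and before the backend connection, with 0 meaning unlimited. The names `AppLimiter`, `ConnGuard` and `try_acquire` are hypothetical, and the slot is released by an RAII guard so a slow app's count drops only when its connections actually close.

```rust
use std::collections::HashMap;
use std::sync::{Arc, Mutex};

/// Per-app concurrent connection counter (hypothetical type, not the gateway's).
pub struct AppLimiter {
    max_per_app: usize, // 0 = unlimited, mirroring max_connections_per_app
    counts: Arc<Mutex<HashMap<String, usize>>>,
}

/// Held for the lifetime of one backend connection; frees the slot on drop.
pub struct ConnGuard {
    app_id: String,
    counts: Arc<Mutex<HashMap<String, usize>>>,
}

impl AppLimiter {
    pub fn new(max_per_app: usize) -> Self {
        Self { max_per_app, counts: Arc::new(Mutex::new(HashMap::new())) }
    }
    /// Call before dialing the backend. Err carries the app's current total,
    /// which is what a warning log line would report.
    pub fn try_acquire(&self, app_id: &str) -> Result<ConnGuard, usize> {
        let mut counts = self.counts.lock().unwrap_or_else(|e| e.into_inner());
        let n = counts.entry(app_id.to_string()).or_insert(0);
        if self.max_per_app != 0 && *n >= self.max_per_app {
            return Err(*n); // at the cap: reject without touching the backend
        }
        *n += 1;
        Ok(ConnGuard { app_id: app_id.to_string(), counts: Arc::clone(&self.counts) })
    }
    pub fn active(&self, app_id: &str) -> usize {
        self.counts.lock().unwrap_or_else(|e| e.into_inner()).get(app_id).copied().unwrap_or(0)
    }
}

impl Drop for ConnGuard {
    fn drop(&mut self) {
        let mut counts = self.counts.lock().unwrap_or_else(|e| e.into_inner());
        if let Some(n) = counts.get_mut(&self.app_id) {
            *n -= 1;
            if *n == 0 { counts.remove(&self.app_id); } // keep the map bounded
        }
    }
}

fn main() {
    // Constructed scenario matching Test 2: limit 50, 100 attempts for one app.
    let lim = AppLimiter::new(50);
    let held: Vec<_> = (0..100).filter_map(|_| lim.try_acquire("app-a").ok()).collect();
    println!("active={} rejected={}", lim.active("app-a"), 100 - held.len());
}
```
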

@kvinwang kvinwang force-pushed the feat/gateway-rate-limit branch from 2eafdc5 to fb2b6bd Compare January 28, 2026 09:54
Add configurable maximum concurrent connections per app to prevent a single
slow or overloaded app from exhausting system resources and affecting other
apps.

- Add `max_connections_per_app` config option (default: 2000, 0 = unlimited)
- Check connection count before establishing new backend connections
- Log warning when rate limit is exceeded
@kvinwang kvinwang force-pushed the feat/gateway-rate-limit branch from fb2b6bd to ec4c463 Compare January 28, 2026 10:28
@kvinwang kvinwang closed this Feb 2, 2026
@kvinwang kvinwang reopened this Feb 2, 2026
@kvinwang kvinwang merged commit 3967eff into master Feb 2, 2026
15 checks passed