
How do I rate limit a public API?

I have an algorithm that receives input and delivers output which I would like developers to use like an API. To prevent denial-of-service attacks and excessive overuse, I want some rate limits or protection. What options do I have? Do I provide accounts and API keys? How would that generally work? And what other ideas are possible for this scenario?

Accounts and API keys do sound like a good idea; if nothing else, it stops people other than your intended developers from being able to access your API.

It should be fairly straightforward to have a simple database table logging the last time a particular API was accessed, and denying re-use if it is accessed too many times in a certain time frame. If possible, return the next time the API will be available for re-use in the output, so developers can throttle accordingly, instead of having to go for a trial and error approach.

Are you expecting the same inputs to be used over and over again, or will it be completely random? What about caching the output and only serving the cache to the developer(s) until the API is ready for re-use? This approach is far less dependent on accounts and keys too.
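The per-key limiter described in this answer, written out as an added example (not code from the original post). It keeps the access log in memory instead of a database table, uses a sliding window per API key, and returns the number of seconds until the next call is allowed so the handler can send it back to the developer; the key set, limits and the `handle_request` wrapper are assumptions for illustration.

```python
import math
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RateLimiter:
    """Sliding-window limiter: at most `limit` calls per `window` seconds per API key.

    Timestamps are kept in process memory here; a real deployment would keep the
    same per-key data in a shared store (database or cache) so every server agrees.
    """
    limit: int
    window: float
    clock: Callable[[], float] = time.monotonic  # injectable for testing
    _calls: dict = field(default_factory=dict)

    def check(self, api_key: str) -> tuple[bool, float]:
        """Return (allowed, retry_after_seconds).

        retry_after is 0.0 when the call is allowed; otherwise it is the time until
        the oldest call in the window expires, i.e. when the key may call again.
        """
        now = self.clock()
        calls = self._calls.setdefault(api_key, deque())
        # Drop timestamps that have fallen out of the window.
        while calls and now - calls[0] >= self.window:
            calls.popleft()
        if len(calls) < self.limit:
            calls.append(now)
            return True, 0.0
        return False, self.window - (now - calls[0])


def handle_request(limiter: RateLimiter, api_key: str, valid_keys: set) -> tuple[int, dict]:
    """Constructed request handler: reject unknown keys, and answer 429 with a
    Retry-After header (whole seconds) when the key has exceeded its limit."""
    if api_key not in valid_keys:
        return 401, {}
    allowed, retry_after = limiter.check(api_key)
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry_after))}
    return 200, {}
```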

API keys can definitely be a good way to go; there is also openAuth ( http://oauth.net ) if you have scenarios where end users will be accessing the service via apps built by third parties.

If you don't want to code the rate limits / key management yourself, it's worth taking a look at http://www.3scale.net/ which does a lot of this free out of the box as a service (plus other stuff including a developer portal, billing and so on). As a disclaimer, I work there so I might have some bias, but we try to make exactly this as simple as possible!

I should add, there's a PHP plugin for 3scale which you can drop into your code and that'll enable all the rate limits etc.

Other options that are slightly less complex, at the expense of accuracy, are using the IP address. Obviously this is easier to overcome, but for the average user who does not know what an IP address is, it works. Also easy to set up.

It all depends on the complexity of the app and the amount of time you've got to do it in.
