moonming/a6-plugin-limit-req
skills/a6-plugin-limit-req/SKILL.md
Skill for configuring the Apache APISIX limit-req plugin via the a6 CLI. Covers leaky-bucket rate limiting, rate/burst configuration, nodelay behavior, key types, Redis policies for distributed limiting, traffic smoothing, and common operational patterns including combination with limit-count.
tools
Updated Apr 21, 2026
$ install --global
skillsauthnpx skillsauth add moonming/a6 a6-plugin-limit-reqInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 12:33 PM4.8s1 file scanned
SKILL.md
- name:
- a6-plugin-limit-req
- description:
- >-
- version:
- 1.0.0
- author:
- Apache APISIX Contributors
- license:
- Apache-2.0
- category:
- plugin
- apisix_version:
- >=3.0.0
- plugin_name:
- limit-req
a6-plugin-limit-req
Overview
The limit-req plugin rate-limits requests using the leaky bucket algorithm.
Unlike limit-count (fixed window), it provides smooth traffic shaping by
throttling burst requests with configurable delays. This prevents traffic spikes
from overwhelming upstream services.
When to Use
- Smooth traffic to protect upstream from sudden spikes
- Enforce per-second QPS limits
- Throttle (delay) excess requests instead of rejecting them immediately
- Combine with
limit-countfor both per-second and per-hour limits
Plugin Configuration Reference
Core Fields
| Field | Type | Required | Default | Description |
|-------|------|----------|---------|-------------|
| rate | number | Yes | — | Sustained requests per second (QPS). > 0 |
| burst | number | Yes | — | Extra burst capacity above rate. >= 0 |
| key | string | Yes | — | Variable to count requests by |
| key_type | string | No | "var" | Key type: "var" or "var_combination" |
| rejected_code | integer | No | 503 | HTTP status on rejection (200–599) |
| rejected_msg | string | No | — | Custom rejection message body |
| nodelay | boolean | No | false | If true, don't delay burst requests |
| allow_degradation | boolean | No | false | Allow requests when plugin fails |
| policy | string | No | "local" | Storage: "local", "redis", or "redis-cluster" |
Redis Fields (when policy: "redis")
| Field | Type | Required | Default |
|-------|------|----------|---------|
| redis_host | string | Yes | — |
| redis_port | integer | No | 6379 |
| redis_username | string | No | — |
| redis_password | string | No | — |
| redis_database | integer | No | 0 |
| redis_timeout | integer | No | 1000 |
| redis_ssl | boolean | No | false |
Redis Cluster Fields (when policy: "redis-cluster")
| Field | Type | Required | Default |
|-------|------|----------|---------|
| redis_cluster_nodes | array[string] | Yes | — |
| redis_cluster_name | string | Yes | — |
| redis_password | string | No | — |
| redis_timeout | integer | No | 1000 |
| redis_cluster_ssl | boolean | No | false |
Leaky Bucket Algorithm
Incoming requests → [ Bucket (burst capacity) ] → Leak at 'rate' per second → Upstream
↓ overflow (> rate + burst)
Rejected (503/429)
| Request Rate | Behavior |
|-------------|----------|
| ≤ rate | Processed immediately |
| > rate but ≤ rate + burst | Delayed (smoothed) if nodelay: false; immediate if nodelay: true |
| > rate + burst | Rejected with rejected_code |
nodelay Explained
nodelay: false(default): Burst requests are delayed (APISIX sleeps) to smooth traffic. Higher latency for burst requests but protects upstream.nodelay: true: Burst requests are processed immediately without delay. Better latency but upstream sees spikes up torate + burst.
Step-by-Step: Basic Rate Limiting
1. Strict QPS limit (no burst)
a6 route create -f - <<'EOF'
{
"id": "strict-qps",
"uri": "/api/*",
"plugins": {
"limit-req": {
"rate": 10,
"burst": 0,
"key": "remote_addr",
"rejected_code": 429,
"nodelay": true
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"backend:8080": 1
}
}
}
EOF
10 requests per second per IP. Anything above is immediately rejected.
2. Smooth traffic with burst allowance
a6 route create -f - <<'EOF'
{
"id": "smooth-api",
"uri": "/api/*",
"plugins": {
"limit-req": {
"rate": 5,
"burst": 10,
"key": "remote_addr",
"rejected_code": 429
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"backend:8080": 1
}
}
}
EOF
- 5 req/s sustained rate
- Up to 10 extra burst requests (delayed to smooth traffic)
- Requests above 15/s rejected with 429
Common Patterns
Multi-variable key
{
"plugins": {
"limit-req": {
"rate": 10,
"burst": 5,
"key_type": "var_combination",
"key": "$remote_addr $http_x_api_version",
"rejected_code": 429
}
}
}
Separate buckets per (IP + API version header) combination.
Combine limit-req + limit-count
{
"plugins": {
"limit-req": {
"rate": 10,
"burst": 20,
"key": "remote_addr",
"rejected_code": 429
},
"limit-count": {
"count": 1000,
"time_window": 3600,
"key": "remote_addr",
"rejected_code": 429
}
}
}
limit-req: Smooths per-second traffic (10 QPS with burst)limit-count: Enforces hourly quota (1000/hour)
This prevents both short-term spikes and long-term abuse.
Distributed rate limiting with Redis
{
"plugins": {
"limit-req": {
"rate": 100,
"burst": 50,
"key": "remote_addr",
"policy": "redis",
"redis_host": "redis.example.com",
"redis_port": 6379,
"redis_password": "secret",
"rejected_code": 429
}
}
}
limit-req vs limit-count
| Aspect | limit-req | limit-count | |--------|-----------|-------------| | Algorithm | Leaky bucket | Fixed window | | Unit | Requests per second | Requests per time window | | Burst handling | Delays or allows | Hard reject | | Traffic shaping | Smooth | Bursty at window boundaries | | Response headers | None | X-RateLimit-* | | Group support | No | Yes | | Best for | QPS protection, traffic smoothing | Quota enforcement, API plans |
Troubleshooting
| Symptom | Cause | Fix |
|---------|-------|-----|
| High latency on burst | nodelay: false delays requests | Set nodelay: true for lower latency |
| All burst requests rejected | burst: 0 | Increase burst to allow some excess |
| No rate limit headers | limit-req doesn't add headers | Use limit-count if headers needed |
| Limits not shared across nodes | policy: "local" | Switch to "redis" or "redis-cluster" |
| Key empty, single bucket for all | Variable doesn't exist | Verify key variable name |
Config Sync Example
version: "1"
routes:
- id: smooth-api
uri: /api/*
plugins:
limit-req:
rate: 10
burst: 20
key: remote_addr
rejected_code: 429
upstream_id: api-upstream
upstreams:
- id: api-upstream
type: roundrobin
nodes:
"backend:8080": 1
Related Skills
moonming/a6-shared
tools
VerifiedTrustedCommunity
Core skill for working with the a6 CLI — the Apache APISIX command-line tool. Provides project conventions, command patterns, architecture overview, and development workflow. Load this skill when working on a6 source code, adding new commands, writing tests, or modifying any a6 component.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-multi-tenant
tools
VerifiedTrustedCommunity
Recipe skill for implementing multi-tenant API gateway patterns using the a6 CLI. Covers tenant isolation via Consumer Groups, host/path/header-based routing, per-tenant rate limiting, context forwarding with proxy-rewrite, and declarative config sync workflows for multi-tenant management.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-mtls
tools
VerifiedTrustedCommunity
Recipe skill for configuring mutual TLS (mTLS) using the a6 CLI. Covers SSL certificate management, upstream mTLS to backend services, client certificate verification, and end-to-end mTLS setup from client through APISIX to upstream.
SKILL.mdUpdated Apr 21, 2026
moonming/a6-recipe-health-check
tools
VerifiedTrustedCommunity
Recipe skill for configuring upstream health checks using the a6 CLI. Covers active health checks (HTTP probing), passive health checks (response analysis), combining both, configuring healthy/unhealthy thresholds, and monitoring upstream node status.
SKILL.mdUpdated Apr 21, 2026