Why you shouldn't use Redis as a rate limiter
19 days ago
- #Redis
- #Performance
- #Rate Limiting
- Redis is being used by many companies for rate limiting, but the author finds this approach problematic.
- Initial attempts to implement rate limiting with Redis involve fixed windows and time-based keys, but these have significant flaws.
- Fixed window implementations can lead to keys expiring incorrectly or not at all, causing rate limits to fail.
- Time-based key solutions can suffer from synchronization issues and the 'lost EXPIRE' bug, where keys may never expire.
- Sliding log window approaches, while more accurate, are inefficient and still don't enforce true rate limits.
- Token bucket algorithms are considered the gold standard for rate limiting but are difficult to implement in Redis without Lua scripts.
- Lua scripts in Redis can enforce rate limits correctly but defeat the purpose of using Redis by requiring complex, database-pausing operations.
- Many published Redis rate limiting solutions have major defects, including race conditions and memory exhaustion vulnerabilities.
- The author concludes that Redis is not a suitable tool for rate limiting due to its inherent limitations and the complexity of correct implementations.
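The 'lost EXPIRE' failure from the summary above, as an added example that is not code from the original article: it assumes the common pattern of sending INCR and EXPIRE as two separate commands, so a client that fails between them leaves a counter with no TTL. `FakeRedis` is a constructed in-memory stand-in for a server, and all function names and the `rl:` key prefix are hypothetical.

```python
# Constructed in-memory model of the three Redis commands used here.
class FakeRedis:
    def __init__(self):
        self.now = 0.0   # simulated clock (seconds)
        self.data = {}   # key -> [count, expires_at or None]

    def _live(self, key):
        entry = self.data.get(key)
        if entry and entry[1] is not None and entry[1] <= self.now:
            del self.data[key]   # lazy expiry
            return None
        return entry

    def incr(self, key):
        entry = self._live(key) or self.data.setdefault(key, [0, None])
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        if (entry := self._live(key)):
            entry[1] = self.now + seconds

    def ttl(self, key):   # -2: no key, -1: key without expiry
        entry = self._live(key)
        if entry is None:
            return -2
        return -1 if entry[1] is None else entry[1] - self.now

def allow_naive(r, client, limit, window, drop_expire=False):
    count = r.incr(f"rl:{client}")
    if count == 1 and not drop_expire:   # drop_expire: client died before EXPIRE
        r.expire(f"rl:{client}", window)
    return count <= limit

def allow_self_healing(r, client, limit, window, drop_expire=False):
    count = r.incr(f"rl:{client}")
    if r.ttl(f"rl:{client}") == -1 and not drop_expire:   # repair a missing TTL
        r.expire(f"rl:{client}", window)
    return count <= limit

def keys_without_ttl(r):   # audit: counters that would never expire
    return sorted(k for k in list(r.data) if r.ttl(k) == -1)

def locked_out_after(allow, windows=3, limit=2, window=60):
    r = FakeRedis()
    allow(r, "alice", limit, window, drop_expire=True)   # first EXPIRE is lost
    for _ in range(limit):
        allow(r, "alice", limit, window)
    r.now += windows * window
    return not allow(r, "alice", limit, window)
```

The self-healing variant only bounds how long a counter can sit without a TTL; it is still two round trips and does not make the limit check itself atomic.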