Using the Request Size Limit middleware with Tyk Classic APIs

The request size limit middleware enables you to apply limits to the size of requests made to your HTTP APIs. You might use this feature to protect your Tyk Gateway or upstream services from excessive memory usage or brute force attacks.

This middleware is configured in the Tyk Classic API Definition. You can do this via the Tyk Dashboard API or in the API Designer.

If you’re using the newer Tyk OAS APIs, then check out the Tyk OAS page.

If you’re using Tyk Operator then check out the configuring the middleware in Tyk Operator section below.

Configuring the middleware in the Tyk Classic API Definition

There are three different levels of granularity that can be used when configuring a request size limit.

• system-wide: affecting all APIs deployed on the gateway
• API-level: affecting all endpoints for an API
• endpoint-level: affecting a single API endpoint

Applying a size limit for a specific API

You can configure a request size limit (in bytes) to an API by configuring the global_size_limit within the version element of the API Definition, for example:

"global_size_limit": 2500 

A value of zero (default) means that no maximum is set and the API-level size limit check will not be performed.

This limit is applied for all endpoints within an API. It is evaluated after the Gateway-wide size limit and before any endpoint-specific size limit. If this test fails, the Tyk Gateway will report HTTP 400 Request is too large.

Applying a size limit for a specific endpoint

The most granular control over request sizes is provided by the endpoint-level configuration. This limit will be applied after any Gateway-level or API-level size limits and is given in bytes. If this test fails, the Tyk Gateway will report HTTP 400 Request is too large.

To enable the middleware you must add a new size_limits object to the extended_paths section of your API definition.

The size_limits object has the following configuration:

• path: the endpoint path
• method: the endpoint HTTP method
• size_limit: the maximum size permitted for a request to the endpoint (in bytes)

For example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

{
    "extended_paths": {
        "size_limits": [
            {
                "disabled": false,
                "path": "/anything",
                "method": "POST",
                "size_limit": 100
            }
        ]
    }
}

In this example the endpoint-level Request Size Limit middleware has been configured for HTTP POST requests to the /anything endpoint. For any call made to this endpoint, Tyk will check the size of the payload (Request body) and, if it is larger than 100 bytes, will reject the request, returning HTTP 400 Request is too large.

Configuring the middleware in the API Designer

You can use the API Designer in the Tyk Dashboard to configure a request size limit for your Tyk Classic API by following these steps.

Step 1: Add an endpoint for the path and select the plugin

From the Endpoint Designer add an endpoint that matches the path for which you want to limit the size of requests. Select the Request size limit plugin.

Step 2: Configure the middleware

Set the request size limit, in bytes.

Step 3: Save the API

Use the save or create buttons to save the changes and activate the middleware.

Configuring the middleware in Tyk Operator

The process for configuring a request size limit is similar to that defined in section configuring the middleware in the Tyk Classic API Definition. Tyk Operator allows you to configure a request size limit for all endpoints of an API or for a specific API endpoint.

Applying a size limit for a specific API

The process for configuring the request size_limits middleware for a specific API is similar to that explained in applying a size limit for a specific API.

You can configure a request size limit (in bytes) for all endpoints within an API by configuring the global_size_limit within the version element of the API Definition, for example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin-global-limit
spec:
  name: httpbin-global-limit
  use_keyless: true
  protocol: http
  active: true
  proxy:
    target_url: http://httpbin.org
    listen_path: /httpbin-global-limit
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        global_size_limit: 5
        name: Default

The example API Definition above configures an API to listen on path /httpbin-global-limit and forwards requests upstream to http://httpbin.org.

In this example the request size limit is set to 5 bytes. If the limit is exceeded then the Tyk Gateway will report HTTP 400 Request is too large.

Applying a size limit for a specific endpoint

The process for configuring the request size_limits middleware for a specific endpoint is similar to that explained in applying a size limit for a specific endpoint.

To configure the request size_limits middleware you must add a new size_limits object to the extended_paths section of your API definition, for example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin-limit
spec:
  name: httpbin-limit
  use_keyless: true
  protocol: http
  active: true
  proxy:
    target_url: http://httpbin.org
    listen_path: /httpbin-limit
    strip_listen_path: true
  version_data:
    default_version: Default
    not_versioned: true
    versions:
      Default:
        name: Default
        use_extended_paths: true
        extended_paths:
          size_limits:
            - method: POST
              path: /post
              size_limit: 5

The example API Definition above configures an API to listen on path /httpbin-limit and forwards requests upstream to http://httpbin.org.

In this example the endpoint-level Request Size Limit middleware has been configured for HTTP POST requests to the /post endpoint. For any call made to this endpoint, Tyk will check the size of the payload (Request body) and, if it is larger than 5 bytes, will reject the request, returning HTTP 400 Request is too large.