I'm currently using an API Gateway to listen for web-hooks, and then the web-hook's payload is then offloaded to a lambda. The problem is that the web-hook's payload size can vary. I'm aware that API Gateway's allows for request of 10 MBs; while, lambdas allow only up to 6 MBs. Due to that, I don't want accept any payloads that exceed 6 MB. So I'm wondering if there's any way to filter out request prior to hitting my lambda that exceed 6MBs or some desired amount?
Also I've look into AWS' WAF, but that seems to only apply to request under 8KB if you use a size constraint statement. I don't think this would work in my case as I can easily see the payloads exceeding that amount.
Related
I've created a PUT endpoint on a tomcat server using Spring boot. For safety reasons, I don't want the body size to exceed a certain amount, so I was checking whether there is a limit as there is for POST requests (which I know stays at 2MB)
At the same time I don't find any documentation for the PUT requests. Is there a limit for those too?
I currently have a lambda that is triggered by requests made to an API Gateway route, and I made some research about how to set a payload limit (e.g. 2kb) for this route. My goal is to guarantee that my lambda will never receive a large input to deal with, so it will have a slight execution time and low costs.
I found that the default payload limit for AWS API Gateway is 10 MB, while the default limit to AWS Lambda is 6 MB. Both of them cannot be increased.
However, I did not found any docs or discussion about how to decrease it. Is it possible? Are there any other AWS services that I should use as a middleware between API Gateway and my lambda to limit the received input? Or should I solve it by another approach?
AWS API Gateway does not have the functionality you are describing.
What you are describing I would consider a WAF function, and indeed AWS WAF does have this functionality.
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-size-conditions.html
I'm hesitant to add the following as it is a complete mis-use of the toolset, but...
A dirty and likely an inexact method to restrict payload size using just API Gateway would be check the length of the body of the incoming request with an IF statement in a body mapping template in the Integration Response, and if it is over a certain length, ignore it.
Example assuming Content-Type is application/json:
#set($allParams = $input.params())
{
#if ($input.body.length() < 5000)
"request" : $input.json('$')
#else
"request" : null
#end
}
The 5000 is just an arbitrary number, I haven't done the maths.
Doing this would still lead to your Lambda function being invoked even if the payload was to big (well long), and the Lambda would need to be able to deal with an empty request, but it will never receive a request with more than 5000 characters.
I have a REST API that is expected to receive a large payload as request body. The API calls a blocking method that takes 2 seconds to process each request and then returns 200 OK. I wish to introduce throttling based on available memory such that the API returns 429 Too Many Request when the available memory falls below a threshold.
When the threshold condition is met, I wish to reject subsequent requests right away, even before loading the large request payloads in my application memory. This will also give me some protection against denial of service attacks.
In a Java EE, Tomcat environment, if I use a Filter to check available memory, I understand the complete request is already loaded in memory. Is it then better to add the check in ServletRequestListener.requestInitialized method so that I can reject the request even before the app receives it?
P.S. I use the below formula to calculate available memory based on this SO post:
long presumableFreeMemory =
Runtime.getRuntime().maxMemory()
- Runtime.getRuntime().totalMemory()
+ Runtime.getRuntime().freeMemory();
I have an angularjs app that calls a RESTful service at apiary.io
Does apiary.io throttle responses and delay responses after a certain number have been received?
If so what are the parameters?
Currently, Apiary limits you for 120 reqs/minute/IP.
There are no artificial delays, but occasionally someones floods Apiary with production traffic and even when ratelimiting is fairly efficient, it may temporarily degrade service for other users.
You can (and should) check X-Apiary-RateLimit-Limit and X-Apiary-RateLimit-Remaining header. Once you'll hit the limit, Apiary will sent Retry-After header you should obey.
From their docs:
API Call Limit
API calls are subject to the default limit of 15 requests per second and exceeding this limit will result in all endpoints returning an HTTP status code of 429. Limits are per API key. If the limit is exceeding then the API Key will be blocked for the remainder of the sample period. If an API key continually hits the call limit we reserve the right to permanently block the key and to charge a fee to unblock the key.
To determine the API call amount we monitor the traffic over a sample period. If the traffic results in a particular API key reaching 80% of the limit (i.e., 12 if the limit is 15) over the sample period then the responses will start to contain a throttle node which contains useful information on how close you are to reaching the call limit.
I have a series of apis built using Web API 2.0. How can I increase the maximum message size for some actions and lower it for others? For example, I want a POST to /Person to have a maximum message size of 200 bytes but a bulk endpoint (POSTing to /Results) to be much larger.
You can create an action filter that will prevent a message that is too large from being processed. However, it will not prevent the server from actually receiving the message.
If you really want to prevent large messages from being received you will need to do that as a message handler and you would have to look at a portion of the URI to decide whether to fail or not.