Enable Rack::Attack for rate limiting searches


We'd like to be able to rate limit searches (including filtering). Luckily, we have Rack::Attack! So let's put that to work.

There will be two rate limit settings. One will be for bookmarks (unicorn_elastic_bookmarks), the other (unicorn_elastic) will be for everything else.

Testing instructions

The limits have been adjusted to allow for easier testing, so these numbers will of course not apply to real use.

  • Go to one of the URLs affected by the issue

  • Enter the Lockup password if necessary

  • In your browser's dev tools, go to the Network tab, locate the GET request for the page, and right click on that and choose "Copy as cURL". More info on Copy as cURL in a variety of browsers.

  • Paste the cURL command you just copied somewhere you can edit it, e.g. a text editor. It will look something like this:

  • We want to run this command 60 times and hit a different URL each time to avoid caching. We’re going to add a line at the top telling it how many times to run (for i in {1..60}; do) and then modify the URL we’re hitting (here the collection name is replaced with $i – if you’re using a tag’s or user’s works or bookmarks URL, you would replace the tag or username with $i) and then end the loop at the end with ; done

  • Now copy this into your command line and run it

The first output you see should list the response code as HTTP/2 200, indicating you’ve successfully reached the page, and then later ones should list HTTP/2 429, indicating you’ve been rate limited. If you try to go to any of the listed Elasticsearch page in your browser, you should get a “Retry later” message. If you try to go to a different page, e.g. the home page, you should be able to access it.









Affects versions

Fix versions






Internal 0.9