Rate Limits and Connection Limits

Rate limits protect login, API, chat, WebSocket connection attempts, and streaming paths. Multi-replica deployments depend on Redis for shared rate-limit state.

These fields control long-lived and WebSocket-style connections.

| Field | Default | Purpose |
| --- | --- | --- |
| connection_limits.max_per_user | 20 | Maximum concurrent connections per user |
| connection_limits.max_per_room | 2000 | Maximum concurrent connections per room |
| connection_limits.max_total | 100000 | Maximum concurrent connections globally |
| connection_limits.idle_timeout_seconds | 300 | Disconnect idle connections |
| connection_limits.max_duration_seconds | 86400 | Maximum connection lifetime |
| connection_limits.ws_message_rate_limit_per_second | 50 | Per-connection WebSocket message rate |

When sizing these values, consider CPU, memory, file descriptor limits, reverse proxy limits, and Kubernetes resource limits.

Business-layer chat limits:

messaging_rate_limits:
  chat_per_second: 10
  window_seconds: 1

Request limits are shared across HTTP and gRPC transports:

request_rate_limits:
  auth_max_requests: 5
  auth_window_seconds: 60
  write_max_requests: 120
  write_window_seconds: 60
  read_max_requests: 600
  read_window_seconds: 60
  media_max_requests: 120
  media_window_seconds: 60
  admin_max_requests: 180
  admin_window_seconds: 60
  streaming_max_requests: 1200
  streaming_window_seconds: 60
  websocket_max_requests: 60
  websocket_window_seconds: 60

Each group uses:

  • *_max_requests: maximum allowed requests in one window.
  • *_window_seconds: window length in seconds.

Categories:

| Category | Purpose |
| --- | --- |
| auth | Login, registration, refresh, and other auth endpoints |
| write | Create, update, delete operations |
| read | List, detail, and status queries |
| media | Add, remove, parse, and batch media operations |
| admin | Administrative endpoints |
| streaming | HLS, FLV, media proxy, and similar streaming HTTP paths |
| websocket | WebSocket connection attempts |

Auth limits should remain strict on public deployments. Streaming limits are higher because HLS playback can generate many playlist and segment requests.

HTTP and gRPC requests use the same category budgets.

Without Redis, rate limit state is stored in process memory.

For multi-replica deployments, Redis is required for meaningful global limits. Otherwise each replica counts separately. With three replicas and an auth limit of 5 per minute, a client could effectively get 15 attempts per minute if requests are distributed across all replicas.
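The three-replica case above can be reproduced with a small simulation. This is an added example, not the project's code: it assumes a fixed-window counter (the page does not name the algorithm), a round-robin load balancer, and a plain dictionary standing in for Redis; `FixedWindowLimiter` and `admitted` are hypothetical names.

```python
from collections import defaultdict
from itertools import cycle

AUTH_MAX_REQUESTS = 5      # auth_max_requests from the config above
AUTH_WINDOW_SECONDS = 60   # auth_window_seconds from the config above


class FixedWindowLimiter:
    """Fixed-window counter (assumed algorithm).

    `store` maps (client, window index) -> request count. Passing the same
    store to every replica models shared state; a private store per replica
    models in-process memory.
    """

    def __init__(self, store, max_requests, window_seconds):
        self.store = store
        self.max_requests = max_requests
        self.window_seconds = window_seconds

    def allow(self, client, now):
        key = (client, int(now // self.window_seconds))
        if self.store[key] >= self.max_requests:
            return False
        # A real shared store needs an atomic increment here.
        self.store[key] += 1
        return True


def admitted(replicas, shared, attempts=30, client="203.0.113.7"):
    """Count auth attempts admitted within one window when one client is
    round-robined across `replicas` instances (constructed sample traffic)."""
    shared_store = defaultdict(int)  # stands in for Redis
    limiters = [
        FixedWindowLimiter(shared_store if shared else defaultdict(int),
                           AUTH_MAX_REQUESTS, AUTH_WINDOW_SECONDS)
        for _ in range(replicas)
    ]
    balancer = cycle(limiters)
    # One attempt per second, all inside the same 60-second window.
    return sum(next(balancer).allow(client, now=t) for t in range(attempts))


if __name__ == "__main__":
    for n in (1, 3):
        print(f"{n} replica(s): in-memory={admitted(n, shared=False)} "
              f"shared={admitted(n, shared=True)}")
```
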

| Deployment shape | Requirement |
| --- | --- |
| Local testing | Redis optional |
| Production single-node | Configure Redis |
| Multi-replica | Redis required |