Note: Kilter is functionally complete but not yet well tested. Use in production at your own risk.
A high-performance rate-limiting reverse proxy built on Cloudflare's Pingora framework, inspired by sphinx.
Search engine crawlers are good for your site, but aggressive scrapers are not. Kilter lets you distinguish between them:
- Built-in IP sets for Google, Bing, OpenAI (SearchBot, GPTBot, ChatGPT-User) - fetched at startup
- Exclude known crawlers from rate limits using IP sets or User-Agent patterns
- Throttle unrecognized bots with tight limits while leaving verified crawlers unrestricted
- Short-lived IP blocks: Every block carries a TTL. Blocks expire automatically - no manual cleanup, no collateral damage from IP rotation.
- Crawler-aware IP sets: Built-in feeds for Google, Bing, OpenAI. Inline CIDR ranges also supported.
- Multiple rate limiting algorithms: Sliding Window, Fixed Window, Token Bucket, and GCRA - all implemented as atomic Redis Lua scripts.
- Distributed: Multiple kilter instances share state through Redis, so limits and blocks apply consistently across your fleet.
- Fail-open: When Redis is unavailable, requests pass through. Your site stays up; you just temporarily lose rate limiting.
- Flexible matching: Apply rules by path regex, header patterns, and IP sets. Combine match and exclude conditions.
- X-Forwarded-For resolution: Trusted proxy chain parsing so you rate-limit the real client IP, not your load balancer.
- Observability: Prometheus metrics, OpenTelemetry tracing, structured logging (default, logfmt, or JSON).
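The trusted-proxy X-Forwarded-For resolution listed above, as an added example that is not Kilter's own code: it walks the header right to left and stops at the first hop outside the trusted ranges, so a client-supplied leftmost entry cannot pick the rate-limit key. `Cidr` and `resolve_client_ip` are hypothetical names, the addresses are constructed, and the right-to-left walk is assumed as the usual approach rather than taken from Kilter's source.

```rust
use std::net::IpAddr;
// Hypothetical helper type for this example; not Kilter's own code.
struct Cidr { base: u128, mask: u128, v4: bool }

fn to_bits(ip: IpAddr) -> (u128, bool) {
    match ip {
        IpAddr::V4(a) => (u32::from(a) as u128, true),
        IpAddr::V6(a) => (u128::from(a), false),
    }
}

impl Cidr {
    fn parse(s: &str) -> Option<Cidr> {
        let (addr, len) = s.split_once('/')?;
        let (bits, v4) = to_bits(addr.parse().ok()?);
        let width: u32 = if v4 { 32 } else { 128 };
        let len: u32 = len.parse().ok()?;
        if len > width { return None; }
        // `len` leading one-bits inside a `width`-bit address.
        let mask = if len == 0 { 0 } else { (!0u128 >> (128 - width)) & (!0u128 << (width - len)) };
        Some(Cidr { base: bits & mask, mask, v4 })
    }
    fn contains(&self, ip: IpAddr) -> bool {
        let (bits, v4) = to_bits(ip);
        v4 == self.v4 && (bits & self.mask) == self.base
    }
}

// Start at the TCP peer and walk X-Forwarded-For right to left, moving past a
// hop only while it is a trusted proxy. The first untrusted hop is the client.
fn resolve_client_ip(peer: IpAddr, xff: Option<&str>, trusted: &[Cidr]) -> IpAddr {
    let is_trusted = |ip: IpAddr| trusted.iter().any(|c| c.contains(ip));
    if !is_trusted(peer) { return peer; } // direct client: its header is unverified
    let mut client = peer;
    for hop in xff.unwrap_or("").rsplit(',') {
        match hop.trim().parse::<IpAddr>() {
            Ok(ip) => { client = ip; if !is_trusted(ip) { break; } }
            Err(_) => break, // malformed entry: keep the last address we could parse
        }
    }
    client
}

fn main() {
    // Constructed sample: load balancer in 10.0.0.0/8, first entry sent by the client.
    let trusted = vec![Cidr::parse("10.0.0.0/8").unwrap()];
    let xff = Some("198.51.100.7, 203.0.113.9, 10.0.0.2");
    let ip = resolve_client_ip("10.0.0.5".parse().unwrap(), xff, &trusted);
    println!("rate-limit key: {}", ip); // 203.0.113.9, not the spoofable 198.51.100.7
}
```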
- Build: `cargo build --release`
- Start Redis: `redis-server`
- Copy and edit `config.ron` for your environment
- Run: `./target/release/kilter`

Check health: `curl http://localhost:8081/healthz`
View metrics: `curl http://localhost:8081/metrics`
Images are published to ghcr.io/tpyo/kilter.
`docker pull ghcr.io/tpyo/kilter:latest`

`docker compose up`

Starts kilter with hot-reload, Redis, a test backend, Grafana, Prometheus, and Tempo.