limiter: Short-circuit when no rates or connections are configured

Every Teleport service creates a Limiter unconditionally, even when
no `connection_limits` are set. Previously, `NewRateLimiter` injected
a fake default rate of 100M req/s to satisfy a non-empty-rates
invariant in `TokenLimiter`. Every request still paid the full cost:
extract client IP, acquire mutex, FnCache lookup, and token bucket
consume - all for a rate that never rejects.

Remove the fake default rate and add early returns throughout the
limiter stack: `RateLimiter.RegisterRequest` returns immediately when
the effective rate set is empty, `TokenLimiter.ServeHTTP` skips IP
extraction and rate consumption, and `ConnectionsLimiter` skips
tracking when `maxConnections` is zero.

Micro-benchmarks on Apple M4 Pro show the noop path is 5-160x faster
in isolation (NoLimits = noop after fix, HighDefaultRate = old
behavior with fake 100M rate):

    BenchmarkRegisterRequest/NoRates              1.85 ns/op    0 B/op   0 allocs/op
    BenchmarkRegisterRequest/HighDefaultRate       306 ns/op   64 B/op   3 allocs/op
    BenchmarkHTTPMiddleware/NoLimits              82.0 ns/op  208 B/op   4 allocs/op
    BenchmarkHTTPMiddleware/HighDefaultRate        405 ns/op  264 B/op   7 allocs/op
    BenchmarkRegisterRequestAndConnection/NoLimits 18.8 ns/op  32 B/op   1 allocs/op
    BenchmarkRegisterRequestAndConnection/HighDefaultRate 323 ns/op 96 B/op 4 allocs/op
    BenchmarkUnaryInterceptor/NoLimits            18.5 ns/op    0 B/op   0 allocs/op
    BenchmarkUnaryInterceptor/HighDefaultRate      322 ns/op   64 B/op   3 allocs/op
    BenchmarkStreamInterceptor/NoLimits           33.2 ns/op   32 B/op   1 allocs/op
    BenchmarkStreamInterceptor/HighDefaultRate     337 ns/op   96 B/op   4 allocs/op

However, a macro-benchmark through a real TCP HTTP server shows no
measurable difference in end-to-end throughput. The limiter's ~300ns
is noise against the ~9500ns of TCP/HTTP overhead per request:

    BenchmarkHTTPServer/NoLimits                  9510 ns/op 4681 B/op  54 allocs/op
    BenchmarkHTTPServer/HighDefaultRate            9600 ns/op 4752 B/op  57 allocs/op

This change is primarily about code clarity - remove the fake default
rate workaround and make the limiter honestly do nothing when no
limits are configured - rather than a meaningful throughput
improvement.

Author: juliaogris

lib/limiter/connlimiter.go

@@ -41,8 +41,9 @@ type ConnectionsLimiter struct {
 	connections map[string]int64
 }
 
-// NewConnectionsLimiter returns new connection limiter, in case if connection
-// limits are not set, they won't be tracked
+// NewConnectionsLimiter returns a new connection limiter. If
+// maxConnections is zero, the limiter performs no tracking and
+// all requests pass through.
 func NewConnectionsLimiter(maxConnections int64) *ConnectionsLimiter {
 	return &ConnectionsLimiter{
 		maxConnections: maxConnections,
@@ -63,6 +64,11 @@ func (l *ConnectionsLimiter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if l.maxConnections == 0 {
+		l.next.ServeHTTP(w, r)
+		return
+	}
+
 	clientIP, err := ratelimit.ExtractClientIP(r)
 	if err != nil {
 		l.log.WarnContext(context.Background(), "failed to extract source IP", "remote_addr", r.RemoteAddr)
@@ -82,7 +88,9 @@ func (l *ConnectionsLimiter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	l.next.ServeHTTP(w, r)
 }
 
-// AcquireConnection acquires connection and bumps counter
+// AcquireConnection increments the connection count for the
+// given token. If maxConnections is zero, it returns nil
+// immediately without tracking.
 func (l *ConnectionsLimiter) AcquireConnection(token string) error {
 	if l.maxConnections == 0 {
 		return nil
@@ -105,7 +113,8 @@ func (l *ConnectionsLimiter) AcquireConnection(token string) error {
 	return nil
 }
 
-// ReleaseConnection decrements the counter
+// ReleaseConnection decrements the connection count for the
+// given token. If maxConnections is zero, it returns immediately.
 func (l *ConnectionsLimiter) ReleaseConnection(token string) {
 	if l.maxConnections == 0 {
 		return
@@ -126,7 +135,9 @@ func (l *ConnectionsLimiter) ReleaseConnection(token string) {
 	}
 }
 
-// GetNumConnection returns the current number of connections for a token
+// GetNumConnection returns the current connection count for the
+// given token. If maxConnections is zero, it returns 0 because
+// connections are not tracked.
 func (l *ConnectionsLimiter) GetNumConnection(token string) (int64, error) {
 	if l.maxConnections == 0 {
 		return 0, nil

lib/limiter/internal/ratelimit/ratelimit.go

@@ -47,8 +47,8 @@ type TokenLimiterConfig struct {
 }
 
 func (t *TokenLimiterConfig) CheckAndSetDefaults() error {
-	if len(t.Rates.m) == 0 {
-		return trace.BadParameter("missing required rates")
+	if t.Rates == nil {
+		t.Rates = &RateSet{m: make(map[time.Duration]*rate)}
 	}
 
 	if t.Clock == nil {
@@ -71,17 +71,22 @@ func New(config TokenLimiterConfig) (*TokenLimiter, error) {
 		log: slog.With(teleport.ComponentKey, "ratelimiter"),
 	}
 
-	bucketSets, err := utils.NewFnCache(utils.FnCacheConfig{
-		// The default TTL here is not super important because we set the
-		// TTL explicitly for each entry we insert.
-		TTL:   10 * time.Second,
-		Clock: config.Clock,
-	})
-	if err != nil {
-		return nil, trace.Wrap(err)
+	// Skip FnCache creation when no rates are configured. FnCache
+	// spawns a background goroutine for cleanup, and the noop path
+	// in ServeHTTP never touches bucketSets.
+	if config.Rates.Len() > 0 {
+		bucketSets, err := utils.NewFnCache(utils.FnCacheConfig{
+			// The default TTL here is not super important because we
+			// set the TTL explicitly for each entry we insert.
+			TTL:   10 * time.Second,
+			Clock: config.Clock,
+		})
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		tl.bucketSets = bucketSets
 	}
 
-	tl.bucketSets = bucketSets
 	return tl, nil
 }
 
@@ -90,6 +95,11 @@ func (tl *TokenLimiter) Wrap(next http.Handler) {
 }
 
 func (tl *TokenLimiter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+	if tl.defaultRates.Len() == 0 {
+		tl.next.ServeHTTP(w, req)
+		return
+	}
+
 	clientIP, err := ExtractClientIP(req)
 	if err != nil {
 		ServeHTTPError(w, req, err)
@@ -146,7 +156,7 @@ type rate struct {
 	burst   int64
 }
 
-// NewRateSet crates an empty rate set.
+// NewRateSet creates an empty rate set.
 func NewRateSet() *RateSet {
 	return &RateSet{m: make(map[time.Duration]*rate)}
 }
@@ -167,6 +177,15 @@ func (rs *RateSet) Add(period time.Duration, average int64, burst int64) error {
 	return nil
 }
 
+// Len returns the number of rates in the set. It is safe to call on a
+// nil receiver.
+func (rs *RateSet) Len() int {
+	if rs == nil {
+		return 0
+	}
+	return len(rs.m)
+}
+
 // MaxPeriod returns the maximum period in the rate set.
 func (rs *RateSet) MaxPeriod() time.Duration {
 	var result time.Duration

lib/limiter/limiter.go

@@ -113,7 +113,7 @@ func (l *Limiter) RegisterRequestAndConnection(token string) (func(), error) {
 
 type RateSet = ratelimit.RateSet
 
-// NewRateSet crates an empty `RateSet` instance.
+// NewRateSet creates an empty RateSet.
 func NewRateSet() *RateSet { return ratelimit.NewRateSet() }
 
 // UnaryServerInterceptor returns a gRPC unary interceptor which

lib/limiter/limiter_test.go

@@ -460,6 +460,169 @@ func mustServeAndReceiveStatusCode(t *testing.T, handler http.Handler, wantStatu
 	require.Equal(t, wantStatusCode, response.StatusCode)
 }
 
+func TestNoRates_RegisterRequest(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewLimiter(Config{})
+	require.NoError(t, err)
+
+	// With no rates configured, RegisterRequest should never reject.
+	for range 100 {
+		require.NoError(t, limiter.RegisterRequest("token1"))
+	}
+}
+
+func TestNoRates_Middleware(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewLimiter(Config{})
+	require.NoError(t, err)
+
+	middleware := MakeMiddleware(limiter)
+	handler := middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusAccepted)
+	}))
+
+	// With no rates and no max connections, every request should pass through.
+	for range 100 {
+		mustServeAndReceiveStatusCode(t, handler, http.StatusAccepted)
+	}
+}
+
+func TestNoRates_CustomRateStillApplied(t *testing.T) {
+	t.Parallel()
+
+	clock := clockwork.NewFakeClock()
+	limiter, err := NewLimiter(Config{Clock: clock})
+	require.NoError(t, err)
+
+	customRate := ratelimit.NewRateSet()
+	err = customRate.Add(time.Minute, 1, 2)
+	require.NoError(t, err)
+
+	// Custom rate should still be enforced even without default rates.
+	require.NoError(t, limiter.RegisterRequestWithCustomRate("token1", customRate))
+	require.NoError(t, limiter.RegisterRequestWithCustomRate("token1", customRate))
+	require.Error(t, limiter.RegisterRequestWithCustomRate("token1", customRate))
+}
+
+func TestNoRates_IsRateLimited(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewRateLimiter(Config{})
+	require.NoError(t, err)
+
+	// With no rates configured, IsRateLimited should always return false.
+	require.False(t, limiter.IsRateLimited("token1"))
+
+	// RegisterRequest is a no-op, so even after many calls the token
+	// should not appear rate-limited.
+	for range 100 {
+		require.NoError(t, limiter.RegisterRequest("token1", nil))
+	}
+	require.False(t, limiter.IsRateLimited("token1"))
+}
+
+func TestNoRates_UnaryServerInterceptor(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewLimiter(Config{})
+	require.NoError(t, err)
+
+	ctx := peer.NewContext(t.Context(), &peer.Peer{Addr: mockAddr{}})
+	serverInfo := &grpc.UnaryServerInfo{FullMethod: "/method"}
+	handler := func(context.Context, any) (any, error) { return "ok", nil }
+
+	interceptor := limiter.UnaryServerInterceptor()
+
+	// With no rates, the interceptor should never reject.
+	for range 100 {
+		resp, err := interceptor(ctx, "request", serverInfo, handler)
+		require.NoError(t, err)
+		require.Equal(t, "ok", resp)
+	}
+}
+
+func TestNoRates_StreamServerInterceptor(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewLimiter(Config{})
+	require.NoError(t, err)
+
+	ctx := peer.NewContext(t.Context(), &peer.Peer{Addr: mockAddr{}})
+	ss := mockServerStream{ctx: ctx}
+	info := &grpc.StreamServerInfo{}
+	handler := func(srv any, stream grpc.ServerStream) error { return nil }
+
+	// With no rates, the interceptor should never reject.
+	for range 100 {
+		require.NoError(t, limiter.StreamServerInterceptor(nil, ss, info, handler))
+	}
+}
+
+func TestNoRates_RegisterRequestAndConnection(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewLimiter(Config{})
+	require.NoError(t, err)
+
+	// With no rates and no max connections, should never reject.
+	for range 100 {
+		release, err := limiter.RegisterRequestAndConnection("127.0.0.1")
+		require.NoError(t, err)
+		release()
+	}
+}
+
+func TestNoRates_WithMaxConnections(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewLimiter(Config{MaxConnections: 2})
+	require.NoError(t, err)
+
+	// Rate limiting should pass through (no rates), but connection
+	// limiting should still enforce.
+	for range 100 {
+		require.NoError(t, limiter.RegisterRequest("token1"))
+	}
+
+	// Connection limit should still work.
+	release1, err := limiter.RegisterRequestAndConnection("127.0.0.1")
+	require.NoError(t, err)
+	release2, err := limiter.RegisterRequestAndConnection("127.0.0.1")
+	require.NoError(t, err)
+
+	// Third connection should be rejected.
+	_, err = limiter.RegisterRequestAndConnection("127.0.0.1")
+	require.Error(t, err)
+	require.True(t, trace.IsLimitExceeded(err))
+
+	// Release one, then the third should succeed.
+	release1()
+	release3, err := limiter.RegisterRequestAndConnection("127.0.0.1")
+	require.NoError(t, err)
+	release2()
+	release3()
+}
+
+func TestNoRates_MiddlewareWithMaxConnections(t *testing.T) {
+	t.Parallel()
+
+	limiter, err := NewLimiter(Config{MaxConnections: 1})
+	require.NoError(t, err)
+
+	// Verify rate limiting passes through in HTTP path by sending
+	// many sequential requests (no concurrent connections).
+	middleware := MakeMiddleware(limiter)
+	handler := middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusAccepted)
+	}))
+
+	for range 100 {
+		mustServeAndReceiveStatusCode(t, handler, http.StatusAccepted)
+	}
+}
+
 func TestRateLimiter_IsRateLimited(t *testing.T) {
 	t.Parallel()
 

lib/limiter/ratelimiter.go

@@ -32,12 +32,6 @@ import (
 	"github.com/gravitational/teleport/lib/utils"
 )
 
-const (
-	// defaultRate is the maximum number of requests per second that the limiter
-	// will allow when no rate limits are configured
-	defaultRate = 100_000_000
-)
-
 // RateLimiter controls connection rate using the token bucket algorithm.
 // See: https://en.wikipedia.org/wiki/Token_bucket
 type RateLimiter struct {
@@ -66,12 +60,6 @@ func NewRateLimiter(config Config) (*RateLimiter, error) {
 			return nil, trace.Wrap(err)
 		}
 	}
-	if len(config.Rates) == 0 {
-		err := limiter.rates.Add(time.Second, defaultRate, defaultRate)
-		if err != nil {
-			return nil, trace.Wrap(err)
-		}
-	}
 
 	if config.Clock == nil {
 		config.Clock = clockwork.NewRealClock()
@@ -89,8 +77,8 @@ func NewRateLimiter(config Config) (*RateLimiter, error) {
 	}
 
 	limiter.rateLimits, err = utils.NewFnCache(utils.FnCacheConfig{
-		// The default TTL here is not super important because we set the
-		// TTL explicitly for each entry we insert.
+		// The default TTL here is not super important because we set
+		// the TTL explicitly for each entry we insert.
 		TTL:   10 * time.Second,
 		Clock: config.Clock,
 	})
@@ -118,14 +106,21 @@ func (l *RateLimiter) IsRateLimited(token string) bool {
 	return bucket.IsRateLimited()
 }
 
-// RegisterRequest increases number of requests for the provided token
-// Returns error if there are too many requests with the provided token.
+// RegisterRequest increases number of requests for the provided token.
+// If neither the default rates nor a custom rate are configured, the
+// request passes through without any limiting.
 func (l *RateLimiter) RegisterRequest(token string, customRate *ratelimit.RateSet) error {
+	// cmp.Or returns the first non-zero value. A non-nil RateSet
+	// with zero entries is still selected over l.rates, which is
+	// fine because Len() == 0 catches that case below.
+	rate := cmp.Or(customRate, l.rates)
+	if rate.Len() == 0 {
+		return nil
+	}
+
 	l.mu.Lock()
 	defer l.mu.Unlock()
 
-	rate := cmp.Or(customRate, l.rates)
-
 	// We set the TTL as 10 times the rate period. E.g. if rate is 100 requests/second
 	// per client IP, the counters for this IP will expire after 10 seconds of inactivity.
 	ttl := rate.MaxPeriod()*10 + 1
@@ -150,7 +145,7 @@ func (l *RateLimiter) RegisterRequest(token string, customRate *ratelimit.RateSe
 	return nil
 }
 
-// Add rate limiter to the handle
+// WrapHandle wraps the given HTTP handler with the rate limiter.
 func (l *RateLimiter) WrapHandle(h http.Handler) {
 	l.TokenLimiter.Wrap(h)
 }