DEV Community: Sami Dghim The latest articles on DEV Community by Sami Dghim (@sami_dghim). https://dev.to/sami_dghim https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F185907%2Ff2555f73-b5d6-4572-acdc-4351526ba8ac.png DEV Community: Sami Dghim https://dev.to/sami_dghim en Scaling Sidekiq in Ruby on Rails: Best Practices, War Stories, and WTF Moments Sami Dghim Sun, 24 Aug 2025 22:35:08 +0000 https://dev.to/sami_dghim/scaling-sidekiq-in-ruby-on-rails-best-practices-war-stories-and-wtf-moments-ce1 https://dev.to/sami_dghim/scaling-sidekiq-in-ruby-on-rails-best-practices-war-stories-and-wtf-moments-ce1 <p>Imagine that your Rails application is running smoothly. Users are satisfied, payments are processed, emails are sent out, and reports are produced. Sidekiq feels like magic.</p> <p>Then one Friday evening (because production issues always happen on Fridays), you check the Sidekiq dashboard 💥</p> <p>Jobs are piling up faster than your interns can say, “Did we forget to add sidekiq_options retry: false again?”</p> <p>Welcome to Sidekiq at scale—where background jobs stop being background and start being your entire life.</p> <p>Here are some lessons I've learned from implementing Sidekiq at scale in production, along with metrics and real-world examples.</p> <h2> 1. Keep Jobs Small and Fast </h2> <p>Jobs should be atomic and quick. A <strong>5–10 second job is already too long</strong> in most production systems.</p> <p>Bad example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">ReportJob</span> <span class="k">def</span> <span class="nf">perform</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="n">generate_pdf</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="c1"># CPU-heavy</span> <span class="n">upload_to_s3</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="c1"># I/O-heavy</span> <span class="n">send_email</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="c1"># External API</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>If this fails halfway, the entire job retries.</p> <p>✅ Better:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">GeneratePdfJob</span> <span class="o">&lt;</span> <span class="no">ApplicationJob</span> <span class="k">def</span> <span class="nf">perform</span><span class="p">(</span><span class="n">user_id</span><span class="p">)</span> <span class="no">PdfGenerator</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="no">User</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="n">user_id</span><span class="p">))</span> <span class="k">end</span> <span class="k">end</span> <span class="k">class</span> <span class="nc">UploadReportJob</span> <span class="o">&lt;</span> <span class="no">ApplicationJob</span> <span class="k">def</span> <span class="nf">perform</span><span class="p">(</span><span class="n">file_path</span><span class="p">)</span> <span class="no">S3Uploader</span><span class="p">.</span><span class="nf">call</span><span class="p">(</span><span class="n">file_path</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="k">class</span> <span class="nc">SendReportJob</span> <span class="o">&lt;</span> <span class="no">ApplicationJob</span> <span class="k">def</span> <span class="nf">perform</span><span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">report_id</span><span class="p">)</span> <span class="no">ReportMailer</span><span class="p">.</span><span class="nf">with</span><span class="p">(</span><span class="n">user_id</span><span class="p">:,</span> <span class="n">report_id</span><span class="p">:).</span><span class="nf">deliver_now</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Chain jobs with callbacks or Sidekiq batches.</p> <h2> 2. Idempotency is Non-Negotiable </h2> <p>Jobs will run <strong>at least once</strong>, sometimes more. If jobs aren’t idempotent, you’ll double-charge customers or send duplicate emails.</p> <p>Instead of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">order</span><span class="p">.</span><span class="nf">mark_as_paid!</span> <span class="n">send_receipt</span><span class="p">(</span><span class="n">order</span><span class="p">)</span> </code></pre> </div> <p>Do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">order</span><span class="p">.</span><span class="nf">update!</span><span class="p">(</span><span class="ss">status: </span><span class="s2">"paid"</span><span class="p">)</span> <span class="k">unless</span> <span class="n">order</span><span class="p">.</span><span class="nf">paid?</span> <span class="no">ReceiptMailer</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="n">order</span><span class="p">).</span><span class="nf">deliver_later</span> <span class="k">unless</span> <span class="n">order</span><span class="p">.</span><span class="nf">receipt_sent?</span> </code></pre> </div> <h2> 3. Use Queues Strategically </h2> <p>Don’t dump everything into <code>default</code>. Separate workloads:</p> <ul> <li> <code>critical</code> → user-facing (emails, webhooks, payments)</li> <li> <code>default</code> → normal jobs (notifications, syncs)</li> <li> <code>low</code> → heavy, non-urgent (reports, exports, ETL)</li> </ul> <p><strong>sidekiq.yml</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">:queues</span><span class="pi">:</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">critical</span><span class="pi">,</span> <span class="nv">5</span><span class="pi">]</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">default</span><span class="pi">,</span> <span class="nv">3</span><span class="pi">]</span> <span class="pi">-</span> <span class="pi">[</span><span class="nv">low</span><span class="pi">,</span> <span class="nv">1</span><span class="pi">]</span> </code></pre> </div> <h2> 4. Monitor Everything </h2> <p>Visibility is critical at scale:</p> <ul> <li> <strong>Sidekiq Web UI</strong> for queue depth &amp; retries</li> </ul> <p>SQL snippet to monitor retries:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="k">count</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">sidekiq_jobs</span> <span class="k">WHERE</span> <span class="n">queue</span> <span class="o">=</span> <span class="s1">'default'</span> <span class="k">AND</span> <span class="n">retry</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span> </code></pre> </div> <h2> 5. Control Concurrency </h2> <p>More threads ≠ better throughput. High concurrency can overwhelm Postgres or external APIs.</p> <p>✅ Start with concurrency = <strong>2–5x your CPU cores</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">:concurrency</span><span class="pi">:</span> <span class="m">15</span> </code></pre> </div> <h2> 6. Redis is Your Heartbeat </h2> <p>Redis is the single point of truth for Sidekiq.</p> <ul> <li>Use <strong>dedicated Redis</strong> (not shared with cache/session store)</li> <li>Monitor memory &amp; latency</li> </ul> <h2> 7. Smart Retries Only </h2> <p>Default retries (up to 25) can flood your system. Customize them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">MyJob</span> <span class="n">sidekiq_options</span> <span class="ss">retry: </span><span class="mi">3</span> <span class="k">def</span> <span class="nf">perform</span> <span class="no">ExternalService</span><span class="p">.</span><span class="nf">call!</span> <span class="k">rescue</span> <span class="no">ExternalService</span><span class="o">::</span><span class="no">InvalidCredentials</span> <span class="c1"># Don’t retry, just fail fast</span> <span class="k">raise</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Shutdown</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <h2> 8. Deploy with Process Separation </h2> <p>Don’t run one mega Sidekiq instance. Separate by queue type.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bundle <span class="nb">exec </span>sidekiq <span class="nt">-q</span> critical,5 <span class="nt">-q</span> default,2 bundle <span class="nb">exec </span>sidekiq <span class="nt">-q</span> low </code></pre> </div> <h2> 9. Dead Jobs are Zombie Failures </h2> <p>Dead jobs = silent failures.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bundle <span class="nb">exec </span>sidekiqctl clean <span class="nt">--all</span> </code></pre> </div> <p>Or query them in Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">Sidekiq</span><span class="o">::</span><span class="no">DeadSet</span><span class="p">.</span><span class="nf">new</span><span class="p">.</span><span class="nf">size</span> </code></pre> </div> <h2> 10. Autoscale or Suffer </h2> <p>In Kubernetes, ECS, or Heroku, autoscale workers on queue latency:</p> <ul> <li>Scale up if latency &gt; 30s</li> <li>Scale down if latency &lt; 5s</li> </ul> <h2> 11. Chain Jobs for External API Pagination </h2> <p>Sometimes, the firehose comes from outside your app. A classic case: syncing a huge dataset from a third-party API that only gives you paginated results.</p> <p>If you naively fetch all pages in one job, you’ll hit rate limits, blow up memory, and make retries a nightmare.</p> <p>✅ Better: chain jobs page by page. Each job handles one page, then enqueues the next, until the API says you’re done. That way:<br> Jobs stay tiny and idempotent.</p> <p>Failures retry gracefully without restarting the whole sync.<br> You respect API rate limits with backoff and jitter.</p> <p>You can fan out each page’s items to dedicated jobs for massive throughput.</p> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">SyncExternalPage</span> <span class="kp">include</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Worker</span> <span class="n">sidekiq_options</span> <span class="ss">queue: :sync</span><span class="p">,</span> <span class="ss">retry: </span><span class="mi">10</span> <span class="k">def</span> <span class="nf">perform</span><span class="p">(</span><span class="n">cursor</span> <span class="o">=</span> <span class="kp">nil</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="no">ExternalClient</span><span class="p">.</span><span class="nf">fetch_page</span><span class="p">(</span><span class="ss">cursor: </span><span class="n">cursor</span><span class="p">)</span> <span class="n">response</span><span class="p">[</span><span class="ss">:items</span><span class="p">].</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">raw</span><span class="o">|</span> <span class="no">UpsertExternalItem</span><span class="p">.</span><span class="nf">perform_async</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="c1"># idempotent per item</span> <span class="k">end</span> <span class="k">if</span> <span class="n">response</span><span class="p">[</span><span class="ss">:next_cursor</span><span class="p">]</span> <span class="c1"># Chain the next page</span> <span class="nb">self</span><span class="p">.</span><span class="nf">class</span><span class="p">.</span><span class="nf">perform_in</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="n">response</span><span class="p">[</span><span class="ss">:next_cursor</span><span class="p">])</span> <span class="k">else</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="s2">"Sync complete ✅"</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">class</span> <span class="nc">UpsertExternalItem</span> <span class="kp">include</span> <span class="no">Sidekiq</span><span class="o">::</span><span class="no">Worker</span> <span class="k">def</span> <span class="nf">perform</span><span class="p">(</span><span class="n">raw</span><span class="p">)</span> <span class="no">ExternalRecord</span><span class="p">.</span><span class="nf">upsert</span><span class="p">(</span> <span class="p">{</span> <span class="ss">external_id: </span><span class="n">raw</span><span class="p">[</span><span class="s2">"id"</span><span class="p">],</span> <span class="ss">name: </span><span class="n">raw</span><span class="p">[</span><span class="s2">"name"</span><span class="p">]</span> <span class="p">},</span> <span class="ss">unique_by: :index_external_records_on_external_id</span> <span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>This pattern lets you chew through millions of external records without drowning your system in retries or hitting API bans.</p> <h2> Conclusion </h2> <p>Sidekiq is incredibly robust, but at scale, you need production-grade practices:</p> <ul> <li>Keep jobs <strong>small, fast, idempotent</strong> </li> <li>Prioritize with <strong>queues</strong> </li> <li>Monitor <strong>latency &amp; retries</strong> </li> <li>Tune <strong>concurrency &amp; Redis</strong> </li> <li>Use <strong>autoscaling</strong> to survive traffic spikes</li> <li>Chain jobs for external API pagination to handle massive datasets gracefully</li> </ul> <p>With these practices, you can confidently handle <strong>millions of jobs per day</strong> without breaking a sweat.</p> <p>✍️ Your turn: what’s your worst Sidekiq horror story? Did you also accidentally email your entire user base at 3am?</p> 🔐 Why Your API Needs Rate Limiting ? Sami Dghim Sun, 10 Aug 2025 12:04:43 +0000 https://dev.to/sami_dghim/why-your-api-needs-rate-limiting--2ckc https://dev.to/sami_dghim/why-your-api-needs-rate-limiting--2ckc <p>If you're running an API — whether it powers a mobile app, third-party integrations, or internal tools — you're always at risk of <strong>misuse</strong>.</p> <p>Sometimes it’s <strong>malicious</strong>: DDoS attacks, brute-force login attempts, or data scrapers.<br><br> Other times, it’s <strong>accidental</strong>: a buggy client stuck in a loop, or QA testing without throttling.</p> <p>Either way, <strong>without rate limiting</strong>, your API becomes a wide-open door for traffic floods that can:</p> <ul> <li>💥 Overload your servers and databases </li> <li>💸 Skyrocket your cloud costs </li> <li>🐌 Degrade performance for real users </li> <li>🛑 Expose security vulnerabilities</li> </ul> <p>The good news? There's a <strong>simple, proactive defense</strong>: <strong>Rate Limiting</strong>.</p> <h2> 🚦 What Is Rate Limiting? </h2> <p>Rate limiting sets a maximum number of requests a client can make to your API within a given time window.</p> <blockquote> <p>Example: <em>"Each IP can make 100 requests per 10 minutes."</em></p> </blockquote> <p>It’s not just about protection — it’s also about <strong>fairness</strong>.<br><br> You don’t want one aggressive user (or bot) consuming all your resources while others get timeouts.</p> <h2> 💡 Why Rate Limiting Matters </h2> <h3> ⚙️ Performance Protection </h3> <p>A sudden burst of requests can queue up, slow down, or even crash your app. Rate limiting prevents this by smoothing out traffic spikes.</p> <h3> 🔒 Security Layer </h3> <p>Brute-force attacks, credential stuffing, and scraping become much harder when request volume is capped.</p> <h3> 💰 Cost Control </h3> <p>Cloud infrastructure scales with traffic — but so do your bills. Preventing junk traffic keeps costs predictable.</p> <h3> ✅ Quality of Service </h3> <p>Legitimate users get consistent, fast responses instead of frustrating timeouts or errors.</p> <h2> ❌ Common Mistakes Without Rate Limiting </h2> <ul> <li>A single misconfigured client breaks the experience for everyone because its loop forgot <code>sleep()</code>. </li> <li>Botnets consume all your API capacity during an attack. </li> <li>Your own QA team accidentally triggers a self-inflicted DoS by hammering endpoints without throttling.</li> </ul> <blockquote> <p>🔥 One uncontrolled script can bring your entire service to its knees.</p> </blockquote> <h2> ✅ Solution 1: <code>Rack::Attack</code> + Redis (Great for Rails APIs) </h2> <p><a href="https://github.com/rack/rack-attack" rel="noopener noreferrer">Rack::Attack</a> is a battle-tested gem for rate limiting in Ruby on Rails apps. Paired with <strong>Redis</strong>, it scales across multiple servers and handles distributed traffic.</p> <h3> How It Works: </h3> <ul> <li>Define limits per IP, user token, or endpoint</li> <li>Automatically return <code>429 Too Many Requests</code> when exceeded</li> <li>Allow safe-lists for health checks or internal services</li> <li>Log and monitor throttled requests for visibility</li> </ul> <h3> Setup </h3> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># Gemfile</span> <span class="n">gem</span> <span class="s2">"rack-attack"</span> <span class="n">gem</span> <span class="s2">"redis"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/application.rb</span> <span class="n">config</span><span class="p">.</span><span class="nf">middleware</span><span class="p">.</span><span class="nf">use</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Attack</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># config/initializers/rack_attack.rb</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Attack</span><span class="p">.</span><span class="nf">cache</span><span class="p">.</span><span class="nf">store</span> <span class="o">=</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">Cache</span><span class="o">::</span><span class="no">RedisCacheStore</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="ss">url: </span><span class="no">ENV</span><span class="p">[</span><span class="s2">"REDIS_URL"</span><span class="p">])</span> <span class="no">Rack</span><span class="o">::</span><span class="no">Attack</span><span class="p">.</span><span class="nf">throttle</span><span class="p">(</span><span class="s2">"requests per IP"</span><span class="p">,</span> <span class="ss">limit: </span><span class="mi">100</span><span class="p">,</span> <span class="ss">period: </span><span class="mi">10</span><span class="p">.</span><span class="nf">minutes</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">req</span><span class="o">|</span> <span class="n">req</span><span class="p">.</span><span class="nf">ip</span> <span class="k">end</span> </code></pre> </div> <p>When the limit is hit, clients receive:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rate_limited"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Too many requests. Please retry later."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>With HTTP status <code>429 Too Many Requests</code>.</p> <p>💡 Pro tip: Use custom throttling keys for authenticated users (<code>req.session['user_id']</code>) or API keys.</p> <h2> ✅ Solution 2: Rails 7.2 Built-In Rate Limiting </h2> <p>Starting in <strong>Rails 7.2</strong>, you can add rate limiting <strong>directly in controllers</strong> — no extra gems needed!</p> <p>This feature is built into <code>ActionController</code> and uses your existing cache store (Redis, Memcached, or memory).</p> <h3> Example 1: Limit Login Attempts </h3> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">SessionsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">5</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">1</span><span class="p">.</span><span class="nf">minute</span><span class="p">,</span> <span class="ss">only: :create</span> <span class="k">end</span> </code></pre> </div> <p>Prevents brute-force attacks by limiting login attempts to 5 per minute per session/IP.</p> <h3> Example 2: Limit API Calls Per User </h3> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="k">class</span> <span class="nc">Api::WidgetsController</span> <span class="o">&lt;</span> <span class="no">ApplicationController</span> <span class="n">rate_limit</span> <span class="ss">to: </span><span class="mi">500</span><span class="p">,</span> <span class="ss">within: </span><span class="mi">1</span><span class="p">.</span><span class="nf">day</span><span class="p">,</span> <span class="ss">by: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">current_user</span><span class="o">&amp;</span><span class="p">.</span><span class="nf">id</span> <span class="o">||</span> <span class="n">request</span><span class="p">.</span><span class="nf">remote_ip</span> <span class="p">},</span> <span class="ss">with: </span><span class="o">-&gt;</span> <span class="p">{</span> <span class="n">render</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"Rate limit exceeded"</span> <span class="p">},</span> <span class="ss">status: :too_many_requests</span> <span class="p">},</span> <span class="ss">only: :index</span> <span class="k">end</span> </code></pre> </div> <h3> Key Options: </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Option</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td><code>to:</code></td> <td>Max number of allowed requests</td> </tr> <tr> <td><code>within:</code></td> <td>Time window (e.g., <code>1.hour</code>)</td> </tr> <tr> <td><code>by:</code></td> <td>Discriminator (user ID, IP, API key)</td> </tr> <tr> <td><code>with:</code></td> <td>Custom response block when throttled</td> </tr> <tr> <td> <code>only:</code> / <code>except:</code> </td> <td>Apply to specific actions</td> </tr> </tbody> </table></div> <blockquote> <p>✅ Perfect for simple, declarative, per-action limits without middleware complexity.</p> </blockquote> <h2> 🛡 Final Thoughts: Rate Limiting = API Armor </h2> <p>Rate limiting isn’t just a performance tweak — it’s <strong>essential infrastructure hygiene</strong>.</p> <p>It:</p> <ul> <li>Prevents single points of failure</li> <li>Defends against common attacks</li> <li>Keeps your cloud costs under control</li> <li>Ensures fair access for all users</li> </ul> <p>Whether you're using <code>Rack::Attack</code> or Rails 7.2’s native tools, <strong>adding rate limiting is one of the highest-impact, lowest-effort improvements</strong> you can make to your API.</p> <p>🛠 Start small. Protect critical endpoints. Scale as needed.</p> <p>Your future self will thank you.</p> <p>💬 <strong>Have questions?</strong><br><br> Are you using rate limiting in production? What strategy works best for your app?</p> <p>Let me know in the comments 👇</p> <h1> rubyonrails #api #security #devops #webdevelopment #backend #rate-limiting #rails7 #redis #tutorial </h1>