HttpLimitZoneModule + Varnish (frontend)

Stefan Caunter stef at scaleengine.com
Tue Jan 24 07:55:35 UTC 2012


On Sun, Jan 22, 2012 at 4:43 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Sat, Jan 21, 2012 at 12:45:02PM -0500, moon35 wrote:
>
>> Hello,
>>
>> I'm having some troubles with the Module LimitZone.
>> http://wiki.nginx.org/HttpLimitZoneModule
>>
>> I want to limit simultaneous connections per client (IP) with
>> "limit_conn" but it doesn't work with Varnish-cache, which is listening
>> on port 80, with nginx on 8080.
>>
>> To do some tests I put limit_conn to 1 and I tried to download two files
>> from my server
>> If I write this in my browser address bar:
>>  -> http://mydomain.tld:8080/file_to_dl.ext
>> it works of course (I got the error 503), but this:
>
> So nginx works as intended.
>
>>  -> http://mydomain.tld/file_to_dl.ext
>> doesn't work: I can download more than 1 file.
>>
>> I'm using php-fpm and $_SERVER['remote_addr'] gives the right client IP.
>>
>> Does anyone have a solution to my problem?
>
> The likely reason is that Varnish either doesn't pass your second
> request (or doesn't pass your requests at all, if it has the file
> in question cached) or it downloads the file faster than you are
> able to open a second connection.  This behaviour is expected for a
> frontend, but it breaks the limiting you are trying to do on a backend
> (nginx).
>
> I doubt you'll be able to solve this.  You need the frontend to do the
> limiting, i.e. either use nginx as a frontend, or use similar
> functionality in Varnish (no idea if one is available).

For this kind of perimeter rate limiting technique, you would
increment a header value in Varnish.
Set a custom header in vcl_recv, qualified or limited by the specific
directory or valuable asset, for the external IP to the value 1 for the
first request, which is allowed, and add a test to see if that flag
has been set; add vcl_error logic to redirect with a message, or send
403, if there are subsequent requests, i.e. if the custom header > 1,
or 100, or whatever you set as a limit threshold.

Stefan Caunter
http://scaleengine.com/contact

>
> Maxim Dounin
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
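The Varnish-side per-IP limit described in this thread, as an added example that is not from the thread or from either poster: it uses vmod_vsthrottle from varnish-modules (VCL 4.0 syntax, not the 2012-era VCL) instead of a request header, because a header set in vcl_recv exists only for that one request and cannot count across requests. The /downloads/ path, the one-request-per-10s threshold and the 127.0.0.1:8080 backend are assumptions.

```vcl
vcl 4.0;
import vsthrottle;   # from varnish-modules; not part of core Varnish

# Backend is the nginx instance on port 8080 from the thread (assumed on localhost).
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Give nginx the real client address so its own realip/limit modules
    # can key on the client rather than on Varnish's address.
    set req.http.X-Real-IP = client.ip;

    # Throttle only the valuable asset directory (assumed path).
    if (req.url ~ "^/downloads/") {
        # Count requests per client IP (client.identity defaults to the
        # client IP string). Deny once more than 1 request is seen in 10s.
        if (vsthrottle.is_denied("dl:" + client.identity, 1, 10s)) {
            return (synth(403, "Forbidden"));
        }
    }
}

sub vcl_synth {
    # Deliver the denial as a short plain-text page with a Retry-After hint.
    if (resp.status == 403) {
        set resp.http.Content-Type = "text/plain; charset=utf-8";
        set resp.http.Retry-After = "10";
        synthetic("Download limit exceeded for this address; try again later.");
        return (deliver);
    }
}
```

This throttles the request rate per client, the analogue of nginx limit_req rather than limit_conn; a concurrent-connection limit still has to be enforced on the component that terminates the client connection, which with Varnish in front is Varnish itself.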
