HttpLimitZoneModule + Varnish (frontend)
stef at scaleengine.com
Tue Jan 24 07:55:35 UTC 2012
On Sun, Jan 22, 2012 at 4:43 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> On Sat, Jan 21, 2012 at 12:45:02PM -0500, moon35 wrote:
>> I'm having some troubles with the Module LimitZone.
>> I want to limit simultaneous connections per client (IP) with
>> "limit_conn" but it doesn't work with Varnish-cache which is listening
>> to port 80 and NginX: 8080
>> To do some tests I put limit_conn to 1 and I tried to download two files
>> from my server
>> If I write this in my browser address bar:
>> -> http://mydomain.tld:8080/file_to_dl.ext
>> it works of course (I got the error 503) but this :
> So nginx works as intended.
>> -> http://mydomain.tld/file_to_dl.ext
>> doesn't work: I can download more than 1 file.
>> I'm using php-fpm and $_SERVER['remote_addr'] gives the right client IP.
>> Does anyone have a solution to my problem?
> Likely reason is that Varnish either doesn't pass your second
> request (or doesn't pass your requests at all, if it has the file
> in question cached) or it downloads the file faster than you are
> able to open a second connection. This behaviour is expected for a
> frontend, but it breaks the limiting you are trying to do on a backend.
> I doubt you'll be able to solve this. You need a frontend to do the
> limiting, i.e. either use nginx as a frontend, or use similar
> functionality in Varnish (no idea if one is available).
For this kind of perimeter rate limiting technique, you would
increment a header value in varnish.
Set a custom header in vcl_recv, qualified or limited by the specific
directory or valuable asset, for the external IP to value 1 for the
first request, which is allowed, and add a test to see if that flag
has been set; add vcl_error logic to redirect with message, or send
403, if there are subsequent requests, i.e. if the custom header > 1,
or 100, or whatever you set as a limit threshold.
> Maxim Dounin
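The frontend-side limit described in this thread, as an added example that is not from the post above or from the nginx or Varnish projects. Plain VCL cannot keep a per-client counter across requests in a header (each request starts with its own headers), so this example swaps in the vsthrottle vmod from varnish-modules, which keeps that state internally; it assumes Varnish 4 or later with varnish-modules installed, nginx on 127.0.0.1:8080 as in the thread, and a hypothetical /downloads/ prefix for the assets being protected. Note the caveat that vsthrottle is a request-rate limit (token bucket per key), not a concurrent-connection limit like nginx's limit_conn, so "1 request per 10 seconds" below is the closest analogue, not the same thing.

```vcl
vcl 4.0;
import vsthrottle;

# Backend nginx as in the original thread (Varnish on :80, nginx on :8080).
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Only the valuable asset directory is limited (hypothetical prefix).
    # The limit is checked on every request, before any cache lookup, so
    # cache hits count too; that is the property a backend limiter lacks.
    if (req.url ~ "^/downloads/") {
        # client.identity defaults to the client IP address; Varnish is the
        # outermost proxy here, so it is the real remote address.
        # Allow 1 request per 10 seconds per client; deny beyond that.
        if (vsthrottle.is_denied(client.identity, 1, 10s)) {
            return (synth(429, "Too Many Requests"));
        }
    }
}

sub vcl_synth {
    # Deliver a short synthetic response for the throttled case.
    if (resp.status == 429) {
        set resp.http.Retry-After = "10";
        set resp.http.Content-Type = "text/plain";
        synthetic("Rate limit exceeded; try again later.");
        return (deliver);
    }
}
```

Keeping the limit on cache hits is the point: with the check in vcl_recv the second download is refused whether or not Varnish already holds the file, whereas the backend limit_conn in the thread only ever sees the cache misses that reach nginx. The 429 status and Retry-After header are a choice; the 403 from the post above works the same way with resp.status == 403.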