Using http_limit_conn with a custom variable

Maxim Dounin mdounin at
Wed May 22 13:59:05 UTC 2013


On Tue, May 21, 2013 at 12:31:05PM -0700, Kevin Burke wrote:

> Hi,
> We're trying to use the limit_conn_zone directive to throttle incoming
> HTTP requests.
> We'd like to throttle based on the http basic auth variable
> ($remote_user), however, we must do processing on this value so the
> zone does not overflow with illegitimate values. Ideally we'd want to
> do something like
> set $safe_remote_user "";
> content_by_lua '
> -- Some code to filter $remote_user values, simplified to one line here
> ngx.var.safe_remote_user = $remote_user
> '
> limit_conn_zone $safe_remote_user zone:user 10m;
> However this runs into a problem that we can only set variables inside
> of the location context, but limit_conn_zone must be defined in the
> http context. So, as we understand it we cannot use a variable defined
> by lua in the limit_conn_zone directive. We were curious if anyone has
> run into this problem, and if there are workarounds that could help us
> solve this problem.

For variables processing independant on a particular request 
handling point there is the map{} and perl_set directives in 
nginx (see,  

Not sure if there is something similar in lua module, but map 
should be enough for a particula task.

With map you may do something like this:

    map $remote_user $limit {
        default      invalid;
        ~^[a-z0-9]+$ $remote_user;

This way only valid (according to a regex) user names are mapped 
to their own limits, while everything else maps to predefined 
value "invalid".

Maxim Dounin

More information about the nginx mailing list