how to configure request rate limiting by Kerberos authenticated user?
Nica, George
gheorghe.nica at bofa.com
Wed Aug 5 21:21:42 UTC 2020
Hi,
We are currently using "limit_req_zone $binary_remote_addr" for rate limiting. However, some of our users are connecting from more than one IP address, using clients running on computer grids.
We wanted to do request rate limiting by authenticated user (in addition to the existing one by $binary_remote_addr).
Is there any way we could do request rate limiting based on authenticated user?
We use Kerberos for authentication, using ngx_http_auth_spnego_module (https://github.com/stnoonan/spnego-http-auth-nginx-module).
We tried "limit_req_zone $remote_user zone=user:10m rate=20r/s;" and "limit_req zone=user burst=20;" but the key was apparently empty - all requests, from all users, were getting limited (all bunched under one key). However, interestingly, $remote_user is passed fine to the upstream using "proxy_set_header X-Forwarded-User $remote_user;"... Apparently $remote_user only works for request limiting when using basic authentication.
Thank you for any suggestions/pointers.
Best,
George
----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20200805/b04674c5/attachment.htm>
More information about the nginx
mailing list