How to rate limit GRPC connections based on authorization (bearer) token in Nginx Ingress?

Sergey A. Osokin osa at freebsd.org.ru
Wed May 5 20:09:40 UTC 2021


Hi there,

hope you're doing well.

Please correct me if I wrong, but this looks like a manifest file for
NGINX Ingress Controller from Kubernetes project itself, i.e.
https://kubernetes.github.io/ingress-nginx/, and if so I'd recommend
to switch to NGINX Ingress Controller for Kubernetes, please visit
https://github.com/nginxinc/kubernetes-ingress/ to get more details.

-- 
Sergey Osokin

On Wed, May 05, 2021 at 03:43:46PM -0400, bobbidinho wrote:
> I am trying to rate limit number GRPC connections based on a token included
> in the Authorization header. I tried the following settings in the Nginx
> configmap and Ingress annotation but Nginx rate limiting is not working.
> 
> ```
> ---
> apiVersion: v1
> kind: ConfigMap
> metadata:
>   name: nginx-ingress-controller
>   namespace: default
> data:
>   http-snippet: |
>     limit_req_zone $http_authorization zone=zone-1:20m rate=10r/m;
>     limit_req_zone $http_token zone=zone-2:20m rate=10r/m;
> 
> apiVersion: extensions/v1beta1
> kind: Ingress
> metadata:
>   annotations:
>     kubernetes.io/ingress.class: nginx
>     nginx.ingress.kubernetes.io/backend-protocol: GRPC
>     nginx.ingress.kubernetes.io/configuration-snippet: |
>       limit_req zone=zone-1;
>       limit_req_log_level notice;
>       limit_req_status 429;
> ```
> I try to have Nginx Ingress Controller to rate limit the GRPC/HTTP2 stream
> connection based on the value in the $http_authorization variable. I have
> modified the Nginx log_format to log the $http_authorization value and
> observe that Nginx receives the value. The problem I am facing is that for
> some reason the rate limiting rule doesn't get triggered.
> 
> Is this the correct approach?
> 
> Any help and feedback would be much appreciated!

-- 
Sergey Osokin


More information about the nginx mailing list