Rate Limit not applied when mapping $upstream_http_ headers
Maxim Dounin
mdounin at mdounin.ru
Fri Oct 1 17:33:40 UTC 2021
Hello!

On Fri, Oct 01, 2021 at 10:47:01AM +0200, Markus Grobelin wrote:

> Hi everybody,
>
> I have a reverse-proxy setup with an upstream application that
> sets a header (x_tenant_id).
>
> Based on that header's value, I want to apply a rate limit to
> clients.
>
> I verified the rate limit applies* properly, when a usual
> request header (e.g. $http_x_tenant_id) is mapped. However the
> config below does not map $upstream_http_x_tenant_id** at all.
>
> Any advice how to achieve rate limiting using such
> $upstream_http_ headers?

Request rate limiting, as configured with the limit_req rate
directive (not to be confused with response transmission rate
limiting, limit_rate), happens before processing a request, that
is, before the request is sent to the upstream server and a
response is received. As such, you cannot rely on variables only
available when a response is received from the upstream server,
such as $upstream_http_* variables.

If you want to reject requests based on the information only
available on the upstream server, the best solution might be to
actually reject requests on the upstream server. If you have to
do it on nginx for some reason, it should be possible to configure
things using X-Accel-Redirect redirections, though this is going to
be a complex configuration, and it will do two upstream requests
instead of just one. A better approach might be to re-think your
limiting configuration to use something directly available from
the request.

--
Maxim Dounin
http://mdounin.ru/
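
An added example, not part of the original message and not the poster's configuration: a sketch of the last suggestion in the reply, keying the limit on data available from the request. Zone names, rates, the listen port, the location and the upstream address are assumptions; the block belongs in the http context.

```nginx
# Added example; zone names, rates and addresses are assumptions.

# Does NOT limit anything: limit_req is evaluated before the request is
# sent to the upstream server, so $upstream_http_x_tenant_id is still
# empty at that point, and limit_req_zone does not account requests
# whose key is empty.
# limit_req_zone $upstream_http_x_tenant_id zone=tenant_up:10m rate=10r/s;

# Works: the key is taken from the request itself.
limit_req_zone $http_x_tenant_id zone=per_tenant:10m rate=10r/s;

# A request header is client-controlled and may be absent (empty key,
# not accounted), so a per-address zone is kept as a second limit.
limit_req_zone $binary_remote_addr zone=per_addr:10m rate=20r/s;

server {
    listen 80;

    location / {
        # Both limits apply; the request is rejected if either is exceeded.
        limit_req zone=per_tenant burst=20 nodelay;
        limit_req zone=per_addr   burst=40 nodelay;
        limit_req_status 429;

        proxy_pass http://127.0.0.1:8080;
    }
}
```

Because the tenant key here comes from a header the client sends, it is only as trustworthy as whatever sets that header; the per-address zone bounds clients that omit or vary it.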