How to use cookie for request/connection limiting

Hi,
I’d like to limit connections and/or requests based on cookies.

Is it possible to do it with something like this:

limit_req_zone $cookie_somename zone=one:10m rate=1r/s;

?

The only thing I’ve found is
http://hg.mperillo.ath.cx/nginx/mod_parsed_vars/file/70df16b39e79/README
but this module has not been updated for 2 years.

Thanks
Alex

Posted at Nginx Forum:

On Thu, Oct 29, 2009 at 08:20:57PM -0400, piavlo wrote:

> but this module has not been updated for 2 years.

You may use $cookie_somename since 0.7.22 and 0.6.36.
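As an added example (not from the thread and not nginx's own documentation), this is what the original question's one-liner becomes once the case of a client that has no cookie yet is handled. The cookie name PHPSESSID, the zone names and the backend address are assumptions, and the directives are the current ones (limit_conn_zone rather than the older limit_zone).

```nginx
# Request and connection limiting keyed on a session cookie (added example,
# not from the thread or the nginx documentation). The cookie name PHPSESSID,
# the zone names and the backend address are assumptions.
#
# Both limiters skip requests whose key is empty, so a client that has not
# been given a cookie yet would not be counted at all. Fall back to the client
# address for those requests so that they are still accounted.
map $cookie_PHPSESSID $limit_key {
    ""      $binary_remote_addr;   # no session cookie yet: key on address
    default $cookie_PHPSESSID;     # otherwise: key on the session id
}

# Shared-memory zones. A session id is far longer than the 4-byte
# $binary_remote_addr, so each state takes more room; size the zones for
# the number of concurrent sessions, not the number of client addresses.
limit_req_zone  $limit_key zone=req_per_session:10m rate=1r/s;
limit_conn_zone $limit_key zone=conn_per_session:10m;

server {
    listen 80;
    server_name app.example.com;   # placeholder

    location / {
        # Up to 5 queued requests above 1r/s; beyond that nginx answers 503
        # (the default status) instead of passing the request upstream.
        limit_req  zone=req_per_session burst=5;
        # At most 10 simultaneous connections per session id (or address).
        limit_conn conn_per_session 10;

        proxy_pass http://127.0.0.1:8080;   # the PHP application, assumed
    }
}
```

The fallback is what stops a client from opting out of limiting by simply not sending the cookie. It does nothing against a client that sends a made-up cookie value of its own, which is why the value used as the key has to be something the application can vouch for.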

On Oct 29, piavlo wrote:

> but this module has not been updated for 2 years.

Are you trying to limit genuine or malicious users? A malicious user can
always circumvent the limits by creating his own cookies and sending
them.

anomalizer Wrote:

> Are you trying to limit genuine or malicious users? A malicious user can
> always circumvent the limits by creating his own cookies and sending
> them.

Genuine users of a specific application - this is why I thought that the session
should be the most reliable way. The other option
is to limit by IP, but AFAIU this is not good in case several users are
connecting from behind the same proxy.
Could you recommend other options?

Thanks


Hello!

On Fri, Oct 30, 2009 at 06:24:00PM -0400, piavlo wrote:

> Igor S. Wrote:
>
> > You may use $cookie_somename since 0.7.22 and 0.6.36.
>
> Great, but it’s a pity I could not find it in the documentation (and I was reading the Russian one - which is supposed to be the most comprehensive).

Well, probably you should try again. If you are still unable to, here are
the closest links:

http://wiki.nginx.org/NginxHttpCoreModule#.24cookie_COOKIE
http://sysoev.ru/nginx/docs/http/ngx_http_core_module.html#variables

Maxim D.

Igor S. Wrote:

> You may use $cookie_somename since 0.7.22 and 0.6.36.

Great, but it’s a pity I could not find it in the documentation (and I was
reading the Russian one - which is supposed to be the most comprehensive).

Thanks


On Oct 30, piavlo wrote:

> should be most reliable way. The other option is to limit by IP but
> AFAIU this is not good in case several users are connecting from behind
> the same proxy. Could you recommend other options?

You need some sort of a way to ensure that the per user token (in this
case session id in a cookie) was actually issued by you. The token
should have the following properties:

  • Computationally inexpensive to check if you had issued the token

  • Computationally prohibitive for others to create a token that will
    pass the test above

Failure to produce a legitimate token by the user should result in an HTTP
403.
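
The two properties above (cheap for the issuer to check, prohibitive for anyone else to forge) are what a keyed hash over the session id gives you. As an added example that is not from the thread and not the application's or nginx's own code, the configuration below has nginx check an application-issued signature with ngx_http_secure_link_module before the limiter ever sees the request, and refuses with 403 when the signature is missing or wrong. Cookie names sid and sig, the SHARED_SECRET placeholder, the zone name and the backend address are assumptions; the syntax is that of a current nginx built with that module.

```nginx
# Verifying that a session cookie was issued by the application before the
# request reaches the rate limiter (added example, not from the thread).
# Cookie names sid/sig, SHARED_SECRET and the backend address are
# assumptions; requires nginx built with ngx_http_secure_link_module.
#
# The application sets two cookies alongside each other:
#   sid = its session id (must not contain ':')
#   sig = base64url( md5( "<sid>|<SHARED_SECRET>" ) )
# where base64url is standard base64 with '+' -> '-', '/' -> '_' and the
# trailing '=' padding removed, which is the form secure_link_md5 compares
# against. SHARED_SECRET is a placeholder for a long random value known only
# to the application and this file.

# Clients with no session yet are limited by address instead.
map $cookie_sid $limit_key {
    ""      $binary_remote_addr;
    default $cookie_sid;
}

limit_req_zone $limit_key zone=per_session:10m rate=1r/s;

# Decide whether to refuse the request:
#   ":"           -> no session cookie: accept, limited by address
#   "<sid>:1"     -> sid with a matching signature: accept
#   anything else -> sid with a missing or wrong signature: refuse
map "$cookie_sid:$secure_link" $reject_forged {
    "~^:"          0;
    "~^[^:]+:1$"   0;
    default        1;
}

server {
    listen 80;
    server_name app.example.com;   # placeholder

    location / {
        # $secure_link becomes "1" when $cookie_sig equals the md5 of the
        # expression below and "" otherwise. Checking costs one MD5 per
        # request; producing a matching sig without the secret does not.
        secure_link     $cookie_sig;
        secure_link_md5 "$cookie_sid|SHARED_SECRET";

        # This runs in the rewrite phase, before limit_req (preaccess phase),
        # so a client cannot choose its own limiter key by sending an
        # arbitrary sid: an unsigned sid never reaches the limiter.
        if ($reject_forged) {
            return 403;
        }

        limit_req zone=per_session burst=5 nodelay;
        proxy_pass http://127.0.0.1:8080;   # the PHP application, assumed
    }
}
```

secure_link_md5 is an MD5 over the cookie value and a secret, not an HMAC, so its strength rests entirely on the secret being long, random and kept out of reach; rotating it means changing the application and this file together. The check proves only that the application issued the pair, not who is presenting it, which is exactly the property asked for above. Adding $secure_link_expires to the expression, together with a matching expiry cookie, would additionally bound how long a copied pair stays usable.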

anomalizer Wrote:

> user token (in this case session id in a cookie) was actually issued
> by you.

The web application which I need to throttle is a PHP one. I’m not a
PHP coder and only slightly familiar with PHP - can I assign a custom
algorithm to PHP session id generation?
Also, how can I verify the session id inside nginx? Should I write
special verification code in nginx embedded Perl?

> Failure to produce a legitimate token by the user should result in an
> HTTP 403.

Now that I think about cookie based limiting again - it’s not clear to
me how new client connections will be handled by
the connection/request limiting modules before the application assigns
them a valid cookie?

Thanks


Hello!

On Sat, Oct 31, 2009 at 06:27:21PM -0400, piavlo wrote:

> http://wiki.nginx.org/NginxHttpCoreModule#.24cookie_COOKIE
> http://sysoev.ru/nginx/docs/http/ngx_http_core_module.html#variables
>
> Indeed I overlooked it.
>
> It is not clear to me if any nginx builtin variable is accessible inside any module directive (which uses variables).
> I mean there are several phases in HTTP request processing (like I saw here: catap's blog ~ nginx: phases of HTTP request processing) - and it’s not clear to me at which phase the $cookie_name is generated (or any other variable) and whether it’s generated after or before the limit_req_zone/limit_zone directives are processed?

Variable $cookie_name is available as soon as nginx has Cookie
header from client. It happens before request processing phases.

Maxim D.

On Oct 31, piavlo wrote:

> anomalizer Wrote:
>
> Now that I think about cookie based limiting again - it’s not clear to
> me how new client connections will be handled by the
> connection/request limiting modules before the application assigns
> them a valid cookie?

Excellent point. You can never rate limit the connects. You always have
to accept the connection, inspect the cookie and then decide if you want
to service the request or not. The rate limiting is enforced at an
application level and not at a network level.

Maxim D. Wrote:

> http://sysoev.ru/nginx/docs/http/ngx_http_core_module.html#variables

Indeed I overlooked it.

It is not clear to me if any nginx builtin variable is accessible
inside any module directive (which uses variables).
I mean there are several phases in HTTP request processing (like I saw
here: catap's blog ~ nginx: phases of HTTP request processing) - and
it’s not clear to me at which phase the $cookie_name is generated (or any
other variable) and whether it’s generated after or before the
limit_req_zone/limit_zone directives are processed?

Thanks
Alex
