I want to limit simultaneous connections per client (IP) with
“limit_conn” but it doesn’t work with Varnish-cache which is listening
to port 80 and NginX: 8080
To do some tests I put limit_conn to 1 and I tried to download two files
from my server
If I write this in my browser address bar:
-> http://mydomain.tld:8080/file_to_dl.ext
it works of course (I get the error 503), but this:
-> http://mydomain.tld/file_to_dl.ext
doesn’t work: I can download more than 1 file.
I’m using php-fpm and $_SERVER['remote_addr'] gives the right client IP.
Does anyone have a solution to my problem?
Thanks in advance.
The likely reason is that Varnish either doesn’t pass your second
request (or doesn’t pass your requests at all, if it has the file
in question cached) or it downloads the file faster than you are
able to open a second connection. This behaviour is expected for a
frontend, but it breaks the limiting you are trying to do on a backend
(nginx).
I doubt you’ll be able to solve this. You need the frontend to do the
limiting, i.e. either use nginx as a frontend, or use similar
functionality in Varnish (no idea if one is available).
Thanks a lot for your reply.
Unfortunately, according to what I read (on the internet) there is no
way to limit connections per client with varnish so I think I will
simply remove it.
Thanks again.
For this kind of perimeter rate limiting technique, you would
increment a header value in varnish.
Set a custom header in vcl_recv, qualified or limited by the specific
directory or valuable asset, for the external IP to value 1 for the
first request, which is allowed, and add a test to see if that flag
has been set; add vcl_error logic to redirect with message, or send
403, if there are subsequent requests, i.e. if the custom header > 1,
or 100, or whatever you set as a limit threshold.
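Added example, not from this thread: a VCL 4.1 fragment that enforces a per-client-IP limit at the Varnish frontend, where the replies above say the limit has to live. It assumes the vsthrottle vmod from varnish-modules is installed, nginx as the backend on 127.0.0.1:8080, and a /downloads/ path; it limits request rate per IP over a window rather than simultaneous connections as limit_conn does, and it keeps the counter in the vmod's memory because a value set in a request header does not carry over to the client's next request.

```vcl
vcl 4.1;

# Assumption: vsthrottle from varnish-modules is installed.
import vsthrottle;

# Assumption: nginx listens on 8080 behind Varnish.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

sub vcl_recv {
    # Apply the limit only to the valuable asset directory (assumed path).
    if (req.url ~ "^/downloads/") {
        # Key on the client address; allow at most 5 requests per IP
        # to this path in any 10 second window. Cached hits are counted
        # too, because this runs before the cache lookup.
        if (vsthrottle.is_denied("dl:" + client.ip, 5, 10s)) {
            return (synth(429, "Too Many Requests"));
        }
    }
}

sub vcl_synth {
    # Tell well-behaved clients when to retry; others just see the 429.
    if (resp.status == 429) {
        set resp.http.Retry-After = "10";
        return (deliver);
    }
}
```

If another proxy sits in front of Varnish, client.ip is that proxy's address and the key must be taken from a trusted forwarded-for header instead.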