HttpLimitZoneModule + Varnish (frontend)

dubstep · January 21, 2012, 6:45pm

Hello,

I’m having some troubles with the Module LimitZone.
http://wiki.nginx.org/HttpLimitZoneModule

I want to limit simultaneous connections per client (IP) with
“limit_conn” but it doesn’t work with Varnish-cache which is listening
to port 80 and NginX: 8080

To do some tests I put limit_conn to 1 and I tried to download two files
from my server
If I write this on my browser adress bar :
-> http://mydomain.tld:8080/file_to_dl.ext
it works of course (I got the error 503) but this :
-> http://mydomain.tld/file_to_dl.ext
doesn’t work: I can download more than 1 file.

I’m using php-fpm and $_SERVER[‘remote_addr’] give the right Client IP

Does anyone have a solution to my problem ?
Thanks in advance.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,221508,221508#msg-221508

moon35 · January 22, 2012, 10:44pm

Hello!

On Sat, Jan 21, 2012 at 12:45:02PM -0500, moon35 wrote:

from my server
If I write this on my browser adress bar :
-> http://mydomain.tld:8080/file_to_dl.ext
it works of course (I got the error 503) but this :

So nginx works as intended.

-> http://mydomain.tld/file_to_dl.ext
doesn’t work: I can download more than 1 file.

I’m using php-fpm and $_SERVER[‘remote_addr’] give the right Client IP

Does anyone have a solution to my problem ?

Likely reason is that Varnish either doesn’t pass your second
request (or doesn’t pass your requests at all, if it has the file
in question cached) or it downloads the file faster that you are
able to open second connection. This behaviour is expected for a
frontend, but it breaks limiting you are trying to do on a backend
(nginx).

I doubt you’ll be able solve this. You need frontend to do the
limiting, i.e. either use nginx as a frontend, or use similar
functionality in Varnish (no idea if one is available).

Maxim D.

moon35 · January 23, 2012, 3:42pm

Thanks a lot for your reply.
Unfortunately, according to what I read (on the internet) there is no
way to limit connections per client with varnish so I think I will
simply remove it.
Thanks again.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,221508,221541#msg-221541

moon35 · January 24, 2012, 8:56am

On Sun, Jan 22, 2012 at 4:43 PM, Maxim D. [email protected]
wrote:

“limit_conn” but it doesn’t work with Varnish-cache which is listening
-> http://mydomain.tld/file_to_dl.ext
frontend, but it breaks limiting you are trying to do on a backend
(nginx).

I doubt you’ll be able solve this. You need frontend to do the
limiting, i.e. either use nginx as a frontend, or use similar
functionality in Varnish (no idea if one is available).

For this kind of perimeter rate limiting technique, you would
increment a header value in varnish.
Set a custom header in vcl_recv, qualified or limited by the specific
directory or valuable asset, for the external IP to value 1 for the
first request, which is allowed, and add a test to see if that flag
has been set; add vcl_error logic to redirect with message, or send
403, if there are subsequent requests, i.e. if the custom header > 1,
or 100, or whatever you set as a limit threshold.

Stefan C.
http://scaleengine.com/contact

moon35 · March 25, 2012, 6:55pm

Extended description of HttpLimitZoneModule and HttpLimitReqModule usage
with examples and how to exclude a whitelist of IPs can be found here
http://gadelkareem.com/2012/03/25/limit-requests-per-ip-on-nginx-using-httplimitzonemodule-and-httplimitreqmodule-except-whitelist/

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,221508,224347#msg-224347