Forum: NGINX limit_zone: Using other variables than $binary_remote_addr

Steffen Weber (Guest)
on 2009-01-14 11:44
(Received via mailing list)
I want to restrict the number of connections people can have to our
download server. Limiting the concurrent connections by ip address is
not very useful, because if I only allow 1 connection per ip address
then a user cannot download multiple files at once. And if I allow n > 1
connections per IP address, then some download managers will create
multiple connections and other users complain about fairness.

Currently one can use the limit_zone module to restrict the number of
concurrent connections per ip address. An interesting use case would be
to use some token in the URL (for example a GET parameter or a part of
the requested path) instead of the ip address as the limit_zone
$variable mentioned in the wiki:

For example if I hand out the URL{SOME_MD5_SUM} to a client I do not
want to allow more than one concurrent connection that uses the given
token. Is this currently possible in nginx? If yes, then which $variable
do I have to use in the limit_zone directive?

Of course, I would have to verify that the token is one that I have
given to the client and that it has not been constructed arbitrarily.
But this can be easily solved with a little PHP and the excellent
"X-Accel-Redirect" header that nginx supports.

Kind regards
Steffen Weber
Denis Filimonov (Guest)
on 2009-01-14 11:57
(Received via mailing list)
You can use any variable in limit_zone, e.g.,

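# http context: zone "one" keyed on $my_var, 10 MB of shared memory
limit_zone   one  $my_var  10m;
server {
   set $my_var <whatever>;
   # at most 1 concurrent connection per distinct $my_var value
   limit_conn   one  1;
}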
Steffen Weber (Guest)
on 2009-01-14 16:38
(Received via mailing list)
Thanks! And just in case anybody is still unsure what to do in my case
(GET parameter "hash") I was able to use

limit_zone downloads $arg_hash 10m;

Steffen Weber (Guest)
on 2009-01-14 17:41
(Received via mailing list)
One further question: Can I somehow prevent that the requests denied by
limit_zone end up in my access log? Some download managers are quite
aggressive and flood the log.

It would be okay if all requests denied with a 503 response code were
not logged. I think this should be possible by making the "access_log"
directive conditional (using an if clause). But I have not found a
suitable variable that I could use in the condition.
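
Added example (not part of the thread and not any poster's configuration): the setup discussed above written for current nginx, where limit_zone was made obsolete in 1.1.8 and removed in 1.7.6 in favour of limit_conn_zone, and where access_log accepts an if= parameter (1.7.0 and later). The paths, the zone name, the FastCGI address and the download.php script are assumptions.

```nginx
# Added example; paths, names and the backend address are assumptions.
http {
    # Current form of "limit_zone downloads $arg_hash 10m;".
    # Requests with an empty key (no ?hash=) are NOT counted, so the
    # backend must reject them instead of relying on the limit.
    limit_conn_zone $arg_hash zone=downloads:10m;

    # $loggable is 0 for 503 responses, which is the default status
    # nginx returns when limit_conn rejects a request.
    map $status $loggable {
        503     0;
        default 1;
    }

    server {
        listen 80;

        # Log everything except responses where $loggable is "0" or empty.
        access_log /var/log/nginx/access.log combined if=$loggable;

        # Public entry point. The script checks that ?hash= is a token
        # the site actually issued, then answers with the header
        #   X-Accel-Redirect: /protected/<file>
        # An invented hash gets its own counter but never gets a file.
        location /download {
            limit_conn downloads 1;   # one connection per token

            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /srv/app/download.php;
            fastcgi_pass  127.0.0.1:9000;
        }

        # Reachable only through X-Accel-Redirect, never directly, so
        # the token check in /download cannot be skipped.
        location /protected/ {
            internal;
            alias /srv/files/;
        }
    }
}
```

The map drops every 503 from the access log, including ones caused by a failing backend, which matches the "all requests denied with a 503" condition in the question; rejections by limit_conn are still written to the error log.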
