Forum: NGINX Whitelisting Req/Conn Limiting

SupaIrish (Guest)
on 2014-05-31 01:18
(Received via mailing list)
Hello!

I want to limit req/connections but have certain requests skip or be
whitelisted from the throttling. I've found some prior threads that got me
this, which I think is working. Here's just the relevant config. Is this
the best/correct way to do this? And if so, I don't really understand the
`1 ""` part of the map block. Can someone explain that? The map docs
(http://nginx.org/en/docs/http/ngx_http_map_module.html#map) aren't helping
me figure it out. Thanks!

http {
    map $whitelist $limit {
        default $binary_remote_addr;
        1 "";
    }

    limit_conn_zone $limit zone=conn_limit_per_ip:10m;
    limit_req_zone $limit zone=req_limit_per_ip:10m rate=5r/s;

    server {
        set $whitelist "";
        if ( $hostname = some_url.com ) {
            set $whitelist 1;
        }

        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=30 nodelay;
    }
}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250510,250510#msg-250510
B.R. (Guest)
on 2014-05-31 04:18
(Received via mailing list)
1°) To me, the map docs are fairly clear...
In short, the map directive works as follows:

With:
map $foo $bar {
"test1" "value1"
...
}

Whenever the value in $foo matches a value of the first column, $bar will
be set to the value of the second column, i.e.:
if $foo = "test1", then $bar <- "value1"

If $foo matches nothing, then either:
- there is a special value *default* in the first column, thus $bar will
be set to the corresponding value
- there is no *default* value, so $bar will be set to an empty string

2°) Now for the best way to write that, here are my thoughts:

Considering that:
- all servers share 'limit_conn_zone' and 'limit_req_zone' usage, except
for some hostname
- the 'if' directive must be avoided as much as possible
- 'limit_conn_zone' and 'limit_req_zone' work in 'http' context

I would try the following:
- put the 'limit_*_zone' directives at 'http' level, next to the 'map' one
- use 'server_name' in 'server' blocks to serve different hostnames
- put 'set whitelist 1' in all whitelisted 'server' blocks
- if necessary (unsure), put 'set whitelist ""' at 'http' level
---
*B. R.*
SupaIrish (Guest)
on 2014-06-01 11:03
(Received via mailing list)
Thanks for the reply.

1) Your explanation clarified my misunderstanding, much appreciated.

2) Your suggestion would make a lot of sense. But after reading your
response, I realized I wrote the check wrong in my example. I'm trying to
whitelist an inbound request from a specific server, not one that Nginx is
serving. Instead of $hostname I should be using $remote_addr and the IP of
the remote server I'm attempting to whitelist from the throttling. i.e.

if ( $remote_addr = XX.XXX.XXX.XXX ) {
    set $whitelist 1;
}

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,250510,250530#msg-250530
B.R. (Guest)
on 2014-06-01 14:11
(Received via mailing list)
I am glad my explanations were clear enough, though I doubt I said more
than the docs which, again, seem pretty clear to me.
You could make suggestions on how to improve the docs by quoting what you
think would benefit from being rephrased.

Based on my previous advice, you already know that using 'if' is
avoidable and recommended.
What do you think you could change to match your new needs?
At which level should the check be done?
How do you use variables so that only targeted environments are affected by
your conditional statement?

You could search the archives of the ML on the forum you are using, since map
configurations are a recurring question, and your use case has been
addressed multiple times in the past.

To increase your chances to gain help, please provide:
- details on the process you followed
- relevant bits of the configuration you achieved which bother you
- intel about searches/thinking you made
- precise questions/wondering you have
---
*B. R.*
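Editor's added example (not config from either poster): the whitelist rewritten so the client-IP check is done with a `geo` variable at `http` level instead of an `if` in the `server` block. The IP, network, hostname and document root are constructed placeholders; the `map` and zone names are the thread's own.

```nginx
# Added example, not the original poster's config. geo matches
# $remote_addr against address prefixes and needs no 'if' block.
events {}

http {
    # 192.0.2.10 and 198.51.100.0/24 are constructed placeholders for the
    # peers to exempt from throttling.
    geo $whitelist {
        default          0;
        192.0.2.10       1;
        198.51.100.0/24  1;
    }

    # Both limit modules skip accounting when the key is an empty string,
    # which is what the '1 ""' line in the map relies on.
    map $whitelist $limit {
        default $binary_remote_addr;
        1       "";
    }

    limit_conn_zone $limit zone=conn_limit_per_ip:10m;
    limit_req_zone  $limit zone=req_limit_per_ip:10m rate=5r/s;

    # Log throttled requests at 'warn' so rejections are visible in error.log.
    limit_req_log_level  warn;
    limit_conn_log_level warn;

    server {
        listen      80;
        server_name example.com;   # constructed placeholder

        limit_conn conn_limit_per_ip 10;
        limit_req  zone=req_limit_per_ip burst=30 nodelay;

        location / {
            root /var/www/html;    # constructed placeholder
        }
    }
}
```

Whitelisted clients never touch either zone, so the 10 MB tables hold only non-exempt addresses; run `nginx -t` after editing to confirm the `geo` block parses before reloading.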