> What is the security concern when customizing the key?

A previous concern is that when the key is evaluated to empty, all requests will hit the same limitations. Personally, I think it can be avoided by using remote_addr as the default key. We already do the same thing with the chash key.

> So if we configure a delay too big, eg. 30 seconds, will it cause many connections to be occupied

The configured delay will act as a hint to hang up some connections for a given time, so that we don't serve too many connections at the same time. Therefore, if you need to configure a delay, it is better to configure it to your average request time.

Li Yang <[email protected]> wrote on Thursday, September 9, 2021 at 5:48 PM:
>
> Hey mates,
>
> Apache APISIX has an official plugin limit-conn, and from the document
> there is one line stated: "Key can be customized by the user, only
> need to modify a line of code of the plug-in to complete. It is a
> security consideration that is not open in the plugin."
>
> What is the security concern when customizing the key?
> For example, I want to use uri as the key to prevent an expensive
> endpoint from being exhausted. Is there any security concern to use
> uri as the key? Is it possible to have many requests with different
> uri to exhaust my memory?
>
> Another question is about the delay, from the code, delay is
> implemented with a sleep
> https://github.com/apache/apisix/blob/master/apisix/plugins/limit-conn/init.lua#L78,
> will that cause a connection being occupied during the delay? So if we
> configure a delay too big, eg. 30 seconds, will it cause many
> connections to be occupied? Will it cause stability problems?
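
The empty-key concern and the remote_addr fallback discussed in this thread can be seen in a small model. This is an added example, not code from the thread or from APISIX; `ConnLimiter`, `resolve_key`, `simulate`, the `http_x_api_key` variable and the sample requests are hypothetical and constructed for illustration.

```python
from collections import defaultdict


class ConnLimiter:
    """Toy per-key concurrent-connection limit with a conn + burst ceiling."""

    def __init__(self, conn, burst):
        self.conn, self.burst = conn, burst
        self.in_flight = defaultdict(int)  # key -> connections currently open

    def incoming(self, key):
        if self.in_flight[key] + 1 > self.conn + self.burst:
            return "rejected"
        self.in_flight[key] += 1
        # Above conn but within burst: the request is held back (delayed).
        return "delayed" if self.in_flight[key] > self.conn else "ok"


def resolve_key(request, key_var, fallback_to_remote_addr):
    """Return the limiter key; optionally fall back when it evaluates to empty."""
    value = request.get(key_var) or ""
    if value == "" and fallback_to_remote_addr:
        return request["remote_addr"]
    return value


def simulate(fallback_to_remote_addr):
    limiter = ConnLimiter(conn=2, burst=1)
    # Constructed input: no request carries the variable used as the key.
    # One client opens five concurrent connections, then a second client arrives.
    requests = [{"remote_addr": "10.0.0.1"}] * 5 + [{"remote_addr": "10.0.0.2"}]
    return [
        limiter.incoming(resolve_key(r, "http_x_api_key", fallback_to_remote_addr))
        for r in requests
    ]


if __name__ == "__main__":
    # Empty key: every request shares one bucket, so the second client is rejected.
    print("no fallback:", simulate(False))
    # Fallback to remote_addr: the second client gets its own bucket.
    print("fallback:   ", simulate(True))
```

Without the fallback, the last request from 10.0.0.2 is rejected because it shares the empty-key bucket with 10.0.0.1; with the fallback it is admitted.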
