Hi, Li,
Both of these are great questions, let me try to answer the first one.
> What is the security concern when customizing the key?
> For example, I want to use uri as the key to prevent an expensive
> endpoint from being exhausted. Is there any security concern to use
> uri as the key? Is it possible to have many requests with different
> uri to exhaust my memory?
First of all, it is clear that there will be no memory leaks and no data
security issues such as data leaks.
The reason why the key is restricted here is to *prevent user* *abuse*.
In fact, the `key` here can be any nginx variable. But being too flexible
will bring side effects:
if a user specifies a non-existent nginx variable, it cannot be detected
during API setting and schema verification, and can only be discovered at
runtime, which is a hidden danger of development.
Thanks,
Ming Wen, Apache APISIX PMC Chair
Twitter: _WenMing
Li Yang <[email protected]> 于2021年9月9日周四 下午5:48写道:
> Hey mates,
>
> Apache APISIX has an official plugin limit-conn, and from the document
> there is one line stated: "Key can be customized by the user, only
> need to modify a line of code of the plug-in to complete. It is a
> security consideration that is not open in the plugin."
>
> What is the security concern when customizing the key?
> For example, I want to use uri as the key to prevent an expensive
> endpoint from being exhausted. Is there any security concern to use
> uri as the key? Is it possible to have many requests with different
> uri to exhaust my memory?
>
> Another question is about the delay, from the code, delay is
> implemented with a sleep
>
> https://github.com/apache/apisix/blob/master/apisix/plugins/limit-conn/init.lua#L78
> ,
> will that cause a connection being occupied during the delay? So if we
> configure a delay too big, eg. 30 seconds, will it cause many
> connections to be occupied? Will it cause stability problems?
>
