On Mon, Jun 8, 2020 at 5:18 PM Stefano Tranquillini <stef...@chino.io> wrote:
> > > On Sun, Jun 7, 2020 at 11:11 PM Илья Шипицин <chipits...@gmail.com> wrote: > >> >> >> вс, 7 июн. 2020 г. в 19:59, Stefano Tranquillini <stef...@chino.io>: >> >>> Hello all, >>> >>> I'm moving to HA using it to replace NGINX and I've a question regarding >>> how to do a Rate Limiting in HA that enables queuing the requests instead >>> of closing them. >>> >>> I was able to limit per IP following those examples: >>> https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting/ . >>> However, when the limit is reached, the users see the error and connection >>> is closed. >>> >>> Since I come from NGINX, it has this handy feature >>> https://www.nginx.com/blog/rate-limiting-nginx/ where connections that >>> exceed the threshold are queued. Thus the user will still be able to do the >>> calls but be delayed without him getting errors and keep the overall number >>> of requests within threshold. >>> >>> Is there anything similar in HA? It should limit/queueing the user by >>> IP. >>> >>> To explain with an example, we have two users Alice, with ip A.A.A.A >>> and Bob with ip B.B.B.B The threshold is 30r/minute. >>> >>> So in 1 minute: >>> >>> - Alice does 20 requests. -> that's fine >>> - Bob does 60 requests. -> the system caps the requset to 30 and >>> then process the other 30 later on (maybe also adding timeout/delay) >>> - Alice does 50 request -> the first 40 are fine, the next 10 are >>> queued. >>> - Bob does 20 requests -> they are queue after the one above. >>> >>> I saw that it can be done in general, by limiting the connections per >>> host. But this will mean that it's cross IP and thus, if 500 is the limit >>> - Alice does 1 call >>> - Bob does 1000 calls >>> - Alice does another 1 call >>> - Alice will be queued, that's not what i would like to have. >>> >>> is this possible? Is there anything similar that can be done? >>> >> >> it is not cross IP. I wish nginx docs would be better on that. >> > What do you mean? > in nginx i do > limit_req_zone $binary_remote_addr zone=prod:10m rate=40r/m; > and works > What works? I don't see how that helps if both users are behind the same IP address as only the IP address is taken at the rate limit logic? > > first, in nginx terms it is limited by zone key. you can define key using >> for example $binary_remote_addr$http_user_agent$ssl_client_ciphers >> that means each unique combination of those parameters will be limited by >> its own counter (or you can use nginx maps to construct such a zone key) >> >> in haproxy you can see and example of >> >> # Track client by base32+src (Host header + URL path + src IP) >> http-request track-sc0 base32+src >> >> which also means key definition may be as flexible as you can imagine. >> > > the point is, how can i cap the number of requests for a single user to > 40r/minute for example? or any number. > And the point that others are trying to make is you need to have something in your request that you can use to distinguish one user from another. Like Authentication header, JWT token or userID maybe in your query string etc. Then you can use that "unique" value to build your hash similar to what has been shown above to create your rate limit table key.
