limit_zone: Using other variables than $binary_remote_addr

Posted by Steffen Weber 
Steffen Weber
limit_zone: Using other variables than $binary_remote_addr
January 14, 2009 11:55AM
I want to restrict the number of connections people can have to our
download server. Limiting the concurrent connections by ip address is
not very useful, because if I only allow 1 connection per ip address
then a user cannot download multiple files at once. And if I allow n > 1
connections per IP address, then some download managers will create
multiple connections and other users complain about fairness.

Currently one can use the limit_zone module to restrict the number of
concurrent connections per ip address. An interesting use case would be
to use some token in the URL (for example a GET parameter or a part of
the requested path) instead of the ip address as the limit_zone
$variable mentioned in the wiki:
http://wiki.codemongers.com/NginxHttpLimitZoneModule

For example if I hand out the URL
http://example.org/file.zip?token={SOME_MD5_SUM} to a client I do not
want to allow more than one concurrent connection that uses the given
token. Is this currently possible in nginx? If yes, then which $variable
do I have to use in the limit_zone directive?

Of course, I would have to verify that the token is one that I have
given to the client and that it has not been constructed arbitrarily.
But this can be easily solved with a little PHP and the excellent
"X-Accel-Redirect" header that nginx supports.

Kind regards
Steffen Weber
Denis Filimonov
Re: limit_zone: Using other variables than $binary_remote_addr
January 14, 2009 12:10PM
You can use any variable in limit_zone, e.g.,

limit_zone one $my_var 10m;
....
server {
...
set $my_var <whatever>;
limit_conn one 1;
}

On Wednesday 14 January 2009 05:33:03 Steffen Weber wrote:
> I want to restrict the number of connections people can have to our
> download server. Limiting the concurrent connections by ip address is
> not very useful, because if I only allow 1 connection per ip address
> then a user cannot download multiple files at once. And if I allow n > 1
> connections per IP address, then some download managers will create
> multiple connections and other users complain about fairness.
>
> Currently one can use the limit_zone module to restrict the number of
> concurrent connections per ip address. An interesting use case would be
> to use some token in the URL (for example a GET parameter or a part of
> the requested path) instead of the ip address as the limit_zone
> $variable mentioned in the wiki:
> http://wiki.codemongers.com/NginxHttpLimitZoneModule
>
> For example if I hand out the URL
> http://example.org/file.zip?token={SOME_MD5_SUM} to a client I do not
> want to allow more than one concurrent connection that uses the given
> token. Is this currently possible in nginx? If yes, then which $variable
> do I have to use in the limit_zone directive?
>
> Of course, I would have to verify that the token is one that I have
> given to the client and that it has not been constructed arbitrarily.
> But this can be easily solved with a little PHP and the excellent
> "X-Accel-Redirect" header that nginx supports.
>
> Kind regards
> Steffen Weber
Thanks! And just in case anybody is still unsure what to do in my case
(GET parameter "hash") I was able to use

limit_zone downloads $arg_hash 10m;

Steffen

Denis Filimonov wrote:
> You can use any variable in limit_zone, e.g.,
>
> limit_zone one $my_var 10m;
> ...
> server {
> ...
> set $my_var <whatever>;
> limit_conn one 1;
> }
>
> On Wednesday 14 January 2009 05:33:03 Steffen Weber wrote:
>> I want to restrict the number of connections people can have to our
>> download server. Limiting the concurrent connections by ip address is
>> not very useful, because if I only allow 1 connection per ip address
>> then a user cannot download multiple files at once. And if I allow n > 1
>> connections per IP address, then some download managers will create
>> multiple connections and other users complain about fairness.
>>
>> Currently one can use the limit_zone module to restrict the number of
>> concurrent connections per ip address. An interesting use case would be
>> to use some token in the URL (for example a GET parameter or a part of
>> the requested path) instead of the ip address as the limit_zone
>> $variable mentioned in the wiki:
>> http://wiki.codemongers.com/NginxHttpLimitZoneModule
>>
>> For example if I hand out the URL
>> http://example.org/file.zip?token={SOME_MD5_SUM} to a client I do not
>> want to allow more than one concurrent connection that uses the given
>> token. Is this currently possible in nginx? If yes, then which $variable
>> do I have to use in the limit_zone directive?
>>
>> Of course, I would have to verify that the token is one that I have
>> given to the client and that it has not been constructed arbitrarily.
>> But this can be easily solved with a little PHP and the excellent
>> "X-Accel-Redirect" header that nginx supports.
>>
>> Kind regards
>> Steffen Weber
>
>
>
One further question: Can I somehow prevent the requests denied by
limit_zone from ending up in my access log? Some download managers are quite
aggressive and flood the log.

It would be okay if all requests denied with a 503 response code were
not logged. I think this should be possible by making the "access_log"
directive conditional (using an if clause). But I have not found a
suitable variable that I could use in the condition.

Steffen
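
The setup discussed in this thread (one connection per download token, token checked by PHP before an X-Accel-Redirect, rejected requests kept out of the access log), as an added example that is not part of any post and is written with current directive names: limit_conn_zone replaced limit_zone in nginx 1.1.8, and the "if=" parameter of access_log needs 1.7.0 or later. The zone name, file paths, PHP script and FastCGI address are assumptions.

```nginx
# Added example, not from the thread. Paths, names and the FastCGI
# address below are assumptions chosen for illustration.
http {
    # One counter per value of the "hash" GET parameter.
    # Requests with an empty key are not counted at all, so the PHP
    # script must refuse requests that carry no token.
    limit_conn_zone $arg_hash zone=downloads:10m;

    # 0 for responses with status 503 (the default limit_conn
    # rejection code), 1 for everything else.
    # Caveat: this hides every 503, whatever its cause. The
    # limit_conn_status directive can give rejections a distinct code.
    map $status $loggable {
        503     0;
        default 1;
    }

    server {
        listen 80;
        server_name example.org;

        access_log /var/log/nginx/access.log combined if=$loggable;

        # Rejections are still written to error_log at this level, so
        # aggressive clients remain visible for monitoring.
        limit_conn_log_level warn;

        # Public entry point. The limit is taken here and held until
        # the request, including the redirected file transfer, ends.
        location /download/ {
            limit_conn downloads 1;

            # The PHP script checks that the token was really issued,
            # then answers with "X-Accel-Redirect: /protected/<file>".
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /srv/app/download.php;
            fastcgi_pass 127.0.0.1:9000;
        }

        # Reachable only through X-Accel-Redirect, never directly.
        location /protected/ {
            internal;
            alias /srv/files/;
        }
    }
}
```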