Hey mates, Apache APISIX has an official plugin, limit-conn, and the documentation has one line stating: "Key can be customized by the user, only need to modify a line of code of the plug-in to complete. It is a security consideration that is not open in the plugin."
What is the security concern when customizing the key? For example, I want to use the URI as the key to prevent an expensive endpoint from being exhausted. Is there any security concern with using the URI as the key? Is it possible for many requests with different URIs to exhaust my memory?
Another question is about the delay. From the code, the delay is implemented with a sleep: https://github.com/apache/apisix/blob/master/apisix/plugins/limit-conn/init.lua#L78. Will that cause a connection to be occupied during the delay? So if we configure a delay that is too big, e.g. 30 seconds, will it cause many connections to be occupied? Will it cause stability problems?