Modify your frontend from the example like this and let us know what
happens:

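frontend proxy
    bind *:80
    # Per-source-IP HTTP request rate over a 10s sliding window
    stick-table type ip size 100k expire 15s store http_req_rate(10s)
    # Track in this frontend's own table (no table named "Abuse" is defined in this snippet)
    http-request track-sc0 src
    # Above 30 requests in the window: route to the delaying backend instead of rejecting
    use_backend api_delay if { sc_http_req_rate(0) gt 30 }
    use_backend api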

backend api
    server api01 api01:80
    server api02 api02:80
    server api03 api03:80

backend api_delay
    # Hold each request until the 500ms inspect-delay has elapsed, then forward it
    tcp-request inspect-delay 500ms
    tcp-request content accept if WAIT_END
    server api01 api01:80
    server api02 api02:80
    server api03 api03:80

Note that, as per the sliding window rate limiting from the examples you
said you read, this limits each source IP to 30 requests for the last time
period of 30 seconds. That gives you 180 requests per 60 seconds.


On Tue, Jun 9, 2020 at 4:47 PM Stefano Tranquillini <stef...@chino.io>
wrote:

> If both users have the same IP then there's a problem; however, if the IPs
> are different, nginx auto-limits the requests per minute to the value given.
> I would like to achieve the same functionality in HA, or have a way to cap
> the number of calls per IP (or user or whatever) to a certain number.
> I don't really care if right now it is by IP or User via auth or JWT.
> The problem that I have is with the primitives to define this maximum number
> of calls per minute/seconds etc.
>
>
> On Tue, Jun 9, 2020 at 6:08 AM Igor Cicimov <
> ig...@encompasscorporation.com> wrote:
>
>>
>>
>> On Mon, Jun 8, 2020 at 5:18 PM Stefano Tranquillini <stef...@chino.io>
>> wrote:
>>
>>>
>>>
>>> On Sun, Jun 7, 2020 at 11:11 PM Илья Шипицин <chipits...@gmail.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> Sun, Jun 7, 2020 at 19:59, Stefano Tranquillini <stef...@chino.io>:
>>>>
>>>>> Hello all,
>>>>>
>>>>> I'm moving to HA, using it to replace NGINX, and I've a question
>>>>> regarding how to do rate limiting in HA that enables queuing the
>>>>> requests instead of closing them.
>>>>>
>>>>> I was able to limit per IP following those examples:
>>>>> https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting/
>>>>> . However, when the limit is reached, the users see the error and
>>>>> connection is closed.
>>>>>
>>>>> Since I come from NGINX, it has this handy feature
>>>>> https://www.nginx.com/blog/rate-limiting-nginx/ where connections
>>>>> that exceed the threshold are queued. Thus the user will still be able to
>>>>> do the calls but be delayed, without getting errors, and the overall
>>>>> number of requests is kept within the threshold.
>>>>>
>>>>> Is there anything similar in HA? It should limit/queue the user by
>>>>> IP.
>>>>>
>>>>> To explain with an example, we have two users Alice, with ip A.A.A.A
>>>>> and Bob with ip B.B.B.B The threshold is 30r/minute.
>>>>>
>>>>> So in 1 minute:
>>>>>
>>>>>    - Alice does 20 requests. -> that's fine
>>>>>    - Bob does 60 requests. -> the system caps the requests to 30 and
>>>>>    then processes the other 30 later on (maybe also adding timeout/delay)
>>>>>    - Alice does 50 requests -> the first 40 are fine, the next 10 are
>>>>>    queued.
>>>>>    - Bob does 20 requests -> they are queued after the one above.
>>>>>
>>>>> I saw that it can be done in general, by limiting the connections per
>>>>> host. But this will mean that it's cross IP and thus, if 500 is the limit
>>>>> - Alice  does 1 call
>>>>> - Bob does 1000 calls
>>>>> - Alice does another 1 call
>>>>> - Alice will be queued, that's not what I would like to have.
>>>>>
>>>>> Is this possible? Is there anything similar that can be done?
>>>>>
>>>>
>>>> it is not cross IP.  I wish nginx docs would be better on that.
>>>>
>>> What do you mean?
>>> In nginx I do
>>> limit_req_zone $binary_remote_addr zone=prod:10m rate=40r/m;
>>> and it works
>>>
>>
>> What works? I don't see how that helps if both users are behind the same
>> IP address as only the IP address is taken at the rate limit logic?
>>
>>>
>>>> first, in nginx terms it is limited by zone key. you can define key
>>>> using for example $binary_remote_addr$http_user_agent$ssl_client_ciphers
>>>> that means each unique combination of those parameters will be limited
>>>> by its own counter (or you can use nginx maps to construct such a zone key)
>>>>
>>>> in haproxy you can see an example of
>>>>
>>>> # Track client by base32+src (Host header + URL path + src IP)
>>>> http-request track-sc0 base32+src
>>>>
>>>> which also means key definition may be as flexible as you can imagine.
>>>>
>>>
>>> the point is, how can I cap the number of requests for a single user to
>>> 40r/minute for example? or any number.
>>>
>>
>> And the point that others are trying to make is you need to have
>> something in your request that you can use to distinguish one user from
>> another. Like Authentication header, JWT token or userID maybe in your
>> query string etc. Then you can use that "unique" value to build your hash
>> similar to what has been shown above to create your rate limit table key.
>>
>
>
> --
> *Stefano Tranquillini, *CTO/Co-Founder @ chino.io
> *Need to talk? book a slot <http://bit.ly/2LdXbZQ>*
> *Please consider the environment before printing this email - **keep it
> short <http://five.sentenc.es/> *
>
>
>

-- 

Igor Cicimov  | Senior DevOps Engineer

t  +61 (1) 300-362-667

e  ig...@encompasscorporation.com

w www.encompasscorporation.com

a  Level 10, 117 Clarence Street, Sydney, NSW, Australia 2000
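
The following is an added example, not part of the thread or of the HAProxy blog post it cites: it combines the delay backend above with the per-user key suggested in the quoted replies, for the case where several users share one source IP. The table names (st_per_user, st_per_ip), the defaults section and the per-IP threshold of 300 are assumptions made for illustration.

```haproxy
# Added example; table names, timeouts and the per-IP threshold are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Tables live in otherwise empty backends so each counter has its own key type.
backend st_per_user
    # Key is the 20-byte SHA-1 of the Authorization header, so raw credentials
    # are not stored in (or readable from) the stick-table.
    stick-table type binary len 20 size 100k expire 15s store http_req_rate(10s)

backend st_per_ip
    stick-table type ip size 100k expire 15s store http_req_rate(10s)

frontend proxy
    bind *:80
    # sc0: per-user counter, only for requests that carry credentials.
    http-request track-sc0 req.hdr(Authorization),sha1 table st_per_user if { req.hdr(Authorization) -m found }
    # sc1: per-IP counter on every request. Header values are client-controlled,
    # so this coarser limit still applies when a client varies or omits the header.
    http-request track-sc1 src table st_per_ip
    # Same threshold as above per user; a higher (assumed) ceiling per source IP.
    use_backend api_delay if { sc_http_req_rate(0) gt 30 }
    use_backend api_delay if { sc_http_req_rate(1) gt 300 }
    default_backend api

backend api
    server api01 api01:80
    server api02 api02:80
    server api03 api03:80

backend api_delay
    # Hold the request for the inspect-delay, then forward it.
    tcp-request inspect-delay 500ms
    tcp-request content accept if WAIT_END
    server api01 api01:80
    server api02 api02:80
    server api03 api03:80
```

The per-user key is only as trustworthy as the header itself: unless the Authorization value is validated before tracking, the per-IP counter is the limit that cannot be sidestepped by changing the header.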
