Hello!

On Sat, Sep 21, 2024 at 07:33:10PM +0200, Eirik Øverby via nginx wrote:

> TL;DR: Did almost what you suggested. Thank you!
> Bit more details below..

[...]

> > Another solution might be to improve configuration to ensure that
> > all limit_req nodes require equal or close amount of memory - this
> > is usually true with $binary_remote_addr being used for limit_req,
> > but certainly not for $request. Trivial fix that comes to mind is
> > to use some hash, such as MD5, and limit the hash instead. This
> > will ensure fixed size of limit_req allocation, and will
> > completely eliminate the problem.
> >
> > With standard modules, this can be done with embedded Perl, such
> > as:
> >
> >     perl_set $request_md5 'sub {
> >         use Digest::MD5 qw(md5);
> >         my $r = shift;
> >         return md5($r->variable("request"));
> >     }';
> >
> > (Note though that Perl might not be the best solution for DoS
> > protection, as it implies noticeable overhead.)
> >
> > With 3rd party modules, set_misc probably would be most
> > appropriate, such as with "set_md5 $request_md5 $request;".
>
> Just before getting your email, I added this:
>     set_by_lua_block $request_md5 { return ngx.md5_bin(request) }
> since we're already using LUA.
> If you think set_md5 is faster, then I'll switch to that.

While set_md5 is probably slightly faster, I don't think there is
a significant difference. As long as you are already using the Lua
module, there should be little to no difference.

--
Maxim Dounin
http://mdounin.ru/
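
The fixed-size-key approach discussed in the message above, as an added example that is not part of the original thread: a minimal nginx.conf that keys limit_req on the MD5 of $request, using the embedded-Perl variant quoted above. Zone names, zone sizes, rates, the listen port and the document root are assumptions.

```nginx
# Added example, not from the thread. Requires nginx built with
# ngx_http_perl_module for perl_set.

events {}

http {
    # Before (kept as a comment): the key is the raw request line, so
    # each limit_req node is sized by whatever the client sends and
    # node sizes in the shared zone differ from request to request.
    # limit_req_zone $request zone=per_request:10m rate=10r/s;

    # After: the key is the 16-byte binary MD5 digest of $request, so
    # every node in the zone needs the same amount of memory.
    perl_set $request_md5 'sub {
        use Digest::MD5 qw(md5);
        my $r = shift;
        return md5($r->variable("request"));
    }';

    # Zone name, size and rate are assumptions for illustration.
    limit_req_zone $request_md5 zone=per_request_md5:10m rate=10r/s;

    server {
        listen 8080;                      # assumed port

        location / {
            # limit_req runs in the preaccess phase; a bare "return"
            # here would finish in the rewrite phase and never reach it.
            limit_req zone=per_request_md5 burst=20 nodelay;
            root /var/www/html;           # assumed document root
        }
    }
}
```

Running `nginx -t` against this file confirms whether the Perl module is present in the build before the limit is relied on.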