btw the following configuration with ip and client.ip instead does not
work too:
if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
if(throttle.is_allowed("ip:" + client.ip, "10req/s") > 0s) {
error 429 "Calm down";
shield.conn_reset();
}
}
On 04/15/2016 10:33 AM, [email protected] wrote:
I am using the following implementation to limit the attack to
wp-login.php and xmlrpc.php, but when I test with apache benchmark (or
there is an attack) from 1000 concurrent requests with the following
configuration only 5 requests are failed from 1000 :
if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
if(throttle.is_allowed("host:" + req.http.host, "10req/s") > 0s) {
error 429 "Calm down";
shield.conn_reset();
}
}
Is this a normal behavior and why so little number of requests is
blocked? Is there an info that describe how these requests are handled
and solution of this problem? If I set the throttle to 1 requests it
works but this is super stupid and I can't understand why on 10
requests/s limit the throttle does nothing. If I can't solve this
issue I should change the varnish with something other so I will be
really thankfull if you help with this.
_______________________________________________
varnish-misc mailing list
[email protected]
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
