Welcome! Log In Create A New Profile

Advanced

Reverse proxy: allow only one client

Posted by petsneakers 
Reverse proxy: allow only one client
June 21, 2023 06:47PM
This may sound like an odd request :-)

Is there a configuration that would limit the number of clients connecting to an nginx reverse proxy to 1? Note:

- clients are connecting through a load balancer, the reverse proxy will have access to the client ip address via the `X-Forwarded-For` header.
- number of connections should not be limited, just that there should be one originating IP address proxied at any given time.
- the client will establish a long-running websocket connection with the upstream server and as such prevent other clients from connecting to the proxy . . . this is intended.

Thanks!



Edited 1 time(s). Last edit at 06/21/2023 06:52PM by petsneakers.
Re: Reverse proxy: allow only one client
June 22, 2023 01:23AM
Same question with an incorrect answer:

https://stackoverflow.com/questions/75471275/nginx-limit-number-of-ips-connected-to-server



Edited 1 time(s). Last edit at 06/22/2023 01:23AM by petsneakers.
Re: Reverse proxy: allow only one client
June 22, 2023 04:10AM
My use case could be satisfied by something like

- If a client makes an upgrade request
- Check if there is already an established websocket connection upstream
- And if so, return a 503

(I get this would allow multiple clients to make non-websocket requests, that's okay in my case.)

Is this something that njs scripting can tackle? Just learning about that now . . . maybe use the filesystem module to

- set a variable (e.g., num_ws_conns) to 1 when an upgrade connection is established (i.e., first websocket connection upstream)
- on subsequent upgrade requests check num_ws_conns and if greater than 0, 503 the request
- set num_ws_conns to 0 when the websocket request is closed

Just spitballing here . . . would appreciate feedabck if this is a reasonable approach, pointers welcome!
Re: Reverse proxy: allow only one client
June 23, 2023 05:47AM
I got something very close but wasn't sure how to reliably release the association (i.e., hook into a connection closed type of event).

Anyway, I think this is much more easily solved further upstream by getting rid of the load balancer and assigning nginx proxies to clients dynamically in the main proxy.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 330
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready