Welcome! Log In Create A New Profile

Re: how to configure request rate limiting by Kerberos authenticated user?

Forum List Message List New Topic Print View

Maxim Dounin

August 05, 2020 08:36PM

Hello!

On Wed, Aug 05, 2020 at 09:21:42PM +0000, Nica, George wrote:

> We are currently using "limit_req_zone $binary_remote_addr" for rate limiting. However, some of our users are connecting from more than one IP address, using clients running on computer grids.
> We wanted to do request rate limiting by authenticated user (in addition to the existing one by $binary_remote_addr).
> Is there any way we could do request rate limiting based on authenticated user?
> We use Kerberos for authentication, using ngx_http_auth_spnego_module (https://github.com/stnoonan/spnego-http-auth-nginx-module).
> We tried "limit_req_zone $remote_user zone=user:10m rate=20r/s;" and "limit_req zone=user burst=20;" but the key was apparently empty - all requests, from all users, were getting limited (all bunched under one key). However, interestingly, $remote_user is passed fine to the upstream using "proxy_set_header X-Forwarded-User $remote_user;"... Apparently $remote_user only works for request limiting when using basic authentication.
> Thank you for any suggestions/pointers.

The $remote_user variable is extracted by nginx from the
Authorization header only when using Basic authentication. The
SPNEGO auth module tries to make it work by providing a fake
"Authorization: Basic ..." header to nginx, but this won't work
for limit_req because rate limiting happens before access checks
(and so before the SPNEGO auth module adds the fake header).

If you want to limit requests based on the user name from the
SPNEGO auth module, the most obvious solution would be to do this
with additional proxying, so the user name will be known.

Alternative solutions include adding its own variable to the
module, so it can be used at any time (much like $remote_user when
using Basic authentication), or doing some clever redirect tricks
to convince nginx to do authentication first, and then to do rate
limiting (in another location, after a redirect).

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
how to configure request rate limiting by Kerberos authenticated user?	Nica, George	August 05, 2020 05:22PM
Re: how to configure request rate limiting by Kerberos authenticated user?	Maxim Dounin	August 05, 2020 08:36PM
Re: how to configure request rate limiting by Kerberos authenticated user?	George Nica	August 06, 2020 11:27AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 220

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018