Implement Rate Limiting #2

Open
stefankoegl opened this issue Nov 24, 2019 · 5 comments

@stefankoegl
Member

nginx provides rate limiting functionality (https://www.nginx.com/blog/rate-limiting-nginx/).

This could be used to reduce the stress on the limited resources.

@SiqingYu

SiqingYu commented Jan 31, 2020

Let us have discussions? 😊

  • What Nginx version are we using on production?
  • What are our purposes of rate limiting? Protect against DDoS? Password-guessing attempts? Or reduce network transfer footprint?
  • What network resource should we limit? Transfer rate? The number of simultaneous connections?
  • Should we analyze Nginx access logs to sort out requests as per usages and then decide where to put the limit_req directive?
  • How should we present 503 (Service Temporarily Unavailable) to clients? Are the clients (AntennaPod, etc.) already prepared to handle the issue?
  • What strategy of rate limiting should we adopt? e.g. considering bursts.

@stefankoegl
Member Author

> What Nginx version are we using on production?

$ nginx -v
nginx version: nginx/1.10.3 (Ubuntu)

> What are our purposes of rate limiting? Protect against DDoS? Password-guessing attempts? Or reduce network transfer footprint?

I have noticed (from manual inspection, no thorough analysis) that there are some misbehaving clients out there, e.g. requesting the same resource repeatedly many times (maybe failing to process the response and trying again). So my main intention was to ensure the best usage of our limited resources for well-behaved clients, and to reduce the impact of misbehaving ones.

> What network resource should we limit? Transfer rate? The number of simultaneous connections?

I don't think that we are limited by transfer rate. My concern is load (CPU, memory, disk) caused by "unnecessary" requests. Therefore I'd limit connections.

> Should we analyze Nginx access logs to sort out requests as per usages and then decide where to put the limit_req directive?

That'd be great. I don't have much experience in that kind of analysis.

> How should we present 503 (Service Temporarily Unavailable) to clients?

I don't know of any best practices here, but 503 sounds ok.

> Are the clients (AntennaPod, etc.) already prepared to handle the issue?

I don't know, probably not.

> What strategy of rate limiting should we adopt? e.g. considering bursts.

Again, not much experience from my side.

@SiqingYu

SiqingYu commented Feb 3, 2020

I want to analyze the logs. Could you please email me the log examples? It'd be great if you also highlight the rogue client requests in the emails. Tools like goaccess are at our disposal. 😄

@stefankoegl
Member Author

@SiqingYu you should now have access to the logs directly on the servers. One of the "rogue" requests that I have in mind is repeatedly requesting /api/2/episodes/username.json?since=0 over and over again. A similar pattern can probably be found for other resources as well.
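
The log analysis discussed in this thread, sketched as an added example (not code from the project or from either participant): it flags clients that request the same URI more than a threshold number of times within a sliding window, which is the pattern a per-client `limit_req` zone would throttle. It assumes nginx's default "combined" log format and time-ordered lines; `find_repeaters`, `max_hits`, `window` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: nginx default "combined" format; adjust if log_format differs.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_repeaters(lines, max_hits=3, window=timedelta(seconds=60)):
    """Return {(ip, uri): peak_count} for every client that requested the
    same URI more than max_hits times inside one sliding window.
    Lines are expected in chronological order, as nginx writes them."""
    recent = defaultdict(deque)  # (ip, uri) -> timestamps still in the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines instead of failing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["uri"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > max_hits:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def _line(ip, sec, uri):
    # Builds one constructed log line (documentation IP range, fake sizes).
    return (f'{ip} - - [10/Feb/2020:12:00:{sec:02d} +0000] '
            f'"GET {uri} HTTP/1.1" 200 512 "-" "constructed-client/1.0"')

REPEATED_URI = "/api/2/episodes/username.json?since=0"
SAMPLE = (
    # One client polling the same resource every 5 seconds (10 requests).
    [_line("192.0.2.10", s, REPEATED_URI) for s in range(0, 50, 5)]
    # A well-behaved client: incremental sync plus one unrelated request.
    + [_line("192.0.2.20", 3, "/api/2/episodes/username.json?since=1581336000"),
       _line("192.0.2.20", 40, "/constructed/other.json"),
       "truncated garbage line"]
)

if __name__ == "__main__":
    for (ip, uri), peak in find_repeaters(SAMPLE).items():
        print(f"{ip} requested {uri} {peak} times within 60s")
```

The flagged (client, URI) pairs and their peak counts give a starting point for choosing the rate and burst values of a limit, since well-behaved clients should stay below them.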

@SiqingYu

SiqingYu commented Feb 10, 2020 via email
