Token-based connection limitation

/en/linux/how-to/ nginx
22/June/2024
authorRentaro
Rentaro

Everyone knows about the limits on the number of connections from one IP (IP-based), but what if we want to limit the number of connections to a certain API per authorization token?
And it doesn’t matter how many different IPs will be used.

Part of the nginx config:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

map $request_uri $client_token {
    "~*(?i)(token=)([a-f0-9]{32})" $2;      # regex return <32str>
    default                        "";      # Fallback to limit_req_zone:global
}

limit_req_zone  $binary_remote_addr   zone=global:32m       rate=100r/s;    # Rule_1
limit_req_zone  $client_token         zone=tokenlimit:32m   rate=5r/s;      # Rule_2
limit_req       zone=global           burst=25;

server {
        location / {
            index index.html;
            root /var/www/html;
        }
        location = /api {
            index index.html;
            root /var/www/api/html;
            limit_req   zone=tokenlimit   burst=5 nodelay;  # api location
            limit_req   zone=global;                        # Fallback
            limit_req_status              429;              # 503

An example of mixed blocking

Simulating multiple connections from host A without a token.

ab -n 999 -c 5 "http://api.tld/api?id=letmein"

Check and get IP A blocked

Regardless of the presence of the token, it exceeded the Rule_1.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

curl -v "http://api.tld/api?token=00000000000000000000000000000000"


< HTTP/1.1 429 Too Many Requests
< Server: nginx
< Date: Sun, 22 Jun 2024 20:03:37 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< 
<html>
<head><title>429 Too Many Requests</title></head>
<body>
<center><h1>429 Too Many Requests</h1></center>
<hr><center>nginx</center>
</body>
</html>

IP B connects without any problems

It did not exceed either the total number of connections from one IP Rule_1 or the number of connections per token Rule_2.

1
2
3
4
5
6
7
8
9
10

curl -v "http://api.tld/api?token=00000000000000000000000000000000"


< HTTP/1.1 200 OK
< Server: nginx
< Date: Sun, 22 Jun 2024 20:04:18 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 801
< Connection: keep-alive
< X-App-TOKEN: 00000000000000000000000000000000

Example of exceeding the limit on one token

Host A

Simulate multiple connections from host A using a token (111).

1

ab -n 999 -c 5 "http://api.tld/api?token=11111111111111111111111111111111"

And we get a blocking of this token

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

curl -v "http://api.tld/api?token=11111111111111111111111111111111"


< HTTP/1.1 429 Too Many Requests
< Server: nginx
< Date: Sun, 22 Jun 2024 20:10:48 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< 
<html>
<head><title>429 Too Many Requests</title></head>
<body>
<center><h1>429 Too Many Requests</h1></center>
<hr><center>nginx</center>
</body>
</html>

Host B

Let’s try using the same token (111) from host B.

We get the same blocking of this token

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

curl -v "http://api.tld/api?token=11111111111111111111111111111111"


< HTTP/1.1 429 Too Many Requests
< Server: nginx
< Date: Sun, 22 Jun 2024 20:12:42 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< 
<html>
<head><title>429 Too Many Requests</title></head>
<body>
<center><h1>429 Too Many Requests</h1></center>
<hr><center>nginx</center>
</body>
</html>

Let’s try using another token (000) from host B.

Successful connection

1
2
3
4
5
6
7
8
9
10

curl -v "http://api.tld/api?token=00000000000000000000000000000000"


< HTTP/1.1 200 OK
< Server: nginx
< Date: Sun, 22 Jun 2024 20:09:07 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 805
< Connection: keep-alive
< X-App-TOKEN: 00000000000000000000000000000000

This way, you can combine different limits based not only on IP, but also on request parameters or location.