Token-based connection limitation
Everyone knows about the limits on the number of connections from one IP (IP-based), but what if we want to limit the number of connections to a certain API per authorization token?
And it doesn’t matter how many different IPs will be used.
Part of the nginx config:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | map $request_uri $client_token {
"~*(?i)(token=)([a-f0-9]{32})" $2; # regex return <32str>
default ""; # Fallback to limit_req_zone:global
}
limit_req_zone $binary_remote_addr zone=global:32m rate=100r/s; # Rule_1
limit_req_zone $client_token zone=tokenlimit:32m rate=5r/s; # Rule_2
limit_req zone=global burst=25;
server {
location / {
index index.html;
root /var/www/html;
}
location = /api {
index index.html;
root /var/www/api/html;
limit_req zone=tokenlimit burst=5 nodelay; # api location
limit_req zone=global; # Fallback
limit_req_status 429; # 503
|
An example of mixed blocking
Simulating multiple connections from host A without a token.
ab -n 999 -c 5 "http://api.tld/api?id=letmein"
Check and get IP A blocked
Regardless of the presence of the token, it exceeded the Rule_1.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | curl -v "http://api.tld/api?token=00000000000000000000000000000000" < HTTP/1.1 429 Too Many Requests < Server: nginx < Date: Sun, 22 Jun 2024 20:03:37 GMT < Content-Type: text/html < Content-Length: 162 < Connection: keep-alive < <html> <head><title>429 Too Many Requests</title></head> <body> <center><h1>429 Too Many Requests</h1></center> <hr><center>nginx</center> </body> </html> |
IP B connects without any problems
It did not exceed either the total number of connections from one IP Rule_1 or the number of connections per token Rule_2.
1 2 3 4 5 6 7 8 9 10 | curl -v "http://api.tld/api?token=00000000000000000000000000000000" < HTTP/1.1 200 OK < Server: nginx < Date: Sun, 22 Jun 2024 20:04:18 GMT < Content-Type: text/plain; charset=utf-8 < Content-Length: 801 < Connection: keep-alive < X-App-TOKEN: 00000000000000000000000000000000 |
Example of exceeding the limit on one token
Host A
Simulate multiple connections from host A using a token (111).
1 | ab -n 999 -c 5 "http://api.tld/api?token=11111111111111111111111111111111" |
And we get a blocking of this token
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | curl -v "http://api.tld/api?token=11111111111111111111111111111111" < HTTP/1.1 429 Too Many Requests < Server: nginx < Date: Sun, 22 Jun 2024 20:10:48 GMT < Content-Type: text/html < Content-Length: 162 < Connection: keep-alive < <html> <head><title>429 Too Many Requests</title></head> <body> <center><h1>429 Too Many Requests</h1></center> <hr><center>nginx</center> </body> </html> |
Host B
Let’s try using the same token (111) from host B.
We get the same blocking of this token
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | curl -v "http://api.tld/api?token=11111111111111111111111111111111" < HTTP/1.1 429 Too Many Requests < Server: nginx < Date: Sun, 22 Jun 2024 20:12:42 GMT < Content-Type: text/html < Content-Length: 162 < Connection: keep-alive < <html> <head><title>429 Too Many Requests</title></head> <body> <center><h1>429 Too Many Requests</h1></center> <hr><center>nginx</center> </body> </html> |
Let’s try using another token (000) from host B.
Successful connection
1 2 3 4 5 6 7 8 9 10 | curl -v "http://api.tld/api?token=00000000000000000000000000000000" < HTTP/1.1 200 OK < Server: nginx < Date: Sun, 22 Jun 2024 20:09:07 GMT < Content-Type: text/plain; charset=utf-8 < Content-Length: 805 < Connection: keep-alive < X-App-TOKEN: 00000000000000000000000000000000 |
This way, you can combine different limits based not only on IP, but also on request parameters or location.
Original post on SecOps.it Blog • Token-based connection limitation