Limit reqs per user / bot

Server NGINX
1

I want to limit requests to 1 per second for each user, counting a bot
that
makes requests from multiple ips as a single user. Does this make sense:

map $http_user_agent $single_user {
default $binary_remote_addr;
~PaperLiBot 1;
}

limit_req_zone $single_user zone=one:10m rate=1r/s;

limit_req zone=one burst=2;

Thanks

Dave

Posted at Nginx Forum:

2

No because one user (web browser) can easily open 20 or more
simultaneous
connections to get a better web response.
A bot might be less prone to do the same but most connect at about 5
simultaneous connections.

Posted at Nginx Forum:

3

You should use limit_conn
http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn
in conjunction with limit_req
http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req.
They are supplementing each other.

B. R.

On Fri, Jan 8, 2016 at 8:52 PM, djeyewater [email protected]

4

B.R. Wrote:

On Fri, Jan 8, 2016 at 8:52 PM, djeyewater

The limit_req will only be used for requests to dynamic pages, so
there
should only be one connection per user at a time.

But using my example config, which only allows 1 request per second per
user, then wouldn’t limit_conn be superfluous? You can’t have more than
one
connection for a single request, surely?
I’ll paste the config again here as it got missed off the previous
quote:

map $http_user_agent $single_user {
default $binary_remote_addr;
~PaperLiBot 1;
}

limit_req_zone $single_user zone=one:10m rate=1r/s;

limit_req zone=one burst=2;

Posted at Nginx Forum:

5

As you were said before, a client might create multiple connections.

nginx works per request on a connection. Several requests in parallel
from
different TCP connections (for the HTTP module) are not the same as
several
following requests on the same connection.

Limiting the number of requests applies to every connection in parallel,
so
the total requests rate per client is nbConn * nbReq / timeUnit.
limit_conn and limit_req work together in this formula.

Do not assume things that are not said. I personally did exactly that on
numerous occasions. :o)

B. R.

On Sat, Jan 9, 2016 at 2:44 PM, djeyewater [email protected]

6

itpp2012 Wrote:

No because one user (web browser) can easily open 20 or more
simultaneous connections to get a better web response.
A bot might be less prone to do the same but most connect at about 5
simultaneous connections.

The limit_req will only be used for requests to dynamic pages, so there
should only be one connection per user at a time.

Posted at Nginx Forum: