Time ban
Hi! First of all, thanks for this incredible project!
Sorry if this is already answered, but I couldn't find it in the issues or the README.
I'd like to know if there's a way to apply a time penalty for the user triggering the rate limit. Example:
rate_limit {
    zone xxxxx {
        key {http.request.remote_ip}
        events 20
        window 10s
        ban 1h # <--- example
    }
}
This config would ban for 1h a user that sent more than 20 requests in a 10s window. Is there a way to achieve this?
What do you mean by "ban"? The rate limit already does that, yeah?
Make the window 1 hour instead of 10s.
Hi @mholt, thank you for your attention!
The difference between what I want and the suggestion of "make the window 1 hour instead" is the same as:
- Prevent the user from using the app for 1h if he made 20 reqs in 10s.
- ... vs. prevent the user from using the app for 1h if he made 7200 reqs in 1 hour.
(the number of requests is increased proportionally to match the longer time window)
I don't need to wait for the attacker to make 7200 requests to know that he is trying to brute-force my login page (just as an example) and block the 7201st.
If a sensitive route of my app received 20 requests in a window of 10 seconds from the same user, that is more than enough to block him, and not only for 10s but for at least 1h or even 1 day (the numbers are just to illustrate).
Hmmmm, I think I see. You want to basically return a "Rate limited" error for an hour for a client that violated a rate limit in 10 seconds.
So we'd have to remember this somehow for 1 hour after the 10s RL has been reached. We could either do that with goroutines, or, I wonder if there's a more clever, even more lightweight way to do it (potentially related to the ring buffer).
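The mechanism discussed in this thread, shown as an added example that is not part of the issue or of the Caddy rate-limit module's code: a per-key sliding window kept in a ring buffer of the last `events` timestamps, plus a ban deadline that is recorded the moment a key exceeds the limit, so later requests are refused until the ban expires without any goroutine or timer being needed. The `Limiter` type, its parameters and the injected clock are assumptions made for the illustration; the sample IP is a constructed documentation address.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limiter enforces "events per window" for each key and, once a key exceeds
// the limit, refuses it for a further ban duration. Illustrative code only,
// not the caddy-ratelimit module's implementation.
type Limiter struct {
	mu     sync.Mutex
	events int              // max requests allowed inside one window
	window time.Duration    // sliding window length
	ban    time.Duration    // penalty applied after a violation (0 disables it)
	now    func() time.Time // injected clock so the behaviour is testable
	state  map[string]*keyState
}

type keyState struct {
	ring      []time.Time // ring buffer holding the last `events` timestamps
	cursor    int         // index of the oldest slot, i.e. the next one to overwrite
	bannedTil time.Time   // zero value means the key is not banned
}

func NewLimiter(events int, window, ban time.Duration, now func() time.Time) *Limiter {
	return &Limiter{events: events, window: window, ban: ban, now: now, state: map[string]*keyState{}}
}

// Allow reports whether a request for key may proceed. When it is refused,
// retryAfter is how long the client has to wait (suitable for a Retry-After header).
func (l *Limiter) Allow(key string) (ok bool, retryAfter time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	s, found := l.state[key]
	if !found {
		s = &keyState{ring: make([]time.Time, l.events)}
		l.state[key] = s
	}
	// A standing ban wins over the window check: the client is refused even
	// though its 10s window has long since emptied.
	if now.Before(s.bannedTil) {
		return false, s.bannedTil.Sub(now)
	}
	// The oldest recorded request sits at cursor. If it is still inside the
	// window, all `events` slots hold recent requests: the limit is reached.
	oldest := s.ring[s.cursor]
	if !oldest.IsZero() && now.Sub(oldest) < l.window {
		if l.ban > 0 {
			s.bannedTil = now.Add(l.ban) // remember the violation for the ban period
			return false, l.ban
		}
		return false, l.window - now.Sub(oldest) // plain rate limit: wait for the window
	}
	// Within budget: record this request by overwriting the oldest slot.
	s.ring[s.cursor] = now
	s.cursor = (s.cursor + 1) % l.events
	return true, 0
}

func main() {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed starting time
	l := NewLimiter(20, 10*time.Second, time.Hour, func() time.Time { return clock })
	for i := 0; i < 21; i++ { // 21 requests 100ms apart: the 21st trips the limit
		ok, retry := l.Allow("203.0.113.7")
		fmt.Printf("req %2d allowed=%v retryAfter=%v\n", i+1, ok, retry)
		clock = clock.Add(100 * time.Millisecond)
	}
	clock = clock.Add(10 * time.Minute) // window long expired, ban still in force
	ok, retry := l.Allow("203.0.113.7")
	fmt.Println("after 10m: allowed =", ok, "retryAfter =", retry)
}
```

Because the ban is just a timestamp compared on the next request, the memory cost per key is one extra field and expired bans cost nothing to clean up; a real module would still evict idle keys from the map.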