
Rate limit requests per user

Open juliushaertl opened this issue 1 year ago • 3 comments

Users are currently able to issue requests as much as they wish, which can lead to situations where an application server is running out of available php processes just triggered by individual users. While rate limiting could be put in place on the load balancer/webserver side, it may not be able to limit properly (based on the ip) if there are multiple users from the same ip.

It would be good to have some kind of rate limiting per user or session that can be enforced by Nextcloud in order to avoid such scenarios. The PHP process could then respond as early as possible with a 429 HTTP response.

Other than rate limiting we could also consider limiting concurrent requests, but that may be harder to implement.

As the web interface might issue quite a lot of parallel requests it might be needed to have a relatively high limit (e.g. 20), but for heavy operations such as WebDAV we could potentially have a separate limit of 5.

Partly related to https://github.com/nextcloud/server/pull/18210

cc @nextcloud/server-backend

juliushaertl, Aug 25 '22 08:08

While rate limiting could be put in place on the load balancer/webserver side, it may not be able to limit properly (based on the ip) if there are multiple users from the same ip.

Rate limiting can be implemented on the load balancer/webserver not only by IP but also by Host, which serves this purpose. We've implemented it.

This seems a good addition to Nextcloud, though.

solracsf, Aug 25 '22 10:08

@solracsf Could you share some more details on how you do that? The host header should always be the same as far as I see.

juliushaertl, Sep 21 '22 09:09

We've implemented rate limiting by extracting some cookie params from the session request on a Leaky Bucket algo. We apply it not only for Nextcloud but also for other projects; the only condition is to have in the cookie some static/per-user params, so we can apply per user/session limits.

solracsf, Sep 21 '22 09:09
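The mechanism described in this thread (a leaky bucket keyed by a per-session cookie, with the separate 20/5 limits from the opening post and an early 429 response), as an added illustration that is not code from Nextcloud or from either commenter. The cookie name `oc_sessionPassphrase`, the DAV path prefixes and the fallback to the client IP when no session cookie is present are assumptions made for the example.

```python
import time

# Constructed sample values, not Nextcloud's actual settings: requests per second
# allowed per session for the two request classes discussed in the issue.
LIMITS = {"webdav": 5.0, "default": 20.0}
SESSION_COOKIE = "oc_sessionPassphrase"  # assumed name of the session cookie
WEBDAV_PREFIXES = ("/remote.php/dav/", "/remote.php/webdav/")  # assumed DAV routes


class LeakyBucket:
    """Bucket that drains `rate` requests/second and holds at most `capacity`."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity, self.level, self.last = rate, capacity, 0.0, now

    def allow(self, now):
        # Drain what leaked out since the last request, then try to add this one.
        self.level = max(0.0, self.level - (now - self.last) * self.rate)
        self.last = now
        if self.level + 1.0 > self.capacity:
            return False
        self.level += 1.0
        return True


def limiter_key(cookie_header, remote_addr):
    """Key buckets by session cookie when present; fall back to the client IP."""
    cookies = dict(
        p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p
    )
    sid = cookies.get(SESSION_COOKIE)
    return ("session", sid) if sid else ("ip", remote_addr)


def route_class(path):
    return "webdav" if path.startswith(WEBDAV_PREFIXES) else "default"


class PerUserLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.buckets = {}  # (key, route class) -> LeakyBucket

    def check(self, cookie_header, remote_addr, path, now=None):
        """Return 200 if the request may proceed, 429 if this user's bucket is full."""
        now = time.monotonic() if now is None else now
        cls = route_class(path)
        key = (limiter_key(cookie_header, remote_addr), cls)
        bucket = self.buckets.get(key)
        if bucket is None:
            rate = self.limits[cls]
            bucket = self.buckets[key] = LeakyBucket(rate, rate, now)
        return 200 if bucket.allow(now) else 429
```

Because every bucket is keyed by session rather than address, two users behind the same NAT get independent budgets, which is the case the load-balancer IP limit cannot distinguish.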