how to configure request rate limiting by Kerberos authenticated user?


how to configure request rate limiting by Kerberos authenticated user?

Nica, George

Hi,


We are currently using "limit_req_zone $binary_remote_addr" for rate limiting. However, some of our users are connecting from more than one IP address, using clients running on computer grids.

We wanted to do request rate limiting by authenticated user (in addition to the existing one by $binary_remote_addr).

Is there any way we could do request rate limiting based on authenticated user?

We use Kerberos for authentication, using ngx_http_auth_spnego_module (https://github.com/stnoonan/spnego-http-auth-nginx-module).

We tried "limit_req_zone $remote_user zone=user:10m rate=20r/s;" and "limit_req zone=user burst=20;" but the key was apparently empty - all requests, from all users, were getting limited (all bunched under one key). However, interestingly, $remote_user is passed fine to the upstream using "proxy_set_header X-Forwarded-User $remote_user;"… Apparently $remote_user only works for request limiting when using basic authentication.

Thank you for any suggestions/pointers.


Best,

George


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: how to configure request rate limiting by Kerberos authenticated user?

Maxim Dounin
Hello!

On Wed, Aug 05, 2020 at 09:21:42PM +0000, Nica, George wrote:

> We are currently using "limit_req_zone $binary_remote_addr" for rate limiting. However, some of our users are connecting from more than one IP address, using clients running on computer grids.
> We wanted to do request rate limiting by authenticated user (in addition to the existing one by $binary_remote_addr).
> Is there any way we could do request rate limiting based on authenticated user?
> We use Kerberos for authentication, using ngx_http_auth_spnego_module (https://github.com/stnoonan/spnego-http-auth-nginx-module).
> We tried "limit_req_zone $remote_user zone=user:10m rate=20r/s;" and "limit_req zone=user burst=20;" but the key was apparently empty - all requests, from all users, were getting limited (all bunched under one key). However, interestingly, $remote_user is passed fine to the upstream using "proxy_set_header X-Forwarded-User $remote_user;"... Apparently $remote_user only works for request limiting when using basic authentication.
> Thank you for any suggestions/pointers.

The $remote_user variable is extracted by nginx from the
Authorization header only when using Basic authentication.  The
SPNEGO auth module tries to make it work by providing a fake
"Authorization: Basic ..." header to nginx, but this won't work
for limit_req because rate limiting happens before access checks
(and so before the SPNEGO auth module adds the fake header).

If you want to limit requests based on the user name from the
SPNEGO auth module, the most obvious solution would be to do this
with additional proxying, so the user name will be known.

Alternative solutions include adding its own variable to the
module, so it can be used at any time (much like $remote_user when
using Basic authentication), or doing some clever redirect tricks
to convince nginx to do authentication first, and then to do rate
limiting (in another location, after a redirect).

--
Maxim Dounin
http://mdounin.ru/
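The "additional proxying" approach from the reply above, written out as an added nginx configuration example; it is not from the thread or from the spnego-http-auth-nginx-module project. It assumes the module's `auth_gss*` directive names, and the host name, ports, realm, certificate paths and the `backend` upstream are placeholders. The front tier authenticates with SPNEGO and, once the access phase has populated `$remote_user`, forwards the principal in a header; the inner tier keys its `limit_req_zone` on that header, which is already set by the time its own rate limiting runs:

```nginx
# Front tier: terminates TLS, performs SPNEGO auth, keeps the existing
# per-IP limit. Values below are placeholders for the example.
limit_req_zone $binary_remote_addr zone=perip:10m rate=20r/s;

upstream backend {
    server 10.0.0.10:8080;   # placeholder application server
}

server {
    listen 443 ssl;
    server_name app.example.com;              # placeholder
    ssl_certificate     /etc/nginx/app.crt;   # placeholder
    ssl_certificate_key /etc/nginx/app.key;   # placeholder

    location / {
        limit_req zone=perip burst=20 nodelay;

        # Directive names as documented by the spnego module (assumed).
        auth_gss on;
        auth_gss_realm EXAMPLE.COM;           # placeholder realm
        auth_gss_keytab /etc/krb5.keytab;
        auth_gss_service_name HTTP;

        # After the access phase $remote_user holds the Kerberos principal.
        # proxy_set_header replaces any client-supplied header of the same
        # name, so the inner tier only ever sees the value set here.
        proxy_set_header X-Forwarded-User $remote_user;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header Host             $host;
        proxy_pass http://127.0.0.1:8081;
    }
}

# Inner tier: loopback only, so the header cannot arrive from anywhere
# but the front tier. The per-user key is available from the start of
# the request here, so limit_req can use it.
limit_req_zone $http_x_forwarded_user zone=peruser:10m rate=20r/s;

server {
    listen 127.0.0.1:8081;

    location / {
        limit_req zone=peruser burst=20;
        proxy_pass http://backend;
    }
}
```

Two points to check when deploying something like this: `limit_req_zone` does not account requests whose key is empty, so the inner listener must be reachable only through the front tier (the loopback bind above), otherwise a request that arrives without the header escapes the per-user limit entirely; and the front tier's `proxy_set_header` is what prevents a client from choosing its own `X-Forwarded-User`, so it must not be dropped from that location.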
Re: how to configure request rate limiting by Kerberos authenticated user?

zakirenish
Thank you Maxim.
Adding an extra variable to the spnego auth module sounds intriguing, but
also challenging because, as you mention, "rate limiting happens before
access checks" and this module mainly deals with access checks until now.
Sounds like an extra level of proxying is the way ahead for now.
It would be nice if Kerberos were supported directly by nginx. :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288976,288990#msg-288990
