Rate limiting in ssl_certificate_by_lua


Abhin Balur

Jan 27, 2021, 11:13:43 AM
to openresty-en

Hi,
Just wanted to know if there are any known issues to using the
inside the ssl_certificate_by_lua block.
Also is it possible?

Regards

ecc256

Jan 27, 2021, 12:02:58 PM
to openresty-en
I don't have an exact answer to your question.

I do use both rate-limiting-nginx and ssl_certificate_by_lua.
Works fine, except the allowlisting part.
I.e. I cannot remove the limit from IPs I trust...
IMO, rate limiting does kick in before ssl_certificate_by_lua.

I wonder if anybody else uses an allowlist and can share troubleshooting tips.

ecc256

Jan 27, 2021, 12:55:39 PM
to openresty-en
> I wonder if anybody else uses an allowlist and can share troubleshooting tips.

Sorted it out.
I had the allowlist set in 2 places and the 2nd was overwriting the 1st!
Noticed what's wrong right after I wrote above message, as usual...

Abhin Balur

Jan 27, 2021, 1:01:15 PM
to openre...@googlegroups.com
Hi,

Nginx rate limiting (https://www.nginx.com/blog/rate-limiting-nginx) that you pointed out kicks in after getting the HTTPS request and reading of the headers, so it kicks in after the SSL handshake.
I want to rate limit before the SSL handshake.

Here, for the rate limiting Lua module (https://github.com/openresty/lua-resty-limit-traffic#description), they explicitly say it can be plugged in before the SSL handshake.
Just wanted to know if the changes will go inside the ssl_certificate_by_lua_block, or any pointers on how to get it done.

Regards
Abhin


ecc256

Jan 27, 2021, 1:10:37 PM
to openresty-en
> Nginx rate limiting (https://www.nginx.com/blog/rate-limiting-nginx) that you pointed out kicks in after getting the HTTPS request and reading of the headers, so it kicks in after the SSL handshake.

I guess you are right, since rate-limiting-nginx can use any header value, not necessarily remote_addr!
And to get headers, the SSL handshake should be done already, obviously.

> Just wanted to know if the changes will go inside the ssl_certificate_by_lua_block, or any pointers on how to get it done.

Just try it on the test server.
And if you run into any problems post your setup and exact behavior you observe here.
I’ll be happy to help, if I can!
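
Editor's added example, not posted by anyone in this thread and not the lua-resty-limit-traffic project's own code: one way to place the `resty.limit.req` limiter inside `ssl_certificate_by_lua_block`, so that clients over the limit are dropped before the TLS handshake completes. The shared dict name, the rate and burst values, the server name, the certificate paths and the fail-open choices are assumptions.

```nginx
http {
    # Shared memory zone holding per-client counters (name and size are assumptions)
    lua_shared_dict tls_limit_req_store 10m;

    server {
        listen 443 ssl;
        server_name example.test;                      # placeholder

        # nginx still requires static certificate directives to be configured
        ssl_certificate     /path/to/placeholder.crt;  # placeholder
        ssl_certificate_key /path/to/placeholder.key;  # placeholder

        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"
            local limit_req = require "resty.limit.req"

            -- 20 handshakes/s per client with a burst of 10 (assumed values)
            local lim, new_err = limit_req.new("tls_limit_req_store", 20, 10)
            if not lim then
                ngx.log(ngx.ERR, "failed to create limiter: ", new_err)
                return  -- fail open on an internal error (a policy choice)
            end

            -- No HTTP request exists yet, so no header can serve as the key;
            -- key on the socket address (binary string for inet/inet6)
            local addr, addrtype, addr_err = ssl.raw_client_addr()
            if not addr then
                ngx.log(ngx.ERR, "failed to get client address: ", addr_err)
                return
            end
            if addrtype == "unix" then
                return  -- local socket: not limited here (assumption)
            end

            local delay, err = lim:incoming(addr, true)
            if not delay then
                if err == "rejected" then
                    -- Over rate + burst: abort the handshake
                    return ngx.exit(ngx.ERROR)
                end
                ngx.log(ngx.ERR, "failed to limit handshake: ", err)
                return
            end

            if delay >= 0.001 then
                ngx.sleep(delay)  -- within burst: delay the handshake
            end
        }
    }
}
```

An allowlist check on `addr` would go before the `lim:incoming` call, in a single place, so a second definition cannot override the first.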