Ratelimit

This vmod allows simple rate-limiting logic to be implemented in VCL.

So far one function, lastseen, has been implemented. It takes an IP, a URL and a tag as input parameters and returns the duration since those arguments were last seen. Any of them can be blank: the function doesn't care what the arguments are, only about the duration since it was last called with the same parameters. I'll add more complex functions in the future.

The lastseen function may be used like this in VCL to limit a client to one miss every five seconds:

import lastseen;
sub vcl_miss {
    if (lastseen.lastseen(client.ip, "", "miss") < 5s) {
        error 429 "enhance your calm and try again in some few secs";
    }
}
(...and one should probably add similar logic to vcl_pass and vcl_pipe...)
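The semantics described above, modelled in C as an added example (this is not the vmod's source): the key is the whole (ip, url, tag) triple, so a blank IP makes the limit shared by every client, and because every call records the time, a client that retries inside the window keeps being refused. Assumptions: a triple never seen before returns INFINITY, the clock is passed in as `now`, and `allow_miss`, `MAX_KEYS` and `KEY_LEN` are hypothetical names.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 64
#define KEY_LEN 256

struct entry { char key[KEY_LEN]; double last; };
static struct entry table[MAX_KEYS];
static int used;

/* Model of the described semantics (not the vmod's source): return the
 * seconds since the same (ip, url, tag) triple was last passed in, then
 * record `now`. Assumption: a triple never seen before returns INFINITY. */
double lastseen(const char *ip, const char *url, const char *tag, double now)
{
    char key[KEY_LEN];
    /* newline separators keep ("a","b") and ("ab","") from colliding */
    snprintf(key, sizeof key, "%s\n%s\n%s", ip, url, tag);
    for (int i = 0; i < used; i++) {
        if (strcmp(table[i].key, key) == 0) {
            double age = now - table[i].last;
            table[i].last = now;  /* every call counts, rejected ones too */
            return age;
        }
    }
    if (used < MAX_KEYS) {        /* bounded table: when full, new keys are untracked */
        strcpy(table[used].key, key);
        table[used++].last = now;
    }
    return INFINITY;
}

/* The vcl_miss rule from the page: 1 = serve the miss, 0 = answer 429. */
int allow_miss(const char *ip, double now)
{
    return !(lastseen(ip, "", "miss", now) < 5.0);
}

int main(void)
{
    /* Constructed timeline; addresses are documentation-range samples. */
    printf("t=0  .1 -> %d\n", allow_miss("192.0.2.1", 0.0));   /* first miss */
    printf("t=4  .1 -> %d\n", allow_miss("192.0.2.1", 4.0));   /* too soon */
    printf("t=8  .1 -> %d\n", allow_miss("192.0.2.1", 8.0));   /* 4s after the rejected call */
    printf("t=8  .2 -> %d\n", allow_miss("192.0.2.2", 8.0));   /* separate key */
    printf("t=13 .1 -> %d\n", allow_miss("192.0.2.1", 13.0));  /* 5s of silence */
    return 0;
}
```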
Status: In development
Licence:
Varnish version supported:
Commercial support: No

Comments

Hi!

This module is not yet listed as production ready. What do you think about when/if it will be? Or if it is already, just with some limitations?

I would need a somewhat simple rule: if client IP sends over x requests in, let's say, a 20-second timeframe to url ~ y, then throw some error, or something. Not that complex, but I need to get this working relatively fast.

So, should I try this module or some other method?

You get a VCL syntax error if you try to use this example, or the one provided in the official Readme at https://github.com/tobixen/libvmod-ratelimit !

I wasted too much time trying to make it work. All I had to do was to use:

 if (ratelimit.lastseen(client.ip, "", "miss") < 5s) {

Instead of:

 if (lastseen.lastseen(client.ip, "", "miss") < 5s) {

.. But in the end it was worth it, because it seems to work really nicely after I got this figured :)

 

PS: Please fix the readme and this page.

It doesn't seem to work after all :(

What it does at the moment for me is "almost" there. It allows me to ratelimit an arbitrary url for x time, but no matter what I do, the url is limited globally for any requesters. But doing this per IP (which is pretty much the only thing that makes sense), doesn't work. It doesn't matter where I place it in VCL or with what parameters.

Should I just give up, or is there some missing piece of information?

This vmod was never completed - the 0.01 version never worked as intended and finishing it up never became a priority.  Today I've found that there exists a similar vmod already - see https://github.com/nand2/libvmod-throttle