libmicrohttpd
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [libmicrohttpd] MHD_OPTION_PER_IP_CONNECTION_LIMIT behaviour behind


From: Evgeny Grin
Subject: Re: [libmicrohttpd] MHD_OPTION_PER_IP_CONNECTION_LIMIT behaviour behind a reverse proxy
Date: Tue, 8 Feb 2022 13:32:12 +0300
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.1

Hi Kelson,

On the one hand this is something that could be implemented in MHD.

On the other hand, the value of such implementation is questionable.
The per-ip limit was implemented to avoid getting of all (or too much of) servers resources for serving a single client (or just a few clients). When clients are connected directly, we MHD can get information about the client's IP from the sockets, so requests above the limits are just refused. In situation when the information must be extracted from the headers, MHD should:
* accept the new connection (the new socket),
* allocate memory and other resources (start the new thread in thread-per-connection mode),
* receive the data on the new connection,
* parse received data to find end of the request headers,
* parse headers to find "X-Forwarded-For" header (or headers if reverse-proxies are chained, then find the right one header),
* parse "X-Forwarded-For" value.
Such processing already took a lot of resources. If the response is small, then it would be better to send the response anyway to save resources of processing repeated request from the same client. And this is something that can be easily implemented in the application logic. You should just return "MHD_NO" when access handler callback is called. It would be exactly the same effect: accept connection, parse headers, close connection.

I don't see any noticeable advantage of implementing it at the MHD level.
Ideally it should be implemented at reverse proxy level, then you would save resources on rejected connections. If you implement it on MHD level, that resource usage can be even higher compared to processing without per-ip limiting, because clients will repeat requests (and repeated request would need to be accepted and parsed before rejected).

--
Evgeny (AKA Karlson2k)


-------- Original Message --------
From: Emmanuel Engelhart <kelson@kiwix.org>
Sent: Sunday, February 6, 2022, 16:58 UTC+3
Subject: [libmicrohttpd] MHD_OPTION_PER_IP_CONNECTION_LIMIT behaviour behind a reverse proxy

On 06.02.22 12:39, Christian Grothoff wrote:
You're misreading the code, "5" is the numeric value of the option in
the enum, not the actual default limit. The default limit is indeed zero
as per the documentation (and a limit for zero means 'unlimited').

Thank you for the clarification. It makes sense.

I think your suggestion to check against X-Forwarded-For is interesting,
but I wonder if in that case it would not be better/simpler to simply
let the reverse proxy do this check? At least I expected that to be the
case, and I think _if_ we implemented an X-Forwarded-For based check,
we'd need a new option, new data structure, and it'd also imply a
(minor) additional performance hit. So really the question is: if you're
behind a reverse proxy, why not configure the reverse proxy to limit the
number of connections per IP?

If this is not doable at microhttpd level, we will have to do it in the reverse-proxy indeed. I just though that because there is already an option in microhttpd, and because this is not unusual for Web apps to take care of this case, I would put a message about it.

My personal opinion is that it would be neat and straight forward to have microhttpd just doing the job. If you agree on the principle, we could even maybe propose a patch. But, there is for sure good arguments for both include and not include such a feature. Therefore, whatever your decision on it, I'm sure I will understand it.

Kelson

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]