
I have an HTTP long polling endpoint that anyone can connect to for updates. The nature of the application requires the solution to be open; it cannot sit behind any form of authentication. The server accepts a maximum of 1000 connections, but currently there is nothing stopping one person from spamming all 1000 connections.

Are there any nginx configuration options that can be used to attempt to limit one connection per user?

S-K'
    Have a look at [this question / answer](https://serverfault.com/questions/281581/why-are-nginx-and-lighttpd-not-affected-by-slowloris). You can [rate limit globally](https://www.nginx.com/blog/rate-limiting-nginx/), and you can [rate limit per IP](http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html), but if you have many people behind a corporate or ISP proxy you could block them all. – Tim Oct 08 '18 at 07:59
    Probably in general a good idea to drop connections that stay open very long (aka slow loris). You could also **temporarily** ban abusive IPs. But you don't want to permaban them and you don't want to limit connections to one per IP because of NAT (there can be hundreds or even thousands of legitimate users sitting behind one public IP); this has led to hilarious things in the past, see https://techcrunch.com/2007/01/01/wikipedia-bans-qatar/ A workaround would be if you used some kind of token system within your software so every installation has a unique ID that needs to be sent. – Broco Oct 08 '18 at 09:21
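The following is an added configuration example, not part of the question or either comment, showing how the per-IP `limit_conn` approach Tim links to and the per-installation token Broco suggests can be combined in one nginx server block. The header name `X-Client-Id`, the upstream name `backend`, the location `/poll` and the numeric limits are assumptions for illustration; the directives themselves (`limit_conn_zone`, `limit_conn`, `limit_conn_status`, `limit_conn_log_level`, `proxy_read_timeout`) are standard nginx directives.

```nginx
# Added example (not from the original question or comments).
# Assumes the long-poll endpoint is proxied to an upstream named "backend"
# and that each installation sends its unique ID in an X-Client-Id header.

# Zone 1: keyed on the client IP. Caps what a single address (or a whole NAT'd
# office behind one address) can hold open, so an attacker cannot exhaust the
# 1000-connection budget even by inventing fresh tokens.
limit_conn_zone $binary_remote_addr zone=perip:10m;

# Zone 2: keyed on the client-supplied installation token. nginx does not
# account requests whose key is empty, so the zone only bites when the header
# is present; requests without it are rejected below.
limit_conn_zone $http_x_client_id zone=pertoken:10m;

upstream backend {
    server 127.0.0.1:8080;   # assumed application server
}

server {
    listen 80;

    location /poll {
        # A missing token would otherwise bypass the per-token zone entirely.
        if ($http_x_client_id = "") {
            return 400;
        }

        limit_conn perip 20;       # generous enough for users behind shared NAT
        limit_conn pertoken 1;     # but one open long-poll per installation
        limit_conn_status 429;     # tell clients to back off rather than 503
        limit_conn_log_level warn;

        # Drop long-polls that outlive the application's poll interval so a
        # slow or stalled client cannot pin a connection indefinitely (slowloris).
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;

        proxy_pass http://backend;
    }
}
```

Two caveats worth keeping in mind. The token is chosen by the client, so on its own `limit_conn pertoken 1` does nothing against an attacker who generates a new ID per connection; the per-IP zone is what bounds that case, and the two limits only work together. And because `limit_conn` counts connections per key while they are open, the cap on `perip` should be sized against the largest legitimate NAT population you expect, not set to 1, which is exactly the Qatar-style outage Broco's comment warns about.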
