Possible issue with LRU and shared memory zones?

Sat Sep 21 22:37:40 UTC 2024

Hello!

On Sat, Sep 21, 2024 at 07:33:10PM +0200, Eirik Øverby via nginx wrote:

> TL;DR: Did almost what you suggested. Thank you!
> Bit more details below..

[...]

> > Another solution might be to improve configuration to ensure that
> > all limit_req nodes require equal or close amount of memory - this
> > is usually true with $binary_remote_addr being used for limit_req,
> > but certainly not for $request.  Trivial fix that comes in mind is
> > to use some hash, such as MD5, and limit the hash instead.  This
> > will ensure fixed size of limit_req allocation, and will
> > completely eliminate the problem.
> > 
> > With standard modules, this can be done with embedded Perl, such
> > as:
> > 
> >      perl_set $request_md5 'sub {
> >          use Digest::MD5 qw(md5);
> >          my $r = shift;
> >          return md5($r->variable("request"));
> >      }';
> > 
> > (Note though that Perl might not be the best solution for DoS
> > protection, as it implies noticeable overhead.)
> > 
> > With 3rd party modules, set_misc probably would be most
> > appropriate, such as with "set_md5 $request_md5 $request;".
> 
> Just before getting your email, I added this:
>   set_by_lua_block $request_md5 { return ngx.md5_bin(request) }
> since we're already using LUA.
> If you think set_md5 is faster, then I'll switch to that.

While set_md5 is probably slightly faster, I don't think there 
is a significant difference.  As long as you are already using the 
Lua module, there should be little to no difference.

-- 
Maxim Dounin
http://mdounin.ru/