Module ngx_mail_limit_conn_module
The ngx_mail_limit_conn_module module (1.29.0) is used to limit the number of connections per the defined key, in particular, the number of connections from an authenticated client.
Connections are limited after authentication, so the user name updated by the authentication server can be used as a key, as well as arbitrary authentication server response header fields.
Example Configuration
    mail {
        limit_conn_zone $remote_user zone=user:10m;
        ...
        server {
            ...
            limit_conn user 10;
        }
    }
Directives
| Syntax: | limit_conn |
|---|---|
| Default: | — |
| Context: | mail, server |
Sets the shared memory zone and the maximum allowed number of connections for a given key value. When this limit is exceeded, the server will return a protocol-specific error and close the connection. For example, the directives
    limit_conn_zone $remote_user zone=user:10m;
    server {
        limit_conn user 5;
    }
allow at most 5 connections for an authenticated user at a time.
Note that not all email clients support the response codes being used, and some might show a password prompt to the user. Therefore, it is not recommended to configure limits that are low enough to be exceeded by well-behaving clients.
There could be several limit_conn directives. For example, the following configuration will limit the number of connections per user and, at the same time, the number of connections for all users in the particular domain, as provided by the authentication server:
    limit_conn_zone $remote_user zone=user:10m;
    limit_conn_zone $auth_http_domain zone=domain:10m;
    server {
        ...
        limit_conn user 5;
        limit_conn domain 100;
    }
These directives are inherited from the previous configuration level if and only if there are no limit_conn directives defined on the current level.
| Syntax: | limit_conn_dry_run |
|---|---|
| Default: | limit_conn_dry_run off; |
| Context: | mail, server |
Enables the dry run mode. In this mode, the number of connections is not limited; however, the number of excessive connections is still accounted in the shared memory zone as usual.
| Syntax: | limit_conn_log_level |
|---|---|
| Default: | limit_conn_log_level error; |
| Context: | mail, server |
Sets the desired logging level for cases when the server limits the number of connections.
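The inheritance rule and the dry run mode interact in a way that is easy to get wrong, so here is an added example (not part of the original module documentation) that puts them together. The authentication server address, ports and numeric limits are constructed placeholders, and the authentication server is assumed to return a Domain response header field.

```nginx
# Added example; auth.example.internal, the ports and the limits are placeholders.
mail {
    auth_http auth.example.internal:9000/auth;

    limit_conn_zone $remote_user      zone=user:10m;
    # Assumes the authentication server returns a "Domain" header field.
    limit_conn_zone $auth_http_domain zone=domain:10m;

    # Defaults for every server that defines no limit_conn of its own.
    limit_conn user   10;
    limit_conn domain 200;
    limit_conn_log_level warn;

    server {
        # IMAP: no limit_conn here, so both mail-level limits are inherited.
        listen   143;
        protocol imap;
    }

    server {
        # POP3: a tighter per-user limit is being evaluated.
        listen   110;
        protocol pop3;

        # Defining any limit_conn on this level stops inheritance of ALL
        # mail-level limit_conn directives, so the domain limit must be
        # repeated or it no longer applies to this server.
        limit_conn user   3;
        limit_conn domain 200;

        # Excess connections are accounted in the zones but nobody is
        # rejected while the new value is checked against real clients.
        limit_conn_dry_run on;
    }
}
```

Once the accounted excess shows that well-behaving clients stay under the new per-user value, switch limit_conn_dry_run back to off to enforce it.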
| Syntax: | limit_conn_zone |
|---|---|
| Default: | — |
| Context: | mail |
Sets parameters for a shared memory zone that will keep states for various keys. In particular, the state includes the current number of connections.
The key can be one of the following:
- $remote_addr: client address
- $remote_user: user name supplied during authentication
- $auth_http_name: arbitrary authentication server response header field; the last part of a variable name is the field name converted to lower case with dashes replaced by underscores
Connections with an empty key value are not accounted.
Usage example:
limit_conn_zone $remote_user zone=addr:10m;
Here, the user name serves as a key.
On 32-bit platforms a stored state occupies 32 bytes for keys up to 12 bytes, 64 bytes for keys from 13 to 44 bytes. On 64-bit platforms a stored state occupies 64 bytes for keys up to 28 bytes. A one-megabyte zone can keep about 32 thousand 32-byte states or about 16 thousand 64-byte states. If the zone storage is exhausted, the server will return an error and close the connection.