From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 2950B1FF15E for ; Mon, 10 Nov 2025 10:03:18 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CD52310471; Mon, 10 Nov 2025 10:04:02 +0100 (CET) Message-ID: <88f55a25-b507-49f4-84cd-6a39625b73fc@proxmox.com> Date: Mon, 10 Nov 2025 10:03:28 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Proxmox Backup Server development discussion , Hannes Laimer References: <20251107132329.42965-1-h.laimer@proxmox.com> Content-Language: en-US, de-DE From: Christian Ebner In-Reply-To: <20251107132329.42965-1-h.laimer@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1762765387164 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.048 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pbs-devel] [PATCH proxmox{, -backup} v2 0/6] add user specific rate-limits X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" On 11/7/25 2:23 PM, Hannes Laimer wrote: > When a connection is accepted we create a shared tag handle for its > rate-limited stream. The REST layer clears that handle before every > request. Once a request authenticates successfully, we push a > User(...) tag with the auth ID. Failed or unauthenticated requests > leave the tag list empty. RateLimitedStream watches that handle and > forces an immediate limiter refresh whenever the tag set changes so > user-specific throttles take effect right away. > > Currently rules with a user specified take priority over others. So: > user > IP only > neither, in case two rules match. > > If users and networks are specified, the rule only applies if both > match. So, Any of the specified user connect from any of the specified > network. > > And all of this ofc still only if the given timeframe matches. > > v2, thanks @Chris!: > - fix problem with tag staying on connection after request finishes, > and with when it would be set in first place > - use a more generic tag-list on the connection, this is more general > - tag is now an enum, like chris suggested, this should make it > somewhat easy to extend if we at some point should want to In general this series looks good already, but one thing which IMO should be checked is how this behaves with reverse proxies which might use connection pools to reuse TCP connections. Did you already do some testing with respect to that? _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel