From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id C86B31FF16B for ; Fri, 21 Nov 2025 17:32:45 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CD2F127F7F; Fri, 21 Nov 2025 17:32:51 +0100 (CET) Message-ID: <30edf196-bff2-4ecc-89fa-4d51f5c9e631@proxmox.com> Date: Fri, 21 Nov 2025 17:32:48 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Proxmox Backup Server development discussion , Hannes Laimer References: <20251121135043.97142-1-h.laimer@proxmox.com> Content-Language: en-US, de-DE From: Christian Ebner In-Reply-To: <20251121135043.97142-1-h.laimer@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1763742736654 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.048 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pbs-devel] [PATCH proxmox{, -backup} v5 0/6] add user specific rate-limits X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" On 11/21/25 2:50 PM, Hannes Laimer wrote: > When a connection is accepted we create a shared tag handle for its > rate-limited stream. The REST layer clears that handle before every > request. Once a request authenticates successfully, we push a > User(...) tag with the auth ID. Failed or unauthenticated requests > leave the tag list empty. RateLimitedStream watches that handle and > forces an immediate limiter refresh whenever the tag set changes so > user-specific throttles take effect right away. > > Currently rules with a user specified take priority over others. So: > user > IP only > neither, in case two rules match. > > If users and networks are specified, the rule only applies if both > match. So, any of the specified user connect from any of the specified > network. > > And all of this ofc still only if the given timeframe matches. > > I did also test this with a basic nginx reverse proxy configured with > `keepalive 32`, I didn't run into problems using this setup. Gave version 5 of the patches another spin. Changes are nice, adding the dirty flag and forcing updates based on that is definitely better than comparing and cloning the tags. User specific rate limits are still applied, also when going through the HAProxy setup I already tested with last time. Reviewed-by: Christian Ebner Tested-by: Christian Ebner _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel