From: Christian Ebner
To: Proxmox Backup Server development discussion, Hannes Laimer
Date: Wed, 12 Nov 2025 11:08:16 +0100
Subject: Re: [pbs-devel] [PATCH proxmox{, -backup} v3 0/6] add user specific rate-limits
In-Reply-To: <20251110134255.69132-1-h.laimer@proxmox.com>

On 11/10/25 2:43 PM, Hannes Laimer wrote:
> When a connection is accepted we create a shared tag handle for its
> rate-limited stream. The REST layer clears that handle before every
> request. Once a request authenticates successfully, we push a
> User(...) tag with the auth ID. Failed or unauthenticated requests
> leave the tag list empty. RateLimitedStream watches that handle and
> forces an immediate limiter refresh whenever the tag set changes so
> user-specific throttles take effect right away.
>
> Currently rules with a user specified take priority over others. So:
> user > IP only > neither, in case two rules match.
>
> If users and networks are specified, the rule only applies if both
> match. So: any of the specified users connects from any of the
> specified networks.
>
> And all of this of course still only if the given timeframe matches.
>
> I did also test this with a basic nginx reverse proxy configured with
> `keepalive 32`, I didn't run into problems using this setup.
>
> v3, thanks @Chris!:
> - simplify code by passing the taglist to the callback, as suggested by
>   Chris
> - mention potential future use-case in commit message
> - created documented type for 3-tuple and inlined var for printing
>
> v2, thanks @Chris!:
> - fix problem with tag staying on connection after request finishes,
>   and with when it would be set in the first place
> - use a more generic tag-list on the connection, this is more general
> - tag is now an enum, like Chris suggested, this should make it
>   somewhat easy to extend if we at some point should want to
>

- tested per-user rate limits are set
- tested rate limits are applied for all users defined in the ruleset
- tested rate limits are honored with reverse proxy (haproxy with `http-reuse always`)
- checked correct per-user rules are applied when connections go through proxy

With all the comments addressed, please consider:

Reviewed-by: Christian Ebner
Tested-by: Christian Ebner

_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
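The tag-handle and rule-selection scheme described in the quoted cover letter, written out as an added Rust example. This is not code from the patch series or from Proxmox Backup Server; the names `ConnTag`, `TagHandle`, `Rule`, `tags_changed` and `effective_limit`, the std-only `Cidr` type, the hour-of-day timeframe predicate, the sample ruleset and rate values, and the tie-break among equally specific rules are all assumptions made for illustration. What it shows is the part that matters for security: the tag list is cleared before every request and populated only after successful authentication, so on a keep-alive or reverse-proxied connection one request cannot inherit the previous request's identity, and the matcher requires every specified dimension (users, networks, timeframe) to match before a rule applies.

```rust
use std::net::Ipv4Addr;
use std::sync::{Arc, Mutex};

/// Tag pushed onto a connection once a request has authenticated.
/// Assumed name; the series describes a `User(...)` variant carrying the auth ID.
#[derive(Clone, Debug, PartialEq)]
pub enum ConnTag {
    User(String),
}

/// Per-connection tag handle shared between REST layer and stream (assumed shape).
pub type TagHandle = Arc<Mutex<Vec<ConnTag>>>;

pub fn new_tag_handle() -> TagHandle {
    Arc::new(Mutex::new(Vec::new()))
}

/// REST layer, before every request: start with no tags, so a keep-alive or
/// proxied connection never inherits the previous request's identity.
pub fn clear_tags(handle: &TagHandle) {
    handle.lock().unwrap().clear();
}

/// REST layer, after successful authentication only.
pub fn set_user_tag(handle: &TagHandle, auth_id: &str) {
    handle.lock().unwrap().push(ConnTag::User(auth_id.to_string()));
}

/// Stream side: true when the tag set differs from the last one seen, i.e. the
/// limiter must be refreshed right away instead of at its next regular interval.
pub fn tags_changed(handle: &TagHandle, last_seen: &mut Vec<ConnTag>) -> bool {
    let current = handle.lock().unwrap();
    if *current == *last_seen {
        return false;
    }
    *last_seen = current.clone();
    true
}

/// IPv4 network in CIDR notation, hand-rolled so the example needs std only.
#[derive(Clone, Debug)]
pub struct Cidr { addr: Ipv4Addr, prefix: u8 }

impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (a, p) = s.split_once('/')?;
        let prefix: u8 = p.parse().ok().filter(|p| *p <= 32)?;
        Some(Cidr { addr: a.parse().ok()?, prefix })
    }
    pub fn contains(&self, ip: Ipv4Addr) -> bool {
        let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
        (u32::from(self.addr) & mask) == (u32::from(ip) & mask)
    }
}

/// A rule: optional user list, optional network list, a timeframe predicate
/// (here simply the hour of day) and the limit it imposes.
pub struct Rule {
    pub name: &'static str,
    pub users: Vec<&'static str>,
    pub networks: Vec<Cidr>,
    pub active_at: fn(u32) -> bool,
    pub rate_bytes_per_s: u64,
}

impl Rule {
    /// Every dimension the rule specifies must match: user (if any are listed),
    /// source network (if any are listed) and timeframe.
    pub fn matches(&self, tags: &[ConnTag], peer: Ipv4Addr, hour: u32) -> bool {
        if !(self.active_at)(hour) {
            return false;
        }
        let user_ok = self.users.is_empty()
            || tags.iter().any(|t| match t {
                ConnTag::User(id) => self.users.iter().any(|u| *u == id.as_str()),
            });
        user_ok && (self.networks.is_empty() || self.networks.iter().any(|n| n.contains(peer)))
    }

    /// Priority among matching rules: user-specific > IP only > neither.
    fn specificity(&self) -> u8 {
        match (self.users.is_empty(), self.networks.is_empty()) {
            (false, _) => 2,
            (true, false) => 1,
            (true, true) => 0,
        }
    }
}

/// Pick the rule for the current request; None means unlimited. Ties between
/// equally specific rules go to the last one listed (an assumption of this example).
pub fn effective_limit(rules: &[Rule], handle: &TagHandle, peer: Ipv4Addr, hour: u32) -> Option<(&'static str, u64)> {
    let guard = handle.lock().unwrap();
    let tags: &[ConnTag] = &guard;
    rules.iter()
        .filter(|r| r.matches(tags, peer, hour))
        .max_by_key(|r| r.specificity())
        .map(|r| (r.name, r.rate_bytes_per_s))
}

fn always(_hour: u32) -> bool { true }
fn at_night(hour: u32) -> bool { hour >= 22 || hour < 6 }

/// Constructed sample ruleset (not a real PBS configuration).
pub fn demo_rules() -> Vec<Rule> {
    let lan = Cidr::parse("10.0.0.0/8").unwrap();
    vec![
        Rule { name: "default", users: vec![], networks: vec![], active_at: always, rate_bytes_per_s: 100_000_000 },
        Rule { name: "lan", users: vec![], networks: vec![lan.clone()], active_at: always, rate_bytes_per_s: 50_000_000 },
        Rule { name: "alice-lan-night", users: vec!["alice@pbs"], networks: vec![lan], active_at: at_night, rate_bytes_per_s: 10_000_000 },
    ]
}

fn main() {
    let (rules, handle) = (demo_rules(), new_tag_handle());
    let mut seen = Vec::new();
    let peer: Ipv4Addr = "10.1.2.3".parse().unwrap();
    clear_tags(&handle); // unauthenticated request: the IP-only rule beats "neither"
    println!("{:?}", effective_limit(&rules, &handle, peer, 23));
    set_user_tag(&handle, "alice@pbs"); // authenticated: the user rule takes priority
    println!("refresh={} {:?}", tags_changed(&handle, &mut seen), effective_limit(&rules, &handle, peer, 23));
}
```

The same `alice@pbs` tag from a peer outside 10.0.0.0/8 falls back to the "default" rule, because a rule listing both users and networks applies only when both match; and at hour 12 the night-only rule is skipped even though user and network match. Clearing the tags before the next request on the same connection drops the selection back to the IP-only rule, which is the property that keeps proxied keep-alive connections from carrying one user's throttle over to another.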