Nginx 1.6.2 limit_req_zone: is there a key that identifies unique users

nginx

I am currently managing a website where users are sometimes really hasty about new content, and refresh the page intensely, leading to a high server load and eventually a crash.

I optimized the website as much as I reasonably could, adding server side caching, UX modification, raising server capacity etc… but it is still not enough.

I then discovered ngx_http_limit_req_module, which is doing the work pretty well. There is one problem though: users are highly likely to browse the website from one particular place, which means the same IP address. And in that case, even with a civilized browsing behavior, the limit rate will be triggered.

If possible, I would like to identify each user specifically so the request rate is only triggered when a single user refreshes the page too much, but not when a lot of users using the same IP browse the site normally.

The syntax of the limit_req_zone directive is as follows:

limit_req_zone key zone=name:size rate=rate;

I am currently using something like this:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

The module documentation also adds this information:

The key can contain text, variables, and their combination. Requests
with an empty key value are not accounted.

And

Prior to version 1.7.6, a key could contain exactly one variable.

I have little to no experience with Nginx but it seems there could be some solution.

Hence my question: is there a variable that could possibly identify unique users, even if they share the same IP address?

Thank you very much for your help!

Best Answer

I finally found ngx_http_userid_module which allows Nginx to identify a user with a cookie.

After configuring this module, I just needed to change the limit_req_zone directive like this:

limit_req_zone $uid_got zone=one:10m rate=1r/s;

Note: If this module is not already present with your Nginx installation, you will need to recompile it with the proper parameters. This can be difficult if you're not familiar with this process.
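
The configuration the answer describes, written out as an added example (not the answer author's own config). It also shows a second, looser per-address zone, because `$uid_got` is empty for any request that does not carry the cookie and, as the quoted documentation says, requests with an empty key are not accounted. The cookie settings, the `perip` zone, its rate and both burst sizes are assumptions to adjust for your site.

```nginx
# Added example: fragment for the http context.
# Cookie settings, the "perip" zone, its rate and the burst sizes are assumed values.
http {
    # ngx_http_userid_module: issue an identifying cookie to each client.
    userid         on;
    userid_name    uid;
    userid_path    /;
    userid_expires 365d;

    # Per-user zone from the answer, keyed on the cookie the client sent.
    # $uid_got is empty on a first visit or when the client does not
    # return the cookie, so those requests are not counted in this zone.
    limit_req_zone $uid_got            zone=one:10m   rate=1r/s;

    # Per-address backstop with a looser rate, so requests that arrive
    # without the cookie are still bounded. Each key is a single variable,
    # which is all that versions before 1.7.6 accept.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=20r/s;

    server {
        listen 80;

        location / {
            # Both limits apply to every request in this location.
            limit_req zone=one   burst=5;
            limit_req zone=perip burst=40;
            # ... existing root / proxy_pass configuration goes here ...
        }
    }
}
```

Size the per-address rate for the largest group you expect behind one IP, and validate the file with `nginx -t` before reloading.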