You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by "rukolahasser (via GitHub)" <gi...@apache.org> on 2023/04/18 09:38:49 UTC
[GitHub] [apisix] rukolahasser opened a new issue, #9328: help request: How do I use forward-auth and limit-count plugins together?
rukolahasser opened a new issue, #9328:
URL: https://github.com/apache/apisix/issues/9328
### Description
Hello,
I'd like to use `forward-auth` and `limit-count` plugins together, I wonder if there is an example of doing that.
So If I authenticate requests in an external service, what should I return to let `limit-count` know the `consumer` associated with the request?
### Environment
- APISIX version (run `apisix version`):
- Operating system (run `uname -a`):
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1654925865
> But how does APISIX know about consumers? There is no consumers in the request headers
I am sorry, I meant to say:
That should still work as the forward auth plugin does not modify the ip address -OR- the $remote_addr nginx variable remains unchanged.
P.S: limit-count does the rate-limiting based on $remote_add ngx variable which is the default value for the `key`. From the documentation, `limit-count` key means:
> User specified key to base the request limiting on. If the key_type attribute is set to constant, the key will be treated as a constant value. If the key_type attribute is set to var, the key will be treated as a name of variable, like remote_addr or consumer_name. If the key_type is set to var_combination, the key will be a combination of variables, like $remote_addr $consumer_name. If the value of the key is empty, remote_addr will be set as the default key.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] rukolahasser commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "rukolahasser (via GitHub)" <gi...@apache.org>.
rukolahasser commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1522639835
> Hi @rukolahasser , Although I don't quite understand you needs, but if you want `limit-count` get executed before `forward-auth`, this document may useful: https://apisix.apache.org/docs/apisix/terminology/plugin/#custom-plugin-priority
If I use `forward-auth` to validate api keys, how do i use `limit-count` to limit api calls per user?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] rukolahasser commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "rukolahasser (via GitHub)" <gi...@apache.org>.
rukolahasser commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1514478068
> whoops, my bad. I was in the notion that `limit-count` gets executed before `forward-auth`.
do you happen to know how to use them together?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1528942141
That should still work as the forward auth plugin does not modify the consumer.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1654965551
@rukolahasser, if you want to do rate-limiting based on the username. You can add the username to the request as a header and then do rate limiting based on that header value (by setting the rate-limiting key to the given header value) like so:
Then, you can set the `key` for rate limiting based on that variable like so:
```bash
curl -i http://127.0.0.1:9180/apisix/admin/routes/1 \
-H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/index.html",
"plugins": {
"limit-count": {
"count": 52,
"time_window": 60,
"key": "http_nameofthevarthatsetstheusername" <--- accessing the client request header
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
}
}'
```
Accessing custom client request header in nginx using an nginx var: https://nginx.org/en/docs/http/ngx_http_core_module.html#var_http_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] rukolahasser commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "rukolahasser (via GitHub)" <gi...@apache.org>.
rukolahasser commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1529955555
> That should still work as the forward auth plugin does not modify the consumer.
But how does APISIX know about consumers? There is no consumers in the request headers
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1527322912
@rukolahasser, The limit-count plugin will work as expected with the forward-auth plugin; it will limit the API calls per users appropriately instead of limiting requests from the authentication server.
> So if a request goes through `forward-auth` and reaches `limit-count`
You are right, the request goes through the `forward-auth` plugin but `forward-auth` does not change it's IP address. So in `limit-count's` POV, the request directly comes from the user. Hope I made sense.
I can confidently say this as I used the `real-ip` plugin to change the client's IP address. And I added a line of log to check the IP address when the request reaches `limit-count`. The client IP was unchanged.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1512918998
Did you try it to see if it matches your expectation?
> what should I return to let limit-count know the consumer associated with the request?
1. I do not understand clearly. When using the`forward-auth` plugin, you do not have control over what it returns; the response is dependent on the type of request you send and the authentication server.
2. `limit-count` plugin gets executed before the `forward-auth` plugin as it has a higher priority. So you don't need to do anything to let `limit-count` know the correct consumer.
https://github.com/apache/apisix/blob/abcb49e019e7bbd5ceb7cba2c71ef4c4119bdc45/conf/config-default.yaml#L454
https://github.com/apache/apisix/blob/abcb49e019e7bbd5ceb7cba2c71ef4c4119bdc45/conf/config-default.yaml#L443
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] help request: How do I use forward-auth and limit-count plugins together? [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] closed issue #9328: help request: How do I use forward-auth and limit-count plugins together?
URL: https://github.com/apache/apisix/issues/9328
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] rukolahasser commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "rukolahasser (via GitHub)" <gi...@apache.org>.
rukolahasser commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1512934696
> Did you try it to see if it matches your expectation?
>
> > what should I return to let limit-count know the consumer associated with the request?
>
> 1. I do not understand clearly. When using the`forward-auth` plugin, you do not have control over what it returns; the response is dependent on the type of request you send and the authentication server.
> 2. `limit-count` plugin gets executed before the `forward-auth` plugin as it has a higher priority. So you don't need to do anything to let `limit-count` know the correct consumer.
>
> https://github.com/apache/apisix/blob/abcb49e019e7bbd5ceb7cba2c71ef4c4119bdc45/conf/config-default.yaml#L454
>
> https://github.com/apache/apisix/blob/abcb49e019e7bbd5ceb7cba2c71ef4c4119bdc45/conf/config-default.yaml#L443
Based on the `config-default.yaml`, `forward-auth` should have a higher priority, so it is executed before `limit-count`.
So if a request goes through `forward-auth` and reaches `limit-count`, how does `limit-count` know what consumer this request belongs to?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] rukolahasser commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "rukolahasser (via GitHub)" <gi...@apache.org>.
rukolahasser commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1528825976
> @rukolahasser, The limit-count plugin will work as expected with the forward-auth plugin; it will limit the API calls per users appropriately instead of limiting requests from the authentication server.
>
> > So if a request goes through `forward-auth` and reaches `limit-count`
>
> You are right, the request goes through the `forward-auth` plugin but `forward-auth` does not change it's IP address. So in `limit-count's` POV, the request directly comes from the user. Hope I made sense.
>
> I can confidently say this as I used the `real-ip` plugin to change the client's IP address. And I added a line of log to check the IP address when the request reaches `limit-count`. The client IP was unchanged.
Thanks for your reply. What if i wanna limit users by user names instead of IPs?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] circlelychen commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "circlelychen (via GitHub)" <gi...@apache.org>.
circlelychen commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1646888395
> But how does APISIX know about consumers? There is no consumers in the request headers
It performs the prometheus metrics without consumer information as well. Is there any advises?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] help request: How do I use forward-auth and limit-count plugins together? [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1742734265
Due to lack of the reporter's response this issue has been labeled with "no response". It will be close in 3 days if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] jiangfucheng commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "jiangfucheng (via GitHub)" <gi...@apache.org>.
jiangfucheng commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1518934310
Hi @rukolahasser , Although I don't quite understand you needs, but if you want `limit-count` get executed before `forward-auth`, this document may useful: https://apisix.apache.org/docs/apisix/terminology/plugin/#custom-plugin-priority
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1512947562
whoops, my bad. I was in the notion that `limit-count` gets executed before `forward-auth`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1655048127
@rukolahasser, by the way are you talking about consumer username or the application username (for example github username)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] shreemaan-abhishek commented on issue #9328: help request: How do I use forward-auth and limit-count plugins together?
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1654926880
> It performs the prometheus metrics without consumer information as well. Is there any advices?
I am sorry I didn't understand your question.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
Re: [I] help request: How do I use forward-auth and limit-count plugins together? [apisix]
Posted by "github-actions[bot] (via GitHub)" <gi...@apache.org>.
github-actions[bot] commented on issue #9328:
URL: https://github.com/apache/apisix/issues/9328#issuecomment-1750325727
This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org