vmod throttle xmlrpc protection does not work as expected

georgi.int at gmail.com georgi.int at gmail.com
Fri Apr 15 11:24:48 CEST 2016

btw the following configuration with ip and client.ip instead does not 
work too:

if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
if(throttle.is_allowed("ip:" + client.ip, "10req/s") > 0s) {
error 429 "Calm down";

On 04/15/2016 10:33 AM, georgi.int at gmail.com wrote:
> I am using the following implementation to limit the attack to 
> wp-login.php and xmlrpc.php, but when I test with apache benchmark (or 
> there is an attack) from 1000 concurrent requests with the following 
> configuration only 5 requests are failed from 1000 :
> if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
>    if(throttle.is_allowed("host:" + req.http.host, "10req/s") > 0s) {
>    error 429 "Calm down";
>    shield.conn_reset();
> }
> }
> Is this a normal behavior and why so little number of requests is 
> blocked? Is there an info that describe how these requests are handled 
> and solution of this problem? If I set the throttle to 1 requests it 
> works but this is super stupid and I can't understand why on 10 
> requests/s limit the throttle does nothing. If I can't solve this 
> issue I should change the varnish with something other so I will be 
> really thankfull if you help with this.

More information about the varnish-misc mailing list