Thanks Zexuan and Ming for your response. I learnt from your response that delay is better configured to average request time.
I was trying to understand whether it makes sense to add uri into the key list. Since when we want to limit the concurrency of an endpoint, we don't want to restrict route configuration to never use wildcards. For example, if you configure limit-conn in a route on /foo/*, we don't want /foo/bar1 and /foo/bar2 to share the same limit-conn. It's better to separate their limit count by both route id and request uri. On Fri, Sep 10, 2021 at 10:50 AM Ming Wen <wenm...@apache.org> wrote: > > Hi, Li, > Both of these are great questions, let me try to answer the first one. > > > What is the security concern when customizing the key? > > For example, I want to use uri as the key to prevent an expensive > > endpoint from being exhausted. Is there any security concern to use > > uri as the key? Is it possible to have many requests with different > > uri to exhaust my memory? > > First of all, it is clear that there will be no memory leaks and no data > security issues such as data leaks. > The reason why the key is restricted here is to *prevent user* *abuse*. > In fact, the `key` here can be any nginx variable. But being too flexible > will bring side effects: > if a user specifies a non-existent nginx variable, it cannot be detected > during API setting and schema verification, and can only be discovered at > runtime, which is a hidden danger of development. > > Thanks, > Ming Wen, Apache APISIX PMC Chair > Twitter: _WenMing > > > Li Yang <yan...@apache.org> 于2021年9月9日周四 下午5:48写道: > > > Hey mates, > > > > Apache APISIX has an official plugin limit-conn, and from the document > > there is one line stated: "Key can be customized by the user, only > > need to modify a line of code of the plug-in to complete. It is a > > security consideration that is not open in the plugin." > > > > What is the security concern when customizing the key? > > For example, I want to use uri as the key to prevent an expensive > > endpoint from being exhausted. Is there any security concern to use > > uri as the key? Is it possible to have many requests with different > > uri to exhaust my memory? > > > > Another question is about the delay, from the code, delay is > > implemented with a sleep > > > > https://github.com/apache/apisix/blob/master/apisix/plugins/limit-conn/init.lua#L78 > > , > > will that cause a connection being occupied during the delay? So if we > > configure a delay too big, eg. 30 seconds, will it cause many > > connections to be occupied? Will it cause stability problems? > >
