limit new req/sec on squid to X per sec


limit new req/sec on squid to X per sec

--Ahmad--
Hello Folks ,


I'm looking to limit TCP req/sec on Squid to X speed.


Say I have an instance running.


I want to limit it to 100 req/sec for "new connections", not just for concurrent connections.

So if a connection is old or "established", it's out of the game.
If the connection is new, all new ones should be limited to 100 req/sec.

I searched everything about max_conn, but it seems to count "concurrent sessions", old + new.

Is there a way in Squid to limit only new sessions?


Thanks

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: limit new req/sec on squid to X per sec

Amos Jeffries
Administrator
On 27/11/19 6:31 pm, --Ahmad-- wrote:
> Hello Folks ,
>
>
> I'm looking to limit TCP req/sec on Squid to X speed.
>

TCP does not make requests.

>
> say i have an instance running .
>
>
> I want to limit it to 100 req/sec for "new connections", not just for concurrent connections.
>

req/sec is an HTTP term to Squid. It has nothing to do with "connections".

The part where you say "not just for concurrent connections" implies
that is something Squid does; it does not match up with any existing Squid
behaviour or features. Squid does not limit req/sec for anything.

Squid can limit *bytes* per second. Or limit total connections a given
client has open concurrently.


> So if a connection is old or "established", it's out of the game.

In HTTP terms there is no such thing as a connection.

In TCP terms a connection is established as soon as it exists. If you
mean the TCP handshake process, that is a thing for firewall rules to
control. Squid cannot prevent SYN packets being sent to it.


If you mean something else, then please define this concept you have of
"new connection".


> If the connection is new, all new ones should be limited to 100 req/sec.
>
> I searched everything about max_conn, but it seems to count "concurrent sessions", old + new.
>
> Is there a way in Squid to limit only new sessions?
>

Sessions are a very different thing to connections.

max_conn as its name should indicate sets the maximum connection count a
client can open *concurrently*.


Why exactly do you want this?

What problem will it solve?


Amos
Re: limit new req/sec on squid to X per sec

--Ahmad--
Hello Amos, thank you for your response.

We have an HTTP app behind Squid that will crash if the number of req/sec exceeds X.
It won't crash because of already established sessions; it only cares about new req/sec hitting Squid.

I think it's doable with iptables, but I was really hoping we could do it at the Squid level.

So you can imagine HTTP req/sec or TCP req/sec as the same here, as Squid is being used only for the HTTP protocol.


Let me know your thoughts.


Thanks


Re: limit new req/sec on squid to X per sec

Amos Jeffries
Administrator
On 28/11/19 1:03 am, --Ahmad-- wrote:
> Hello Amos , Thank you for your response .
>
> We have an HTTP app behind Squid that will crash if the number of req/sec exceeds X.
> It won't crash because of already established sessions; it only cares about new req/sec hitting Squid.
>

That does not make sense. Any server (aka the app *behind* Squid) does not
see all requests *arriving* at Squid, only the ones Squid sends to it.


> I think it's doable with iptables, but I was really hoping we could do it at the Squid level.
>

iptables would be right if you actually mean new TCP connections per second.

If you actually mean HTTP requests per second, then you would need
Squid. But since this is completely counter to the goals of a proxy
(*increasing* req/sec) you will need an external_acl_type helper to
delay requests.

In current Squid we have a helper called ext_delayer_acl which delays
each request by a fixed amount of time. You may be able to use that as
the basis of one that does what you need.


>
> So you can imagine HTTP req/sec or TCP req/sec as the same here, as Squid is
> being used only for the HTTP protocol.


Er, that does not make sense. The HTTP protocol has an infinite number of
requests per single TCP connection. There is no equivalence.



Amos
Re: limit new req/sec on squid to X per sec

--Ahmad--
Hi Amos, thank you for your reply,



Well, you're correct regarding TCP/HTTP.

But my main concern here is that it's just a POST/GET with a single reply from our API server.

It's just one TCP connection, one HTTP connection.


But yes, I will work on other solutions since Squid is not the right place for that.

Thanks a lot!


Re: limit new req/sec on squid to X per sec

Alex Rousskov
In reply to this post by --Ahmad--
On 11/27/19 12:31 AM, --Ahmad-- wrote:

> I'm looking to limit TCP req/sec on Squid to X speed.


There are many terminology problems on this thread, but just for the
record, you can use Squid external ACLs to limit:

1. the rate of incoming HTTP requests
2. the rate of outgoing HTTP requests
3. the acceptance rate of incoming HTTP/TCP connections
4. the establishment rate of outgoing HTTP/TCP connections

In all these cases, Squid would have to act on (i.e., block or delay) the
requests or connections exceeding the configured rate _after_ parsing
the offending request [1, 2, 3 and maybe 4] or even response [4]. This
delayed reaction may be enough for your use case of protecting a service
behind Squid, but it is a deadly limitation in many contexts (e.g., DoS
mitigation).

Until support for connection IDs is added to Squid (there is a project
for that), your external ACL would have to rely on TCP/IP addresses to
identify new HTTP/TCP connections (if needed).


Whether Squid is the right tool for the job depends on many factors. One
of the primary factors is whether you need HTTP-level information to
make some of the rate limiting decisions. Another factor is whether you
want to send a user an error response when they exceed the configured
rate. My guess is that cases 1 and 2 are best supported using Squid
while cases 3 and especially 4 may be best implemented using
TCP/IP-level tools such as iptables.


HTH,

Alex.

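Following Amos's pointer to an external_acl_type helper and Alex's case 1 (limiting the rate of incoming HTTP requests), here is an added example of such a helper, written for this edit and not code from Squid or from anyone on the thread. It assumes the squid.conf lines given in its docstring, keys the limit on the %SRC client address Squid passes on each lookup line, and uses a token bucket so short bursts up to BURST requests are tolerated before requests are denied.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: per-client token-bucket request rate limit.

Assumed squid.conf (an assumption for this example, not from the thread;
ttl=0/negative_ttl=0 are meant to stop Squid caching answers, which would
bypass the limiter; check the external_acl_type docs of your version):

  external_acl_type ratelimit ttl=0 negative_ttl=0 %SRC /usr/local/bin/squid_rate_acl.py
  acl under_limit external ratelimit
  http_access deny !under_limit
"""
import sys
import time

RATE = 100.0   # sustained requests per second allowed per client IP
BURST = 100.0  # bucket capacity: size of burst tolerated above RATE


class TokenBucketLimiter:
    """One token bucket per key (the client IP Squid passes as %SRC)."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = float(rate), float(burst)
        self.buckets = {}  # key -> [tokens, timestamp of last refill]

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self.buckets[key] = [tokens - 1.0, now]
            return True
        self.buckets[key] = [tokens, now]
        return False

    def handle_line(self, line, now=None):
        """Turn one lookup line (the %SRC value) into Squid's reply."""
        key = line.strip()
        if not key:
            return "BH"  # broken-helper reply for malformed input
        return "OK" if self.allow(key, now) else "ERR message=rate_limited"


def main():
    limiter = TokenBucketLimiter()
    for line in sys.stdin:  # Squid sends one lookup per line
        sys.stdout.write(limiter.handle_line(line) + "\n")
        sys.stdout.flush()  # helpers must reply unbuffered


if __name__ == "__main__":
    main()
```

The helper answers one lookup at a time; with the concurrency= option Squid prefixes each line with a channel ID that the reply must echo back, which this example does not handle.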