Varnish Cache Plus
Overview Installation Upgrading Upgrading to 6.0 Troubleshooting Changelog Changelog for 6.0.x Changes (Varnish Cache 4.1) Changes (Varnish Cache Plus 4.1) Features Backend SSL/TLS Client SSL/TLS termination MSE 3.0 MSE 2.0 Parallel ESI JSON Logging Last Byte Timeout Relocation TCP Only Probes VMODs ACL (aclplus) Accept Akamai Connector Body Access & Transformation (xbody) Cookie Plus (cookieplus) DeviceAtlas Dynamic backends (goto) Edgestash File Geolocation (geoip/mmdb) Header manipulation (header) HTTP communication (http) JSON parsing (json) Key value storage (kvstore) Least connections director (leastconn) MSE control (mse) Purge (purge/softpurge) Real-time status (vmod-rtstatus) Rewrite Session Strings (str) Synthetic backends (synthbackend) Total Encryption (crypto) Transfer rate limiting (tcp) URL Plus (urlplus) Utils Vsthrottle Tag-based invalidation (Ykey/Xkey)

Vsthrottle

Description

vmod_vsthrottle is a Varnish vmod for rate-limiting traffic on a single Varnish server. It offers a simple interface for throttling traffic on a per-key basis to a specific request rate.

Keys can be specified from any VCL string, e.g. based on client.ip, a specific cookie value, an API token, etc.

The request rate is specified as the number of requests permitted over a period. To keep things simple, this is passed as two separate parameters, ‘limit’ and ‘period’.

If an optional duration ‘block’ is specified, then access is denied altogether for that period of time after the rate limit is reached. This is a way to entirely turn away a particularly troublesome source of traffic for a while, rather than let them back in as soon as the rate slips back under the threshold.

This VMOD implements a token bucket algorithm. State associated with the token bucket for each key is stored in-memory using BSD’s red-black tree implementation.

Memory usage is around 100 bytes per key tracked.

Example VCL

vcl 4.0;
import vsthrottle;

backend default { .host = "192.0.2.11"; .port = "8080"; }

sub vcl_recv {
	# Varnish will set client.identity for you based on client IP.

	if (vsthrottle.is_denied(client.identity, 15, 10s, 30s)) {
		# Client has exceeded 15 reqs per 10s.
		# When this happens, block altogether for the next 30s.
		return (synth(429, "Too Many Requests"));
	}

	# There is a quota per API key that must be fulfilled.
	if (vsthrottle.is_denied("apikey:" + req.http.Key, 30, 60s)) {
			return (synth(429, "Too Many Requests"));
	}

	# Only allow a few POST/PUTs per client.
	if (req.method == "POST" || req.method == "PUT") {
		if (vsthrottle.is_denied("rw" + client.identity, 2, 10s)) {
			return (synth(429, "Too Many Requests"));
		}
	}
}

API

Limit rate for a given key

BOOL is_denied(STRING key, INT limit, DURATION period, DURATION block=0)

Arguments:

  • key: A unique identifier to define what is being throttled - more examples below
  • limit: How many requests in the specified period
  • period: The time period
  • block: a period to deny all access after meeting the threshold

This function (is_denied) can be used to rate limit the traffic for a specific key to a maximum of limit requests per period time. If block is > 0s, (0s by default), then always deny for key for that length of time after hitting the threshold. A token bucket is uniquely identified by the 4-tuple of its key, limit, period and block, so using the same key multiple places with different rules will create multiple token buckets.

Example

sub vcl_recv {
	if (vsthrottle.is_denied(client.identity, 15, 10s)) {
		# Client has exceeded 15 reqs per 10s
		return (synth(429, "Too Many Requests"));
	}

	# ...
}

Get number of remaining tokens for a bucket

INT remaining(STRING key, INT limit, DURATION period, DURATION block=0)

Arguments:

  • key: A unique identifier to define what is being throttled
  • limit: How many requests in the specified period
  • period: The time period
  • block: duration to block, defaults to 0s

This function returns the current number of tokens for a given token bucket. This can be used to create a response header to inform clients of their current quota.

Example

sub vcl_deliver {
	set resp.http.X-RateLimit-Remaining = vsthrottle.remaining(client.identity, 15, 10s);
}

Get time to a token is unblocked

DURATION blocked(STRING key, INT limit, DURATION period, DURATION block)

Arguments - key: A unique identifier to define what is being throttled - limit: How many requests in the specified period - period: The time period - block: duration to block

If the token bucket identified by the four parameters has been blocked by use of the block parameter in is_denied(), then this function will return the time remaining in the block. If it is not blocked, 0s is returned. This can be used to inform clients how long they will be locked out.

Example

sub vcl_deliver {
	set resp.http.Retry-After = vsthrottle.blocked(client.identity, 15, 10s, 30s);
}
Manuals
Varnish Live
Varnish Cloud
Varnish Cache Plus
Varnish High Availability
Varnish Administration Console
Varnish Custom Statistics
Varnish Broadcaster
Varnish WAF
News
Varnish Cache Plus 6.0.5r2
Varnish Administration Console 3.8.4
Varnish Cache Plus 6.0.5r1
Varnish Broadcaster 1.2.3
Varnish HTTP Workspace information leak vulnerability
News archive