From noelle at uni-wuppertal.de Tue Oct 14 08:30:42 2025
From: noelle at uni-wuppertal.de (Christian Nölle)
Date: Tue, 14 Oct 2025 10:30:42 +0200
Subject: Considerations regarding throttling
Message-ID: <29aca505-cca9-4ac8-b999-d1fa931ab4d5@uni-wuppertal.de>

Hello everyone,

I would like to hear your opinion on how you would approach this problem.

We have two Varnish servers running in a load-balancing cluster that cache TYPO3-based websites. We keep having the problem that script kiddies like to flood the server with requests and probes for vulnerable web applications.

Basically, a WAF is connected upstream of the servers, but every now and then something gets through that isn't detected. This sometimes puts stress on our backend servers, so I'm thinking about how best to deal with it. Mod vsthrottle came to mind, i.e. slowing everything down once a certain request rate is reached. But of course, I don't want to affect "real" requests. What comes to mind for you?

Best regards!

Christian

From guillaume.quintard at gmail.com Tue Oct 21 15:26:30 2025
From: guillaume.quintard at gmail.com (Guillaume Quintard)
Date: Tue, 21 Oct 2025 08:26:30 -0700
Subject: Considerations regarding throttling
In-Reply-To: <29aca505-cca9-4ac8-b999-d1fa931ab4d5@uni-wuppertal.de>
References: <29aca505-cca9-4ac8-b999-d1fa931ab4d5@uni-wuppertal.de>
Message-ID:

Hi Christian,

Sorry for the delay, somehow gmail marked your email as spam :-(

So, vmod-vsthrottle would be my first instinct, or something a bit more refined, like https://github.com/varnish/toolbox/tree/main/vcls/redis_throttle.

As for not wanting to block real requests, I think you are always going to have that classification issue, but maybe you can throttle only on the backend side to limit disturbance?

-- 
Guillaume Quintard

On Tue, Oct 14, 2025 at 1:32 AM Christian Nölle wrote:

> Hello everyone,
>
> I would like to hear your opinion on how you would approach this problem.
>
> We have two Varnish servers running in a load-balancing cluster that
> cache TYPO3-based websites. We keep having the problem that script
> kiddies like to flood the server with requests and probes for vulnerable
> web applications.
>
> Basically, a WAF is connected upstream of the servers, but every now and
> then something gets through that isn't detected. This sometimes puts
> stress on our backend servers, so I'm thinking about how best to deal
> with it. Mod vsthrottle came to mind, i.e. slowing everything down once
> a certain request rate is reached. But of course, I don't want to affect
> "real" requests. What comes to mind for you?
>
> Best regards!
>
> Christian
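
Added example, not part of either message and not code from the Varnish project: one way to apply the "throttle only on the backend side" suggestion with vmod-vsthrottle, by rate-limiting only requests that are about to cause a backend fetch (cache misses and passes) while cache hits stay unthrottled. The limits (30 requests per 10s, 60s block), the backend address and keying on `client.identity` are assumptions to adapt.

```vcl
vcl 4.1;

import vsthrottle;

# Assumed backend address for the TYPO3 origin.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

# Shared check for every request that would reach the backend.
# Assumption: client.identity (client.ip by default) identifies the real
# client. Behind a WAF or load balancer it is the proxy's address, so set
# client.identity in vcl_recv from the header your upstream provides.
sub throttle_backend_bound {
    # Deny once a client exceeds 30 backend-bound requests in 10 seconds,
    # and keep denying that key for 60 seconds afterwards.
    if (vsthrottle.is_denied(client.identity, 30, 10s, 60s)) {
        return (synth(429, "Too Many Requests"));
    }
}

# Cache miss: the object is not cached, a backend fetch would follow.
# Probes for paths that do not exist on the site end up here.
sub vcl_miss {
    call throttle_backend_bound;
}

# Pass: uncacheable request (e.g. POST, session cookies), also backend-bound.
sub vcl_pass {
    call throttle_backend_bound;
}

# Tell well-behaved clients when to retry.
sub vcl_synth {
    if (resp.status == 429) {
        set resp.http.Retry-After = "60";
    }
}
```

vsthrottle keeps its counters in the memory of each Varnish instance, so with two load-balanced nodes each one enforces the limit independently and a client spread across both can reach up to twice the configured rate.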