What does Rate Limiting by SNI key mean?

Google Cloud Armor rate limiting can specify an SNI key for identifying the clients.

Let's imagine I have a load balancer with 3 SSL certificates:

If we enable the 10 requests per 60 seconds rate-limiting with SNI as a key, what does that mean in real life?

Possible answers:

  1. The key is unique, e.g. test.com can make 10 req/60 sec and www.test.com can make another 10 req/60 sec.
  2. The key is merged, e.g. both test.com and www.test.com can make 10 req/60 sec.

If the key is merged but SSL3 is serving 1000 subdomains via the wildcard SNI, how will this work in real life, knowing that Google is truncating the SNI key to the first 128 bytes?

If the key is not merged, does that mean every subdomain from the SSL wildcard will have a unique rate limiting key?


Hello @batoo

SNI Keys for Rate limiting will only serve as Client Identifiers. Meaning that rate-based bans will only be applied to clients whose SNI matches the SNI Key specified.

For example, if an SNI Key is set to test4.com, and a client with a matching SNI initiates a connection, a rate-based ban would be applied for that client alone. SNI Keys are values that you specify which are unique. You can look at this example.

Docs:

--enforce-on-key=[IP | ALL | HTTP-HEADER | XFF-IP | HTTP-COOKIE | HTTP-PATH | SNI | REGION-CODE]
--enforce-on-key-name=[HTTP_HEADER_NAME|HTTP_COOKIE_NAME]
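As an added illustration of the reply above (example code written for this thread, not the original poster's or Google's implementation): a toy sliding-window limiter keyed on the SNI value, the key that `--enforce-on-key=SNI` selects. It models the two behaviours the question asks about: each distinct SNI value gets its own 10 req/60 sec budget, and hostnames whose first 128 bytes are identical collapse into one key. The 128-byte truncation comes from the question; the sliding-window semantics and lowercasing are simplifying assumptions, not documented Cloud Armor behaviour.

```python
from collections import deque

# The question states Cloud Armor truncates the SNI key to its first 128 bytes.
# Everything else is a simplified model of per-key rate limiting, not Cloud Armor code.
SNI_KEY_MAX_BYTES = 128


def sni_key(server_name: str) -> bytes:
    """Client key derived from the TLS SNI: the hostname, truncated to 128 bytes."""
    return server_name.lower().encode("utf-8")[:SNI_KEY_MAX_BYTES]


class SniRateLimiter:
    """Sliding-window limiter: at most `count` requests per `interval` seconds per SNI key."""

    def __init__(self, count: int = 10, interval: int = 60):
        self.count, self.interval = count, interval
        self.windows = {}  # sni key (bytes) -> deque of timestamps of counted requests

    def allow(self, server_name: str, now: float) -> bool:
        q = self.windows.setdefault(sni_key(server_name), deque())
        while q and now - q[0] >= self.interval:  # drop requests that left the window
            q.popleft()
        if len(q) >= self.count:
            return False  # over the threshold: the rule's exceed-action applies
        q.append(now)
        return True


def demo() -> dict:
    rl = SniRateLimiter(count=10, interval=60)
    # Constructed traffic: 10 requests for test.com and 5 for www.test.com within one second.
    first_ten_test = all(rl.allow("test.com", t * 0.1) for t in range(10))
    first_five_www = all(rl.allow("www.test.com", t * 0.1) for t in range(5))
    # Two hypothetical wildcard hostnames whose first 128 bytes are identical.
    long_label = "x" * 130
    key_a = sni_key(long_label + "1.test.com")
    key_b = sni_key(long_label + "2.test.com")
    return {
        "first_ten_test": first_ten_test,
        "first_five_www": first_five_www,
        "eleventh_test": rl.allow("test.com", 1.0),          # throttled: budget spent
        "sixth_www": rl.allow("www.test.com", 1.0),          # allowed: separate key
        "api_first": rl.allow("api.test.com", 1.0),          # allowed: untouched key
        "test_after_window": rl.allow("test.com", 61.0),     # allowed: window expired
        "long_names_share_key": key_a == key_b,              # truncation merges them
        "key_len": len(key_a),
    }
```

The result is that distinct SNI values are separate keys (answer 1 in the question), and only hostnames longer than 128 bytes with an identical prefix would share a counter.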
"whose SNI matches the SNI Key specified"...

How do you specify an SNI key value, can you please share a simple CLI command?