nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

limitation of the shibboleth sockets #45

Closed IvoPo closed 2 years ago

IvoPo commented 2 years ago

Hi,

In some extreme situations I'm running into socket errors, because every anonymous user uses the shib_request directive: `connect() to unix:/var/run/shibboleth/shibauthorizer.sock failed (11: Resource temporarily unavailable) while connecting to upstream` or similar.

Is there an option in this module where cookies are checked, or something else that can lessen the impact of anonymous users on the shib sockets?

Cheers Ivo

davidjb commented 2 years ago

Authentication processes are application-specific and out-of-scope for this module, so this type of question is something your app needs to handle. If there's a common performance issue you encounter that can be solved by configuring Nginx or Shibboleth in a specific way, PRs would be relevant and welcome in this module's documentation and wiki.

That said, you could configure your Nginx environment to use limit_req to limit the number of incoming requests, but it would probably be better to structure your application such that shib_request is only hit once during a user's attempt to authenticate, rather than Shibboleth being consulted for all users on every request. For example, applications will commonly provide an auth endpoint (see OJS as an example) and that's the only URL that needs to be Shib-secured (rather than a whole domain or subdirectory). Once that endpoint is hit, Shib auth occurs & auth/identification gets handled by however the app is configured (via session, cookie, token etc).

If your app requires attributes to be passed through on every request and has no other option for auth, then Nginx may be able to conditionally consult shib_request via an if directive, but it's not something Nginx openly endorses or that is actively supported by this module. Alternatively, you may be able to tweak your Shibboleth FastCGI environment to handle more requests (e.g. run multiple instances of shibauthorizer & load balance).
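An added example (not from the issue or the module's own docs) of the layout davidjb describes: only a single login endpoint is Shib-secured and rate-limited, while the rest of the app is served without touching the shibauthorizer socket. The `/login/shibboleth` path, the `shibauth` zone name, the limits and the upstream name are assumptions; the socket paths match the ones in this issue and the module README.

```nginx
# Constructed example: one Shib-secured login endpoint instead of a whole site.
http {
    # Per-client limit on the ONLY location that triggers shib_request.
    # limit_req is evaluated on the main request, not on the internal
    # auth subrequest, so it must sit on the login location below.
    limit_req_zone $binary_remote_addr zone=shibauth:10m rate=5r/s;

    upstream app { server 127.0.0.1:8080; }   # assumed application backend

    server {
        listen 443 ssl;
        server_name app.example.org;           # placeholder hostname

        # Internal authorizer: reached only via shib_request subrequests.
        location = /shibauthorizer {
            internal;
            include fastcgi_params;
            fastcgi_pass unix:/var/run/shibboleth/shibauthorizer.sock;
        }

        # SP responder (SAML ACS, metadata, session handler); not rate-limited
        # here because the IdP round-trip lands on it after the login redirect.
        location /Shibboleth.sso {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/shibboleth/shibresponder.sock;
        }

        # The single Shib-secured endpoint. Anonymous traffic elsewhere never
        # opens the authorizer socket, so the EAGAIN errors are confined here.
        location = /login/shibboleth {
            limit_req zone=shibauth burst=20 nodelay;
            shib_request /shibauthorizer;
            shib_request_use_headers on;
            # Hand the identity to the app once; the app then issues its own session.
            shib_request_set $shib_uid $upstream_http_variable_uid;
            proxy_set_header X-Shib-Uid $shib_uid;
            proxy_pass http://app;
        }

        # Everything else is served without consulting Shibboleth; the app
        # decides access from the session/cookie it created at login.
        location / {
            proxy_pass http://app;
        }
    }
}
```

The application must still validate its own session on every request; this configuration only moves the Shibboleth check off the hot path, it does not replace per-request authorization.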