Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#1133 closed defect (fixed)

ngx_http_limit_req_module . When zone storage is exhausted, all the request woud not be limited.

Reported by: antonyhong@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.10.x
Keywords: limit_req_zone Cc:
uname -a:
nginx -V: nginx version: nginx/1.10.2
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --c
onf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log
--error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-pat
h=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp
-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-pat
h=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-
8.39 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip
_module --with-http_addition_module --with-http_sub_module --with-http_dav_module
--with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --wit
h-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_modul
e --with-http_random_index_module --with-http_secure_link_module --with-http_slice
_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2j --w
ith-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream
_ssl_module --with-ipv6

Description

Hi,I want to validated 'If the zone storage is exhausted, the server will return the 503 (Service Temporarily Unavailable) error to all further requests.'
which is described in http://nginx.org/en/docs/http/ngx_http_limit_req_module.html.

By failed! And the appearance show when zone storage is exhausted, all the request woud not be limited. Which may be a bug.

In order to prove that, I set my nginx.conf like :

http{
   log_format  main  '$remote_addr - [$time_local] [$msec] $status $http_x_forwarded_for ';                      

  limit_req_zone $http_x_forwarded_for zone=limitByIP:'''50k''' rate='''1r/m''';
  ...
  server{
   ...
   limit_req zone=limitByIP ;
   ...
  }  
}

In my config the key is $http_x_forwarded_for.
The rate is one request per min.
The shared memory zone is 50k.

My testing and results :

【Test1】Ip count:9 result:all request pase.
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.720] 200 10.0.0.2
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.736] 200 10.0.0.3
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.736] 200 10.0.0.4
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.736] 200 10.0.0.5
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.736] 200 10.0.0.6
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.736] 200 10.0.0.7
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.751] 200 10.0.0.8
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.751] 200 10.0.0.9
10.18.20.74 - [18/Nov/2016:15:32:09 +0800] [1479454329.767] 200 10.0.0.10

【Test2】Ip count:9 result:due to the rate is 1r/m all the reques is limited,and return 503.
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.360] 503 10.0.0.2
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.360] 503 10.0.0.3
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.375] 503 10.0.0.4
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.391] 503 10.0.0.5
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.407] 503 10.0.0.6
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.407] 503 10.0.0.7
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.438] 503 10.0.0.8
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.438] 503 10.0.0.9
10.18.20.74 - [18/Nov/2016:15:32:10 +0800] [1479454330.453] 503 10.0.0.10

【Test3】Ip count:10 result:nomal ,I add one ip 10.0.0.11
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.197] 503 10.0.0.2
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.197] 503 10.0.0.3
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.213] 503 10.0.0.4
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.229] 503 10.0.0.5
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.229] 503 10.0.0.6
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.260] 503 10.0.0.7
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.260] 503 10.0.0.8
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.275] 503 10.0.0.9
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.291] 503 10.0.0.10
10.18.20.74 - [18/Nov/2016:15:32:14 +0800] [1479454334.291] 200 10.0.0.11

【Test4】Ip count:10 result:all the request is pass.that make me confused.
10.18.20.74 - [18/Nov/2016:15:32:15 +0800] [1479454335.991] 200 10.0.0.2
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.007] 200 10.0.0.3
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.007] 200 10.0.0.4
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.007] 200 10.0.0.5
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.007] 200 10.0.0.6
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.007] 200 10.0.0.7
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.007] 200 10.0.0.8
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.023] 200 10.0.0.9
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.023] 200 10.0.0.10
10.18.20.74 - [18/Nov/2016:15:32:16 +0800] [1479454336.023] 200 10.0.0.11

【Test5】Ip count:9 result:the previous key-states seems to be removed.
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.360] 200 10.0.0.2
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.360] 200 10.0.0.3
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.360] 200 10.0.0.4
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.360] 200 10.0.0.5
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.376] 200 10.0.0.6
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.376] 200 10.0.0.7
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.376] 200 10.0.0.8
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.376] 200 10.0.0.9
10.18.20.74 - [18/Nov/2016:15:32:39 +0800] [1479454359.407] 200 10.0.0.10

thank you for reading this report,looking forward to you reply.

sincerely!
fellowming@…

Change History (6)

comment:1 by antonyhong@…, 4 years ago

The OS is windows server 2008 R2 64bit

comment:2 by Maxim Dounin, 4 years ago

Component: nginx-moduledocumentation

The behaviour is as expected: when a memory allocation from a shared zone fails, nginx will remove the oldest state from the zone. The 503 error is returned only if this is not enough to free enough space to store the new state. This approach allows to still work (in most cases) and limit fastest clients even when the shared zone is exhausted.

In your tests IP addresses are used in order and there are no clients which are faster than others, so oldest is always removed, leading to no limits at all. While this may be a bit surprising, this is not a bug. Documentation might need some more details on how things work.

(What is the bug is that in your case each state requires 4k of memory, and only 10 states can be saved in 50k zone. It should be able to save much more states. This is a windows-specific bug to be fixed. Earlier attempts to do so can be found in the mailing list here.)

in reply to:  2 comment:3 by antonyhong@…, 4 years ago

Replying to mdounin:
Thank you for solving my doubts.The approach can be understood.
(BYW,When I do my tests on linux ,it can keep 320 states with the same config.)

comment:4 by Ruslan Ermilov <ru@…>, 3 years ago

In 2014:6e66487c5756/nginx_org:

Limit_req: document what happens on zone exhaustion (ticket #1133)

comment:5 by Ruslan Ermilov, 3 years ago

Resolution: fixed
Status: newclosed

in reply to:  2 comment:6 by Ruslan Ermilov, 3 years ago

Replying to mdounin:

(What is the bug is that in your case each state requires 4k of memory, and only 10 states can be saved in 50k zone. It should be able to save much more states. This is a windows-specific bug to be fixed. Earlier attempts to do so can be found in the mailing list here.)

This win32 specific bug has been fixed here.

Note: See TracTickets for help on using tickets.