Opened 5 years ago
Closed 5 years ago
#1834 closed defect (wontfix)
Rate limiting does not work after 3xx redirect
Reported by: | KyleN | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | nginx-module | Version: | 1.15.x |
Keywords: | rate limit | Cc: | |
uname -a: | 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux | | |
nginx -V: | nginx version: nginx/1.15.8 | | |
Description
Rate limiting is ignored completely if a 3xx redirect occurs. This creates a large problem for the limit_req module, as the module is effectively bypassed when endpoints are accessed in this fashion.
This issue is extremely easy to reproduce.
- Set up your limit_req directives:

```nginx
limit_req_zone $binary_remote_addr zone=limit_one:10m rate=10r/m;
limit_req zone=limit_one burst=20 nodelay;
limit_req_status 429;
```
- Access the limit from a server block which performs a 301 redirect, such as going from HTTP to HTTPS.
```nginx
server {
    if ($host = www.test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name test.com www.test.com;
    return 404; # managed by Certbot
}
```
- You can hit the endpoint without any consequences.
That's expected behaviour. That's because instructions of the rewrite module are executed while selecting configuration to use, and hence before any access checks or limits are applied.
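The practical consequence of the phase ordering described above is that `limit_req` cannot be enforced on a `return`-based redirect at all: `return` belongs to the rewrite module and runs in the rewrite phase, while `limit_req` runs in the later preaccess phase, so placing `limit_req` in the same `server` (or even the same `location`) as the `return` has no effect. The rate limit has to live where requests are actually served, i.e. in the HTTPS `server` block that the redirect points to. The following configuration is an added example written for this ticket, not configuration posted by the reporter or shipped by nginx or Certbot; it assumes the `limit_one` zone from the report is declared in the `http` context, and the certificate paths and upstream are placeholders.

```nginx
# Assumed to be declared once in the http {} context (as in the report):
#   limit_req_zone $binary_remote_addr zone=limit_one:10m rate=10r/m;

# Port 80: redirect only. A limit_req directive here would be dead config,
# because `return` executes in the rewrite phase, before the preaccess
# phase in which limit_req runs. Keep it redirect-only and do not rely on
# it for any throttling. The server_name match already restricts this block
# to test.com / www.test.com, so no `if ($host ...)` checks are needed.
server {
    listen 80;
    server_name test.com www.test.com;
    return 301 https://$host$request_uri;
}

# Port 443: the endpoints that actually serve content. limit_req is
# enforced here for every request, including those that arrived via the
# 301 above, so the redirect no longer bypasses the limiter.
server {
    listen 443 ssl;
    server_name test.com www.test.com;

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;     # placeholder path

    limit_req zone=limit_one burst=20 nodelay;
    limit_req_status 429;

    location / {
        # placeholder upstream; the limiter above applies before this runs
        proxy_pass http://127.0.0.1:8080;
    }
}
```

To confirm the behaviour, send more than `burst` requests in quick succession to `http://test.com/` and to `https://test.com/` with `curl -I`: the port-80 responses stay `301` regardless of volume, while the port-443 responses switch to `429` once the burst is exhausted. If the plain-HTTP redirect endpoint itself needs protection against volumetric abuse, that has to be done outside `limit_req` (for example with a connection limit or at the network layer), since no rewrite-phase `return` can be gated by a preaccess-phase module.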