Opened 4 weeks ago

Closed 3 weeks ago

#1834 closed defect (wontfix)

Rate limiting does not work after 3xx redirect

Reported by: kyl3n@… Owned by:
Priority: critical Milestone:
Component: nginx-module Version: 1.15.x
Keywords: rate limit Cc:
uname -a: 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.8

Description

Rate limiting is ignored completely if a 3xx redirect occurs. This creates a large problem for the limit_req module, as the module is effectively bypassed when endpoints are accessed in this fashion.

This issue is extremely easy to reproduce.

  1. Set up your limit_req directives:

limit_req_zone $binary_remote_addr zone=limit_one:10m rate=10r/m;
limit_req zone=limit_one burst=20 nodelay;
limit_req_status 429;

  2. Access the limit from a server block which performs a 301 redirect, such as going from HTTP to HTTPS.

server {
    if ($host = www.test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name test.com www.test.com;
    return 404; # managed by Certbot
}

  3. You can hit the endpoint without any consequences.

Change History (1)

comment:1 Changed 3 weeks ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

That's expected behaviour. That's because instructions of the rewrite module are executed while selecting configuration to use, and hence before any access checks or limits are applied.
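One way to get the redirect counted by limit_req, as an added example that is not part of the ticket: try_files runs in the precontent phase, after limit_req's preaccess phase, so moving the return 301 into a named location reached through try_files puts the limit check ahead of the redirect. It assumes the limit_one zone from the report is defined in the http context and reuses the report's placeholder host names.

```nginx
# Added example (not from the ticket): redirect HTTP to HTTPS without skipping limit_req.
# Assumes the limit_one zone from the report is defined in the http {} context.
server {
    listen 80;
    server_name test.com www.test.com;

    location / {
        # limit_req runs in the preaccess phase; a client over the limit gets 429 here
        # and never reaches the redirect below.
        limit_req zone=limit_one burst=20 nodelay;
        limit_req_status 429;

        # try_files runs in the precontent phase, after preaccess. The first argument
        # is a root-relative path that must not exist, so every request that passed
        # the limit falls through to the named location.
        try_files /nonexistent @to_https;
    }

    # Reached only via try_files, i.e. after the limit has been checked.
    location @to_https {
        return 301 https://$host$request_uri;
    }
}
```

To confirm the ordering on your own server, send more requests than burst+1 from one address to port 80 and check that the excess receives 429 rather than 301.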
