#1834 closed defect (wontfix)

Rate limiting does not work after 3xx redirect

Reported by: KyleN Owned by:
Priority: critical Milestone:
Component: nginx-module Version: 1.15.x
Keywords: rate limit Cc:
uname -a: 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.15.8

Description

Rate limiting is ignored completely if a 3xx redirect occurs. This creates a large problem for the limit_req module, as the module is effectively bypassed when endpoints are accessed in this fashion.

This issue is extremely easy to reproduce.

  1. Set up your limit_req directives:

        limit_req_zone $binary_remote_addr zone=limit_one:10m rate=10r/m;
        limit_req zone=limit_one burst=20 nodelay;
        limit_req_status 429;

  2. Access the limit from a server block which performs a 301 redirect, such as going from HTTP to HTTPS.

        server {
            if ($host = www.test.com) {
                return 301 https://$host$request_uri;
            } # managed by Certbot

            if ($host = test.com) {
                return 301 https://$host$request_uri;
            } # managed by Certbot

            listen 80;
            server_name test.com www.test.com;
            return 404; # managed by Certbot
        }

  3. You can hit the endpoint without any consequences.

Change History (1)

comment:1 by Maxim Dounin, 10 months ago

Resolution: wontfix
Status: new → closed

That's expected behaviour. That's because instructions of the rewrite module are executed while selecting configuration to use, and hence before any access checks or limits are applied.
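As an added example that is not part of the ticket, the configuration below shows where limit_req does and does not take effect around the HTTP-to-HTTPS redirect from the report, and a second variant that goes beyond the ticket by letting the redirect itself be counted against the limit. The zone name and hostnames come from the ticket; the backend address, the root path and the named location are assumptions.

```nginx
# Added example, not the ticket's configuration. Zone and hosts follow the
# ticket; backend address, root and named location are assumed.
limit_req_zone $binary_remote_addr zone=limit_one:10m rate=10r/m;
limit_req_status 429;

# Port 80: "return" belongs to the rewrite module and runs in the server
# rewrite phase, before the preaccess phase in which limit_req is checked,
# so the limit_req here is never consulted and every request gets the 301.
server {
    listen 80;
    server_name test.com www.test.com;
    limit_req zone=limit_one burst=20 nodelay;   # never reached
    return 301 https://$host$request_uri;
}

# Port 443: the request reaches the preaccess phase here, so the limit
# applies to what is actually served once the client follows the redirect.
server {
    listen 443 ssl;
    server_name test.com www.test.com;
    # ssl_certificate / ssl_certificate_key omitted

    location / {
        limit_req zone=limit_one burst=20 nodelay;
        proxy_pass http://127.0.0.1:8080;   # assumed backend
    }
}

# Variant replacing the port 80 block above, only if the redirect itself
# must be limited: try_files runs in the precontent phase, after limit_req
# has already counted the request, and its named-location fallback issues
# the 301. Clients over the limit receive the 429 before the redirect.
server {
    listen 80;
    server_name test.com www.test.com;
    root /var/empty;                        # assumed; try_files needs a root
    location / {
        limit_req zone=limit_one burst=20 nodelay;
        try_files /nonexistent @to_https;   # file never exists, falls through
    }
    location @to_https {
        return 301 https://$host$request_uri;
    }
}
```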
