id,summary,reporter,owner,description,type,status,priority,milestone,component,version,resolution,keywords,cc,uname,nginx_version 1834,Rate limiting does not work after 3xx redirect,KyleN,,"Rate limiting is ignoring completely if a 3xx redirect occurs. Creates a large problem for the limit_req module. As the module is effectively bypassed when endpoints are accessed in this fashion. This issue is extremely easy to reproduce. 1. Setup your limit_req directives: limit_req_zone $binary_remote_addr zone=limit_one:10m rate=10r/m; limit_req zone=limit_one burst=20 nodelay; limit_req_status 429; 2. Access the limit from a server block which performs a 301 redirect, such as going from HTTP to HTTPS. server { if ($host = www.test.com) { return 301 https://$host$request_uri; } # managed by Certbot if ($host = test.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; server_name test.com www.test.com; return 404; # managed by Certbot } 3. You can hit the endpoint without any consequences. ",defect,closed,critical,,nginx-module,1.15.x,wontfix,rate limit,,4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux,nginx version: nginx/1.15.8