﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1834	Rate limiting does not work after 3xx redirect	KyleN		"Rate limiting is ignored completely if a 3xx redirect occurs. This creates a large problem for the limit_req module, as the module is effectively bypassed when endpoints are accessed in this fashion.

This issue is extremely easy to reproduce.

1. Set up your limit_req directives:

      limit_req_zone $binary_remote_addr zone=limit_one:10m rate=10r/m;
      limit_req zone=limit_one burst=20 nodelay;
      limit_req_status 429;

2. Access the limit from a server block which performs a 301 redirect, such as going from HTTP to HTTPS.

server {
    if ($host = www.test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = test.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen  80;
    server_name test.com www.test.com;
    return 404; # managed by Certbot

}


3. You can hit the endpoint without any consequences.

"	defect	closed	critical		nginx-module	1.15.x	wontfix	rate limit		4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux	nginx version: nginx/1.15.8
