Opened 10 months ago

Closed 10 months ago

#2583 closed defect (invalid)

possible bug in http/modules/ngx_http_limit_req_module.c

Reported by: wubook@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.24.x
Keywords: Cc:
uname -a: Linux lb2 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.24.0
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1n 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.24.0/debian/debuild-base/nginx-1.24.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

Hi,
using the limit_req_module i've found a possible bug.
the variable $limit_req_status is not filled, i guess because the same pointer, (variable) was used to set the http return code directive "limit_req_status code; as wrote in the documentation. unfortunately i'm not a good C devel so i can't provide a working patch.
This behavior are present both in the source code compiled and also in the official deb.

Change History (2)

comment:1 by wubook@…, 10 months ago

Hello,
sorry my fault, i was testing with a dummy location:

http {
limit_req_zone $server_name zone=prevent_abusers:10m rate=1r/m;
}

server{

location /echo/ {

access_log /var/log/nginx/echo.log debug;
error_log /var/log/nginx/echo_err.log ;
limit_req_log_level info;
limit_req zone=prevent_abusers burst=1 nodelay;
#limit_req_status 429;
limit_req_dry_run on;


add_header Content-Type text/plain;
add_header "X-ep" "$limit_req_status" always;
return 200 "found $limit_req_status";
#return 200 "nofound $limit_req_status";

}

}

and in this specific configuration the limit_req doesn't work.

My fault to lack the knowlege of limit module.

thanks

comment:2 by Maxim Dounin, 10 months ago

Resolution: invalid
Status: newclosed

Indeed, the rewrite module directives, including return, are executed when nginx is looking for a configuration to process a request, and therefore limit_req is never used in the configuration in question. Closing this.

Note: See TracTickets for help on using tickets.