Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#565 closed defect (invalid)

https + spdy + proxy_pass + limit_conn = 503 limiting connections (1.6.0)

Reported by: pavel stano
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version:
Keywords: spdy proxy_pass limit_conn
Cc:
uname -a: Linux ass 3.14.4 #3 SMP Wed May 21 23:42:24 CEST 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.0
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_spdy_module --with-http_ssl_module

Description

When I use the reverse proxy feature with limit_conn over SPDY I get a problem with limit_conn: it rejects requests.
I can reproduce it with 10 allowed connections to localhost when I proxy to some web page with more objects like CSS/images.
Everything is OK when I disable SPDY or use plain HTTP.

Attachments (1)

nginx.conf (3.4 KB) - added by pavel stano 6 years ago.
example config


Change History (4)

by pavel stano, 6 years ago

Attachment: nginx.conf added

example config

comment:1 by Valentin V. Bartenev, 6 years ago

Resolution: invalid
Status: new → closed

That's what SPDY is actually about. It allows a web browser to request lots of resources in parallel.

You're probably under the impression that the ngx_http_limit_conn module limits the number of connections to the server. No, it limits the number of parallel requests. Unfortunately, the documentation currently doesn't reflect this.

comment:2 by pavel stano, 6 years ago

Okay, I understand.
But with SPDY enabled, limit_conn is unusable.
For example, on production servers we have a limit of 100 per IP (I think 100 is reasonable to not block any regular users, but just to block a simple DoS opening lots of connections).
And after a few refreshes from one IP we get blocked on HTTPS with SPDY enabled.

Maybe it would be better if nginx counted SPDY TCP connections and not the multiplexed connections inside that TCP connection.

comment:3 by Valentin V. Bartenev, 6 years ago

It is a mistake to think that limit_conn limits the number of open TCP connections, even with plain HTTP. It works in location context, when a request has been received and the location is determined.

You can easily open hundreds of connections with your config, just don't send requests in them. This module is designed to limit simultaneous access to some specific resource, not open connections to the server. The latter is a job for the system firewall (like iptables).
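To make the distinction drawn in this thread concrete, here is an added example configuration written for this page. It is not the reporter's attached nginx.conf and not code from the nginx project; the upstream address 127.0.0.1:8080, the server name example.test and the certificate paths are assumptions. The commented-out block reproduces the reported setup, where limit_conn sits on a catch-all proxied location: because limit_conn counts requests that have reached the location, and one SPDY connection carries many requests in parallel, a page with more than ten sub-resources gets 503s for the extras. The active block applies the counter only to the one resource that is expensive to serve concurrently, which is what the module is designed for.

```nginx
# Added example, not the reporter's attached config. The upstream address,
# server name and certificate paths are hypothetical.

events {
    worker_connections 1024;
}

http {
    # Key the counter on the client address. $binary_remote_addr keeps each
    # entry in the 10 MB shared zone small (4 bytes for IPv4 instead of a
    # dotted string), so the zone holds more distinct clients.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # Log every rejected request at "warn" so the 503s are easy to find in
    # error.log while tuning the limit.
    limit_conn_log_level warn;
    limit_conn_status 503;   # the default; stated explicitly to document the failure mode

    upstream backend {
        server 127.0.0.1:8080;   # hypothetical origin
    }

    server {
        listen 443 ssl spdy;     # SPDY listen parameter as used in nginx 1.6.0
        server_name example.test;
        ssl_certificate     /etc/nginx/example.test.crt;   # hypothetical path
        ssl_certificate_key /etc/nginx/example.test.key;   # hypothetical path

        # The reported setup: a per-IP cap of 10 on every proxied request.
        # limit_conn counts requests, not TCP connections. A SPDY client
        # multiplexes all of a page's sub-resource requests over one TCP
        # connection and sends them in parallel, so the eleventh concurrent
        # request from the same address is answered with 503.
        #
        # location / {
        #     limit_conn perip 10;
        #     proxy_pass http://backend;
        # }

        # Instead, leave cheap requests uncounted ...
        location / {
            proxy_pass http://backend;
        }

        # ... and count only parallel access to the resource that is expensive
        # to serve concurrently (hypothetical path).
        location /reports/ {
            limit_conn perip 10;
            proxy_pass http://backend;
        }
    }
}
```

The limit of 100 per IP that comment 2 wants as DoS protection is a limit on open TCP connections, which this module cannot express: as comment 3 notes, an idle connection that has sent no request is never counted. That limit belongs in the host firewall, for example an iptables rule using the connlimit match on port 443, in front of nginx rather than inside it.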
