https + spdy + proxy_pass + limit_conn = 503 limiting connections (1.6.0)

[pavel stano]

When i use reverse proxy feature with limit_conn over spdy i get problem with limit_conn, it reject requests.
I can reproduce it with 10 allowed connections to localhost when i proxy to some webpage with more objects like css/images.
Everything is ok when i disable spdy or use plain http.

[pavel stano]

example config

[Valentin V. Bartenev]

That's what actually is the SPDY about. It allows to a web browser to request lots of resources in parallel.

You're probably under the impression that the ngx_http_limit_conn module limits number of connections to the server. No, it limits number of parallel requests. Unfortunately, the documentation currently doesn't reflect this.

[pavel stano]

Okey, i understand.
But with spdy enabled is limit_conn unusable.
For example we have on production servers limit 100 per ip (i think 100 is reasonable to not block any regular users, but just block simple DoS opening lots of connections).
And after some refresh from one ip we get blocked on https with spdy enabled.

Maybe if nginx count spdy tcp connections and not multiplexed connections in that tcp would be better.

[Valentin V. Bartenev]

It is a mistake to think that limit_conn limits number of open TCP connections even with http. It works in location context, when a request has been received and the location is determined.

You can easily open hundreds of connections with your config, just don't send requests in them. This module is designed to limit simultaneous access to some specific resource, not open connections to the server. The latter is a job for system firewall (like iptables).