Opened 10 years ago

Closed 10 years ago

#76 closed defect (fixed)

HttpLimitReq not working

Reported by: sam Owned by: somebody
Priority: minor Milestone:
Component: nginx-module Version: 1.1.x
Keywords: HttpLimitReqModule Cc:
uname -a: Linux hw2.dob.sk 3.0.4-gentoo #2 SMP Fri Sep 16 15:02:59 CEST 2011 x86_64 Intel(R) Core(TM)2 Quad CPU Q9450 @ 2.66GHz GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.1.12
TLS SNI support enabled
configure arguments: --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-cc-opt=-I/usr/include --with-ld-opt=-L/usr/lib --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/var/tmp/nginx/client --http-proxy-temp-path=/var/tmp/nginx/proxy --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi --http-scgi-temp-path=/var/tmp/nginx/scgi --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi --with-ipv6 --with-pcre --with-pcre-jit --without-http_referer_module --without-http_split_clients_module --with-http_addition_module --with-http_dav_module --with-http_degradation_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_sub_module --with-http_xslt_module --with-http_realip_module --add-module=/var/tmp/portage/www-servers/nginx-1.1.12-r1/work/agentzh-headers-more-nginx-module-137855d --add-module=/var/tmp/portage/www-servers/nginx-1.1.12-r1/work/ngx_slowfs_cache-1.6 --with-http_ssl_module --with-mail --with-mail_ssl_module

Description

After upgrading from nginx 1.1.8 to 1.1.12, limit req module started to reject requests that has been previously accepted. Firstly I discovered this problem on wordpress admin page that makes really many sub-request, but other pages making only few requests seem to be affected.

config:
limit_req_zone $binary_remote_addr zone=lim1:10m rate=2r/s;
limit_req zone=lim1 burst=10;

error_log:
2012/01/02 22:15:29 [error] 16072#0: *7 limiting requests, excess: 0.571 by zone "lim1", client: 85.237.224.37, server: xxx, request: "GET /wp-content/plugins/akismet/akismet.js?ver=3.3 HTTP/1.1"
2012/01/02 22:15:30 [error] 16072#0: *8 limiting requests, excess: 0.994 by zone "lim1", client: 85.237.224.37, server: xxx, request: "GET /wp-includes/images/rss.png HTTP/1.1"
2012/01/02 22:15:30 [error] 16074#0: *5 limiting requests, excess: 0.993 by zone "lim1", client: 85.237.224.37, server: xxx, request: "GET /wp-content/plugins/wordpress-seo/images/yoast-logo-rss.png HTTP/1.1"
2012/01/02 22:15:30 [error] 16072#0: *9 limiting requests, excess: 0.994 by zone "lim1", client: 85.237.224.37, server: xxx, request: "GET /wp-includes/images/wpmini-blue.png HTTP/1.1"
2012/01/02 22:15:30 [error] 16074#0: *6 limiting requests, excess: 0.993 by zone "lim1", client: 85.237.224.37, server: xxx, request: "GET /wp-content/plugins/wordpress-seo/images/email_sub.png HTTP/1.1"

Other configurations with higher limits give same results.
Workarounded by disabling all limits...

Change History (3)

comment:1 by Maxim Dounin, 10 years ago

Status: newaccepted

Thank you for report, the limit_req_log_level inheritance fix in 1.1.12 broke burst/nodelay parameter inheritance. The following patch should fix it:

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1325547539 -14400
# Node ID af2eb6bbc5c0b58826be3c2730af1549d27880da
# Parent  e1296af53cc049396fb9b8771cba430d4dc00fe4
Fixed limit_req burst/nodelay inheritance (broken in 1.1.12).

diff --git a/src/http/modules/ngx_http_limit_req_module.c b/src/http/modules/ngx_http_limit_req_module.c
--- a/src/http/modules/ngx_http_limit_req_module.c
+++ b/src/http/modules/ngx_http_limit_req_module.c
@@ -570,6 +570,8 @@ ngx_http_limit_req_merge_conf(ngx_conf_t
 
     if (conf->shm_zone == NULL) {
         conf->shm_zone = prev->shm_zone;
+        conf->burst = prev->burst;
+        conf->nodelay = prev->nodelay;
     }
 
     ngx_conf_merge_uint_value(conf->limit_log_level, prev->limit_log_level,

Workaround would be to explicitly define limit_req in all locations which need protection.

comment:2 by Maxim Dounin, 10 years ago

In [4400/nginx]:

(The changeset message doesn't reference this ticket)

comment:3 by Maxim Dounin, 10 years ago

Resolution: fixed
Status: acceptedclosed

Fixed in 1.1.13.

Note: See TracTickets for help on using tickets.