#565 closed defect (invalid)
https + spdy + proxy_pass + limit_conn = 503 limiting connections (1.6.0)
Reported by: | pavel stano | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | |
Keywords: | spdy proxy_pass limit_conn | Cc: | |
uname -a: | Linux ass 3.14.4 #3 SMP Wed May 21 23:42:24 CEST 2014 x86_64 x86_64 x86_64 GNU/Linux | | |
nginx -V: | nginx version: nginx/1.6.0 built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) TLS SNI support enabled configure arguments: --prefix=/opt/nginx --with-http_spdy_module --with-http_ssl_module | | |
Description
When I use the reverse proxy feature with limit_conn over spdy, I get a problem with limit_conn: it rejects requests.
I can reproduce it with 10 allowed connections to localhost when I proxy to some webpage with more objects like css/images.
Everything is ok when I disable spdy or use plain http.
Attachments (1)
Change History (4)
by , 10 years ago
Attachment: | nginx.conf added |
---|
comment:1 by , 10 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
That's actually what SPDY is about. It allows a web browser to request lots of resources in parallel.
You're probably under the impression that the ngx_http_limit_conn module limits the number of connections to the server. No, it limits the number of parallel requests. Unfortunately, the documentation currently doesn't reflect this.
comment:2 by , 10 years ago
Okay, I understand.
But with spdy enabled, limit_conn is unusable.
For example, on production servers we have a limit of 100 per ip (I think 100 is reasonable to not block any regular users, but just block a simple DoS opening lots of connections).
And after some refreshes from one ip we get blocked on https with spdy enabled.
Maybe it would be better if nginx counted spdy tcp connections and not the multiplexed connections in that tcp.
comment:3 by , 10 years ago
It is a mistake to think that limit_conn limits the number of open TCP connections, even with http. It works in location context, when a request has been received and the location is determined.
You can easily open hundreds of connections with your config, just don't send requests in them. This module is designed to limit simultaneous access to some specific resource, not open connections to the server. The latter is a job for the system firewall (like iptables).
example config
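
An added illustration, not part of the ticket or of nginx's code: a toy Python model of the accounting described in comments 1 and 3, where the limit applies to requests in flight per key rather than to TCP connections. The class and function names, the 6-connection HTTP/1.1 browser and the sample IP are assumptions made for the example.

```python
"""Toy model of limit_conn accounting; constructed for illustration, not nginx source."""
from collections import defaultdict


class LimitConnZone:
    """Tracks requests in flight per key, the quantity limit_conn restricts."""

    def __init__(self, limit):
        self.limit = limit
        self.in_flight = defaultdict(int)

    def enter(self, key):
        """A request was received and its location chosen: admit it or answer 503."""
        if self.in_flight[key] >= self.limit:
            return 503
        self.in_flight[key] += 1
        return 200

    def leave(self, key):
        """An admitted request finished and releases its slot."""
        self.in_flight[key] -= 1


def load_page(zone, ip, resources, parallel):
    """Fetch `resources` objects in waves of at most `parallel` simultaneous requests."""
    statuses = []
    for start in range(0, resources, parallel):
        wave = [zone.enter(ip) for _ in range(min(parallel, resources - start))]
        for status in wave:
            if status == 200:  # rejected requests never held a slot
                zone.leave(ip)
        statuses.extend(wave)
    return statuses


def open_idle_connections(zone, ip, count):
    """TCP connections that send no request never reach enter(); the zone stays empty."""
    sockets = [object() for _ in range(count)]  # stand-ins for accepted sockets
    return len(sockets), zone.in_flight[ip]


LIMIT, OBJECTS, IP = 10, 40, "203.0.113.7"  # constructed sample values
# HTTP/1.1 browser: assumed 6 connections, one request at a time on each.
http11 = load_page(LimitConnZone(LIMIT), IP, OBJECTS, parallel=6)
# SPDY browser: one TCP connection, every object requested as a parallel stream.
spdy = load_page(LimitConnZone(LIMIT), IP, OBJECTS, parallel=OBJECTS)
idle = open_idle_connections(LimitConnZone(LIMIT), IP, 500)

if __name__ == "__main__":
    print("HTTP/1.1 503s:", http11.count(503))
    print("SPDY 503s:", spdy.count(503))
    print("idle sockets / counted requests:", idle)
```

In this model the same 40-object page passes over HTTP/1.1 and is partly rejected over SPDY with the limit of 10 from the report, while 500 idle sockets are never counted at all.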