limit_req calculation bug, limiting too early

October 24, 2024 06:08AM
Hello, nginx community.

I found a bug in limit_req requests accounting.

My config:
###
...
# cloudflare real_ip config
set_real_ip_from 173.245.48.0/20;
<other same records for cloudflare for v4 and v6, updated daily>
real_ip_header CF-Connecting-IP;
...
limit_req_zone $binary_remote_addr zone=global_static:10m rate=1000r/s;
limit_req_zone $binary_remote_addr zone=www:10m rate=50r/s;
...

server {
    ...
    limit_req zone=www burst=50 nodelay;
    limit_req_status 506;
    ...

    location ~* ^/(sitemap.*\.xml)$ {
        root $root_path_back;
        try_files /sitemap/$1 =404;

        access_log /var/log/nginx/global_static_debug.access.debug;
        limit_req zone=global_static;
        limit_req_status 506;
    }

    location = /robots.txt {
        root $root_path_back;
        try_files /robots_place.txt =404;

        access_log /var/log/nginx/global_static_debug.access.debug;
        limit_req zone=global_static;
        limit_req_status 506;
    }
    ...
}
###

Log records in the error log look like:
2024/10/24 09:27:39 [error] 1609726#1609726: *25680584 limiting requests, excess: 1.000 by zone "global_static", client: <ipv4>, server: my.host.name, request: "GET /static/js/timeago.min.js?v=1729762058 HTTP/1.1", host: "my.host.name", referrer: "https://my.host.name/admin/logs"
2024/10/24 09:27:59 [error] 1609726#1609726: *25680693 limiting requests, excess: 1.000 by zone "global_static", client: <ipv6>, server: my.host.name, request: "GET /errors/my_proj/img/logo-2.png HTTP/1.1", host: "my.host.name", referrer: "https://my.host.name/admin/admin_settings"

In the first 10 minutes after applying the limits we caught a few users (both IPv4 and IPv6, if it matters) under the limit in zone "global_static", so they should have hit more than 1000 req/s, but the /var/log/nginx/global_static_debug.access.debug log contains only 30-40 records in total, and it's absolutely not a logging bug, because our hardware is too weak to handle such a load. And none of those who got under the global_static limit got under the "www" limit.

All the limit records in the error log with IPv6 have our staff addresses, and they surely don't generate any anomalous activity (checked with screen demonstration), just using the admin UI...

There are a few more locations with the "global_static" zone in another server, but they also log into the same debug access log.
There are absolutely no other uses of this zone in any server root, nor variable-constructed uses.

The limit of 1000r/s is a testing value, previously it was set to 100000, and the result was the same. We tried to reduce it to avoid any theoretical internal value limit.
Subject Author Posted

limit_req calculation bug, limiting too early

krokwen October 24, 2024 06:08AM

Re: limit_req calculation bug, limiting too early

krokwen October 24, 2024 06:21AM

Re: limit_req calculation bug, limiting too early

krokwen October 24, 2024 09:18AM
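
The post's `limit_req zone=global_static;` lines carry no `burst`, and nginx's limit_req module accounts per key at millisecond granularity, so a second request from the same address in the same millisecond is rejected with "excess: 1.000" at 1000r/s and at 100000r/s alike. The sketch below is an added example, not part of the original post and not nginx source; `simulate`, `decisions` and the arrival times are constructed for illustration.

```python
# Added example: simplified model of limit_req accounting, not nginx source.
# Assumption: state is kept per key in milliseconds and in thousandths of a
# request, which is why the error log prints "excess: 1.000".

def simulate(arrivals_ms, rate_rps, burst=0):
    """Return [(time_ms, accepted, excess)] for one client key."""
    rate = rate_rps * 1000            # thousandths of a request per second
    burst_units = burst * 1000
    excess, last, out = 0, None, []
    for now in arrivals_ms:
        if last is None:              # first request only creates the state
            new_excess = 0
        else:
            ms = max(now - last, 0)
            # drain what the rate allows for the elapsed ms, add this request
            new_excess = max(excess - rate * ms // 1000 + 1000, 0)
        accepted = new_excess <= burst_units
        if accepted:                  # rejected requests do not update state
            excess = new_excess
            if last is None or now > last:
                last = now
        out.append((now, accepted, new_excess / 1000))
    return out

# Constructed arrivals (ms): a page load fetching assets in tight pairs.
ARRIVALS = [0, 0, 3, 3, 4, 250]

def decisions(rate_rps, burst=0):
    """Accept/reject decision per arrival for the constructed sequence."""
    return [ok for _, ok, _ in simulate(ARRIVALS, rate_rps, burst)]

if __name__ == "__main__":
    for rate, burst in [(1000, 0), (100000, 0), (1000, 5)]:
        print(f"rate={rate}r/s burst={burst}")
        for t, ok, ex in simulate(ARRIVALS, rate, burst):
            print(f"  t={t:>3}ms {'pass' if ok else 'LIMITED'} excess={ex:.3f}")
```

In this model only a `burst` value changes the outcome for same-millisecond pairs; raising the rate does not.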