Hello, nginx community.
I found a bug in limit_req request accounting.
My config:
###
...
# cloudflare real_ip config
set_real_ip_from 173.245.48.0/20;
<other same records for cloudflare for v4 and v6, updated daily>
real_ip_header CF-Connecting-IP;
...
limit_req_zone $binary_remote_addr zone=global_static:10m rate=1000r/s;
limit_req_zone $binary_remote_addr zone=www:10m rate=50r/s;
...
server {
    ...
    limit_req zone=www burst=50 nodelay;
    limit_req_status 506;
    ...
    location ~* ^/(sitemap.*\.xml)$ {
        root $root_path_back;
        try_files /sitemap/$1 =404;
        access_log /var/log/nginx/global_static_debug.access.debug;
        limit_req zone=global_static;
        limit_req_status 506;
    }
    location = /robots.txt {
        root $root_path_back;
        try_files /robots_place.txt =404;
        access_log /var/log/nginx/global_static_debug.access.debug;
        limit_req zone=global_static;
        limit_req_status 506;
    }
    ...
}
###
The records in the error log look like this:
2024/10/24 09:27:39 [error] 1609726#1609726: *25680584 limiting requests, excess: 1.000 by zone "global_static", client: <ipv4>, server: my.host.name, request: "GET /static/js/timeago.min.js?v=1729762058 HTTP/1.1", host: "my.host.name", referrer: "https://my.host.name/admin/logs"
2024/10/24 09:27:59 [error] 1609726#1609726: *25680693 limiting requests, excess: 1.000 by zone "global_static", client: <ipv6>, server: my.host.name, request: "GET /errors/my_proj/img/logo-2.png HTTP/1.1", host: "my.host.name", referrer: "https://my.host.name/admin/admin_settings"
In the first 10 minutes after applying the limits we caught a few users (both IPv4 and v6, if it matters) under the limit in zone "global_static", so they should have hit more than 1000 req/s, but the /var/log/nginx/global_static_debug.access.debug log contains only 30-40 records in total, and it's absolutely not a logging bug, because our hardware is too weak to handle such load. And none of those who got under the global_static limit got under the "www" limit.
All the limit records in the error log with IPv6 have our staff's addresses, and they surely don't generate any anomalous activity (checked with screen demonstration), just using the admin UI...
There are a few more locations with the "global_static" zone in another server, but they also log into the same debug access log.
There are absolutely no other uses of this zone in any server root, nor any variable-constructed uses.
The limit of 1000r/s is a testing value; previously it was set to 100000, and the result was the same. We tried to reduce it to avoid any theoretical internal value limit.
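As an added illustration (my own Python model, not code from the post or from nginx itself): the per-key arithmetic of ngx_http_limit_req_module as I read its source, with rate and burst scaled by 1000 and millisecond timestamps. It reproduces the exact "excess: 1.000" seen in the log above for two requests from one address within the same millisecond when burst is omitted, and shows that the configured rate does not change that verdict; the client key and timestamps are constructed.

```python
# Model of nginx limit_req accounting (leaky bucket, ints scaled by 1000, ms clock).
from dataclasses import dataclass, field

@dataclass
class LimitReqZone:
    rate_rps: int            # "rate=" value in r/s
    burst: int = 0           # "burst=" value; 0 when omitted, as in the post
    state: dict = field(default_factory=dict)   # key -> (last_ms, excess)

    def check(self, key, now_ms):
        """Account one request; return (allowed, excess as nginx logs it)."""
        rate = self.rate_rps * 1000     # ctx->rate in nginx
        burst = self.burst * 1000       # limit->burst in nginx
        entry = self.state.get(key)
        if entry is None:               # first request from this key
            self.state[key] = (now_ms, 0)
            return True, "0.000"
        last_ms, prev_excess = entry
        ms = now_ms - last_ms
        if ms < -60000:                 # clock went far backwards
            ms = 1
        elif ms < 0:
            ms = 0
        excess = max(prev_excess - rate * ms // 1000 + 1000, 0)
        logged = f"{excess // 1000}.{excess % 1000:03d}"
        if excess > burst:
            return False, logged        # "limiting requests, excess: <logged>"
        self.state[key] = (now_ms, excess)   # state is updated only on accept
        return True, logged

def second_request(rate_rps, gap_ms=0, burst=0):
    """Two requests from one address gap_ms apart; returns the 2nd verdict."""
    zone = LimitReqZone(rate_rps, burst)
    client = b"\xc0\xa8\x00\x01"        # constructed $binary_remote_addr
    zone.check(client, 1000)
    return zone.check(client, 1000 + gap_ms)

def first_rejected(rate_rps, burst, n):
    """1-based index of the first rejected request among n in one ms, or None."""
    zone = LimitReqZone(rate_rps, burst)
    for i in range(1, n + 1):
        if not zone.check(b"k", 5000)[0]:
            return i
    return None

if __name__ == "__main__":
    for rps in (1000, 100000):
        print(rps, "r/s, burst 0, same ms:", second_request(rps))  # (False, '1.000')
    print("1000r/s, 1 ms apart:", second_request(1000, 1))        # (True, '0.000')
    print("50r/s burst=50, first rejected:", first_rejected(50, 50, 60))  # 52
```

The model ignores the delay nginx applies to accepted requests with excess > 0 when nodelay is absent; it only decides accept versus reject.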