limit_conn not working


limit_conn not working

Abilio Marques
limit_conn is not working for me. I set up a test in nodejs, I'm doing GET requests to http://localhost/, they are coming from different connections (different origin ports), and all the connections are still open until the very end, still, no response other than 200 is received. I double-checked with Wireshark.

What am I missing??

Minimal configuration I can reproduce it with: https://paste.ngx.cc/70
Source code for the test: https://paste.ngx.cc/6f

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: limit_conn not working

Maxim Dounin
Hello!

On Tue, Dec 19, 2017 at 06:36:00AM +0100, Abilio Marques wrote:

> limit_conn is not working for me. I set up a test in nodejs, I'm doing GET
> requests to http://localhost/, they are coming from different connections
> (different origin ports), and all the connections are still open until the
> very end, still, no response other than 200 is received. I double check
> with wireshark.
>
> What am I missing??
>
> Minimal configuration I can reproduce it with: https://paste.ngx.cc/70
> Source code for the test: https://paste.ngx.cc/6f

The limit_conn limit only limits connections with active requests.  
Moreover, it only applies after reading request headers - as nginx
needs to know requested host and URI to check limits appropriate
for particular server and location blocks.

As a result, it is almost impossible to trigger limit_conn by
requests to small static files.  To trigger limit_conn, consider
testing it with files large enough to fill up socket buffers,
and/or with proxying.

--
Maxim Dounin
http://mdounin.ru/

Re: limit_conn not working

Abilio Marques
Thanks,

I imagined it to be something like that, but this is not obvious from the documentation. Is there a way to clarify it for future readers?


Re: limit_conn not working

Maxim Dounin
Hello!

On Tue, Dec 19, 2017 at 03:29:22PM +0100, Abilio Marques wrote:

> I imagined to be something like that, but this is not obvious from the
> documentation. Is there a way to clarify it for future readers?

The documentation already says
(http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html):

: Not all connections are counted. A connection is counted only if
: it has a request processed by the server and the whole request
: header has already been read.

in an attempt to clarify things.  This is more or less identical
to what I wrote.  The difference is recommendations on how to
better trigger the limit, but I doubt such recommendations should
be in the documentation.

--
Maxim Dounin
http://mdounin.ru/

Re: limit_conn not working

Abilio Marques
For me the documentation reads in a way in which a connection with keep-alive that already received one request satisfies those two conditions:
- It has a request processed by the server. (processed is past tense, which is true after the first one was made)
- The whole request has already been read. 

While the actual behavior is: it has a request "being" processed by the server and the whole request header has already been read. Once the request is completely processed it doesn't count anymore.




RE: [IE] Re: limit_conn not working

Jason Whittington
In reply to this post by Abilio Marques

If you have a github account you can fork the nginx wiki troubleshooting and send them a pull request :)

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ Look for “Edit this page” in the rightmost column.

Jason


Re: limit_conn not working

Maxim Dounin
In reply to this post by Abilio Marques
Hello!

On Tue, Dec 19, 2017 at 06:03:46PM +0100, Abilio Marques wrote:

> For me the documentation reads in a way in which a connection with
> keep-alive that already received one request satisfies those two conditions:
> - It has a request processed by the server. (processed is past tense, which
> is true after the first one was made)
> - The whole request has already been read.
>
> While the actual behavior is: it has a request "being" processed by the
> server and the whole request header has already been read. Once the request
> is completely processed it doesn't count anymore.

Yes, thanks, this needs fixing.  I'll take care of this.

(Funny enough, the correct tense was changed to an incorrect one
during a "text review", which was supposed to fix language errors,
http://hg.nginx.org/nginx.org/rev/95c3c3bbf1ce#l20.15.)

--
Maxim Dounin
http://mdounin.ru/

Re: limit_conn not working

Maxim Dounin
Hello!

On Tue, Dec 19, 2017 at 09:17:33PM +0300, Maxim Dounin wrote:

> On Tue, Dec 19, 2017 at 06:03:46PM +0100, Abilio Marques wrote:
>
> > For me the documentation reads in a way in which a connection with
> > keep-alive that already received one request satisfies those two conditions:
> > - It has a request processed by the server. (processed is past tense, which
> > is true after the first one was made)
> > - The whole request has already been read.
> >
> > While the actual behavior is: it has a request "being" processed by the
> > server and the whole request header has already been read. Once the request
> > is completely processed it doesn't count anymore.
>
> Yes, thanks, this needs fixing.  I'll take care of this.

Should be fixed now,
http://hg.nginx.org/nginx.org/rev/4931a7ba6a32.

--
Maxim Dounin
http://mdounin.ru/
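
Added example, not part of any message in this thread and not nginx source code: a small JavaScript model of the accounting rule discussed above (a connection is counted only while a request whose header has been read is still being processed), showing why quick responses to small static files never reach the limit while slow ones do. The limit of 2, the 127.0.0.1 key and all timings are constructed values.

```javascript
// Model of the limit_conn accounting rule discussed in this thread; this is
// NOT nginx source code. A connection holds a slot only from the moment its
// request header is fully read until that request is completely processed.
// Idle keep-alive connections hold nothing. Assumes serviceMs > 0.
function simulate(limit, requests) {
  // kind 0 (finished) sorts before kind 1 (header read) at equal timestamps.
  const events = [];
  requests.forEach((r, id) => {
    events.push({ t: r.headerReadAt, kind: 1, id });
    events.push({ t: r.headerReadAt + r.serviceMs, kind: 0, id });
  });
  events.sort((a, b) => a.t - b.t || a.kind - b.kind || a.id - b.id);

  const active = new Map();  // zone key -> connections currently counted
  const holding = new Set(); // request ids that hold a slot
  const status = new Array(requests.length);
  let peakCounted = 0;
  for (const e of events) {
    const key = requests[e.id].key;
    const n = active.get(key) || 0;
    if (e.kind === 1) {
      if (n >= limit) { status[e.id] = 503; continue; } // default limit_conn_status
      active.set(key, n + 1);
      holding.add(e.id);
      status[e.id] = 200;
      peakCounted = Math.max(peakCounted, n + 1);
    } else if (holding.delete(e.id)) {
      active.set(key, n - 1); // request done: slot freed, connection may stay open
    }
  }
  return { status, peakCounted };
}

// Constructed workload: `clients` keep-alive connections from one address, one
// GET each; headers are read `gapMs` apart and each response takes `serviceMs`.
function workload(clients, gapMs, serviceMs) {
  return Array.from({ length: clients }, (_, i) => ({
    key: "127.0.0.1", headerReadAt: i * gapMs, serviceMs,
  }));
}
const rejected = (result) => result.status.filter((s) => s === 503).length;

// Small static file: done long before the next request's header is read.
const small = simulate(2, workload(20, 1, 0.2));
// Large file or proxied upstream: every request stays active for 500 ms.
const slow = simulate(2, workload(20, 1, 500));
console.log("small static:", rejected(small), "rejected, peak", small.peakCounted);
console.log("slow response:", rejected(slow), "rejected, peak", slow.peakCounted);
```

In the model, twenty open connections never push the counted total above one for the fast case, which matches the all-200 result reported at the start of the thread.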