limit_req is not working in virutal location?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

limit_req is not working in virutal location?

sonpg
Hi. Could you, please, explain why limit_req in @limitspeed location is not
working in case of redirect to @allowed virtual location and works in case I
copy @allowed virtual location contents inside @limitspeed?

================= This configuration is not limiting speed at all
========================
    location @allowed {
        root /store/;
        try_files /live$uri @localdvr;
    }

    location @limitspeed {
        limit_req zone=limit_req_rate;
        limit_rate 2500000;
        error_page 420 = @allowed;
        return 420;
    }

    location ~ ^/limit_speed_for_ts/.*\.ts {
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 418 = @limitspeed;
        error_page 419 = @allowed;
        # we allow all requests with if there is token argument without
limiting speed
        if ($arg_token = "") {
            return 418;
        }
        return 419;
    }
============================================

But if I change @limitspeed it will work:

    location @limitspeed {
        limit_req zone=limit_req_rate;
        limit_rate 2500000;
        root /store/;
        try_files /live$uri @localdvr;
    }


Why?

Thanks in advance for any hints.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278101,278101#msg-278101

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: limit_req is not working in virutal location?

Francis Daly
On Thu, Jan 11, 2018 at 03:32:07AM -0500, pva wrote:

Hi there,

I'm slightly guessing, so apologies if I mislead you and hopefully someone else
will correct this if necessary...

> Hi. Could you, please, explain why limit_req in @limitspeed location is not
> working in case of redirect to @allowed virtual location and works in case I
> copy @allowed virtual location contents inside @limitspeed?

I think that "return" happens before, and therefore effectively overrides
"limit_req".

You'll want your "limit_req" effective in a location where some real
work is done to create the response, in order for it to actually limit
the response rate.

(So either replace "return" with the content of the other location,
as you did; or add the limit_req into the other location.)

        f
--
Francis Daly        [hidden email]
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: limit_req is not working in virutal location?

sonpg
Francis, thank you for you answer.

> On Thu, Jan 11, 2018 at 03:32:07AM -0500, pva wrote:
> I'm slightly guessing, so apologies if I mislead you and hopefully
> someone else will correct this if necessary...
>
> > Hi. Could you, please, explain why limit_req in @limitspeed location
> > is not working in case of redirect to @allowed virtual location and
works
> > in case I copy @allowed virtual location contents inside @limitspeed?
>
> I think that "return" happens before, and therefore effectively
> overrides "limit_req".

This is my guess as well. But then I'm wondering if this limit will be
applied in case try_files redirects to @localdvr?

try_files /live$uri @localdvr;

--
Peter.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278101,278118#msg-278118

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: limit_req is not working in virutal location?

Maxim Dounin
Hello!

On Thu, Jan 11, 2018 at 10:47:29AM -0500, pva wrote:

> Francis, thank you for you answer.
>
> > On Thu, Jan 11, 2018 at 03:32:07AM -0500, pva wrote:
> > I'm slightly guessing, so apologies if I mislead you and hopefully
> > someone else will correct this if necessary...
> >
> > > Hi. Could you, please, explain why limit_req in @limitspeed location
> > > is not working in case of redirect to @allowed virtual location and
> works
> > > in case I copy @allowed virtual location contents inside @limitspeed?
> >
> > I think that "return" happens before, and therefore effectively
> > overrides "limit_req".
>
> This is my guess as well. But then I'm wondering if this limit will be
> applied in case try_files redirects to @localdvr?
>
> try_files /live$uri @localdvr;

That's because try_files is not a mechanism to "conditionally select
configurations"[1] like the rewrite module directives (including
"return"), but rather a way to choose which file will be used for
request processing.  As such, try_files checks happen right before
actually returning the response, after various access checks and
limits.

[1] http://nginx.org/en/docs/http/ngx_http_rewrite_module.html

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: limit_req is not working in virutal location?

sonpg
Hi, Maxim.

Maxim Dounin Wrote:
> That's because try_files is not a mechanism to "conditionally select
> configurations"[1] like the rewrite module directives (including
> "return"), but rather a way to choose which file will be used for
> request processing.  As such, try_files checks happen right before
> actually returning the response, after various access checks and
> limits.

I see, thank you. Do I understand correctly, that the following example in
documentation
https://nginx.ru/en/docs/http/ngx_http_core_module.html#try_files
is not strictly correct:

---------------------------------------------------------------------
 In the following example,

    location / {
        try_files $uri $uri/ @drupal;
    }

the try_files directive is equivalent to

    location / {
        error_page 404 = @drupal;
        log_not_found off;
    }
---------------------------------------------------------------------

These directives are not equivalent since limits are not applied in the
second case. Right?

--
Peter.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278101,278121#msg-278121

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Reply | Threaded
Open this post in threaded view
|

Re: limit_req is not working in virutal location?

Maxim Dounin
Hello!

On Thu, Jan 11, 2018 at 12:22:56PM -0500, pva wrote:

> Hi, Maxim.
>
> Maxim Dounin Wrote:
> > That's because try_files is not a mechanism to "conditionally select
> > configurations"[1] like the rewrite module directives (including
> > "return"), but rather a way to choose which file will be used for
> > request processing.  As such, try_files checks happen right before
> > actually returning the response, after various access checks and
> > limits.
>
> I see, thank you. Do I understand correctly, that the following example in
> documentation
> https://nginx.ru/en/docs/http/ngx_http_core_module.html#try_files
> is not strictly correct:
>
> ---------------------------------------------------------------------
>  In the following example,
>
>     location / {
>         try_files $uri $uri/ @drupal;
>     }
>
> the try_files directive is equivalent to
>
>     location / {
>         error_page 404 = @drupal;
>         log_not_found off;
>     }
> ---------------------------------------------------------------------
>
> These directives are not equivalent since limits are not applied in the
> second case. Right?

No, there are actually more or less equivalent.  There a minor
differences - try_files version will do an extra syscall, while
error_page version will make further error processing harder as
recursive error pages are disabled by default.  But in both cases
all access checks and limits will be applied before testing or
opening the file.

You probably misunderstood how error_page version works.  It
actually tries to return the file requested, and all limits and
access checks happen before this.  If there is no file and so
open()ing it fails, the 404 Not Found error is generated.  Then
404 is handled according to error_page, and the request is
internally redirected to the @drupal location for further
processing.  See http://nginx.org/r/error_page for details.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx