Patch proposal: allow alternatives to 503 status code in limit_req module
Maxim Dounin
mdounin at mdounin.ru
Sat Mar 2 23:14:12 UTC 2013
Hello!
On Fri, Mar 01, 2013 at 09:23:08PM -0500, Nick Marden wrote:
> Hey there,
>
> I've been doing some work using limit_req to prevent overzealous clients
> from DOS'ing my site. Specifically, I wanted to use a different HTTP status
> code such as 420 or 429 so that it would be straightforward to show a "hey
> man, chill out" page rather than my generic 503 error page.
>
> Attached is a patch that enables this option for the limit_req directive.
> It still defaults to 503, but you can set it to any 4xx or 5xx value of
> your choosing by specifying
>
> limit_req zone=foo burst=10 status_code=420;
>
> for example.
I don't think this should be per-limit settings, for the following
reasons in no particular order:
- This makes things complicated in case of multiple limits used.
Current concept is to pass a request if it satisfies all limits
configured. If at least one limit reached - request is rejected
(and nothing else happens). With such aproach limit check order
isn't significant. Introducing per-limit status code will make
check order significant.
- There is no way to easily set default code server-wide.
I think it should be separate directive to set status, something
like
limit_req_status 429;
Additionally, there should be limit_conn counterpart,
limit_conn_status 429;
> I hope I've sent this to the right place. Please let me know where else to
> send it if I'm in the wrong place.
It's the right place.
--
Maxim Dounin
http://nginx.org/en/donation.html
More information about the nginx-devel
mailing list