Patch proposal: allow alternatives to 503 status code in limit_req module

Maxim Dounin mdounin at mdounin.ru
Sat Mar 2 23:14:12 UTC 2013


Hello!

On Fri, Mar 01, 2013 at 09:23:08PM -0500, Nick Marden wrote:

> Hey there,
> 
> I've been doing some work using limit_req to prevent overzealous clients
> from DOS'ing my site. Specifically, I wanted to use a different HTTP status
> code such as 420 or 429 so that it would be straightforward to show a "hey
> man, chill out" page rather than my generic 503 error page.
> 
> Attached is a patch that enables this option for the limit_req directive.
> It still defaults to 503, but you can set it to any 4xx or 5xx value of
> your choosing by specifying
> 
> limit_req zone=foo burst=10 status_code=420;
> 
> for example.

I don't think this should be per-limit settings, for the following 
reasons in no particular order:

- This makes things complicated in case of multiple limits used.  
  Current concept is to pass a request if it satisfies all limits 
  configured.  If at least one limit reached - request is rejected 
  (and nothing else happens).  With such aproach limit check order 
  isn't significant.  Introducing per-limit status code will make 
  check order significant.

- There is no way to easily set default code server-wide.

I think it should be separate directive to set status, something 
like

    limit_req_status 429;

Additionally, there should be limit_conn counterpart,

    limit_conn_status 429;

> I hope I've sent this to the right place. Please let me know where else to
> send it if I'm in the wrong place.

It's the right place.

-- 
Maxim Dounin
http://nginx.org/en/donation.html



More information about the nginx-devel mailing list