[PATCH] Limit req, Limit conn: The "off" parameter of the 'limit_conn' and 'limit_req' directives

Pavel V. pavel2000 at ngs.ru
Mon Feb 8 04:13:48 UTC 2016

Hi, Maxim.

Thanks for reviewing my patch.

> See no reasons why limits from previous level should be merged if
> "off" is used on the current level.  It's just unneeded work, 
> which also add complexity in other places (like a need to check 
> off at runtime, and merge off values from previous levels).

> Better approach would be to don't inherit limits if "off" is set 
> on the current level.

Ok, this part will be reworked.

>> @@ -603,6 +610,13 @@
>>      value = cf->args->elts;
>> +    lccf->off = 0;
>> +
>> +    if (ngx_strcmp(value[1].data, "off") == 0 && cf->args->nelts == 2) {
>> +        lccf->off = 1;
>> +        return NGX_CONF_OK;
>> +    }
>> +
>>      shm_zone = ngx_shared_memory_add(cf, &value[1], 0,
>>                                       &ngx_http_limit_conn_module);
>>      if (shm_zone == NULL) {

> This variant of the code doesn't check "off" if additional 
> arguments are used.  Limit req's version however does (and 
> complains if number of arguments is incorrect).  Reasons for the 
> difference are not clear.

These directives has different syntax at the moment. Directive 'limit_conn'
currently allows exactly two arguments and someone can configure Nginx to use
zone 'off' by a line

   limit_conn off 42;

The 'limit_req' directive expects prefix 'zone=' and there is no way to use
keyword 'off' as a standalone argument.

So, the reason for the difference is backward compatibility with existing
configurations. Should we care about this or not?

> With this code something like "limit_conn foo" will try to access
> value[2] unconditionally, potentially resulting in segmentation 
> fault during configuration parsing.

I has not considered such variant. Thank you for catching this.

> This code silently allows "limit_conn off" to be used multiple 
> times, as well as with other limit_conn directives.  This leads to 
> a situation where:

>    limit_conn off;
>    limit_conn foo 10;

> will not use "limit_conn foo 10" configured without any 
> indication, which looks incorrect and confusing.  It should either 
> complain, or use limits configured.

I used http_log_module as a guide for such behaviour. It has directive
"access_log" with similar syntax "access_log off;" and it does not complains
when other directives specified with 'access_log off'. Why this should be
handled in the other way here?

 Pavel                          mailto:pavel2000 at ngs.ru

More information about the nginx-devel mailing list