limit_zone and custom variable

[Denis Filimonov]

On Thursday 11 February 2010 14:50:59 Sergej Kurakin wrote:
> Hi,
> 
> I have a question about limit_zone and custom variable. I'm analysing
> situation with strange 503 errors messages for users that do first
> request to server with NGINX 0.6.x As I see from NGINX source error
> 503 showed in only one situation - when client reaches connection
> limits.
> 
> In NGINX configuration file in http section limit_zone with custom
> variable defined in next way:
> 
> http {
> ...
> limit_zone ten $my_remote_addr 1m;
> ...
> [servres section]
> }
> 
> and $my_remote_addr is not defined anywhere in http section.
> 
> In server section $my_remote_addr defined for any user in one way,
> except for some IP range (some proxy servers) - you can see it above:
> 
> server {
> ...
> set $my_remote_addr $binary_remote_addr;
> 
> if ($remote_addr ~ "^(XXX\.XXX\.XXX|YYY\.YYY\.YYY)\.") {
>     set $my_remote_addr $binary_remote_addr$remote_port;
> }
> 
> limit_conn ten 11;
> ...
> }
> 
> Will this configuration impact NGINX's limit functionality in non-
> predictable behaviour? I can't understand how limits work with this
> settings from source code :-( Maybe someone know answer for that
> question?
> 
> Should we change it and before setting "limit_zone ten $my_remote_addr
> 1m;" use "set $my_remote_addr $binary_remote_addr$remote_port;" for
> any IP?
> 

The way limit_conn works is as follows:
Values of the variable associated with the limit_zone ($my_remote_addr in this 
case) are mapped to the number of concurrent connections. Whenever the number 
exceeds the limit, a 503 error is issued.

Using the combination of the remote address and port ensures that the values 
are unique, thus effectively excluding IPs matching "^(XXX\.XXX\.XXX|
YYY\.YYY\.YYY)\." from the limitation.
Doing so for every IP wouldn't make sense as the same effect can be achieved 
by removing limit_conn statement altogether.

Denis.