limit_req_zone limit by location/proxy

Justin Deltener jdeltener at realtruck.com
Wed Nov 13 03:24:57 UTC 2013 

For the life of me I can't seem to get my configuration correct to limit
requests. I'm running nginx 1.5.1 and have it serving up static content and
pushing all non-existent requests to the apache2 proxy backend for serving
up. I don't want to limit any requests to static content but do want to
limit requests to the proxy. It seems no matter what I put in my
configuration I continue to see entries in the error log for ip addresses
which are not breaking the rate limit.

2013/11/12 20:55:28 [warn] 10568#0: *1640292 delaying request, excess:
0.412, by zone "proxyzone" client ABCD

I've tried using a map in the top level like so

 limit_req_zone  $limit_proxy_hits  zone=proxyzone:10m   rate=4r/s;

 map $request_filename $limit_proxy_hits
 {
        default "";
       ~/$ $binary_remote_addr; (only limit filename requests ending in
slash as we may have something.php which should not be limited)
 }

yet when i look at the logs, ip ABCD has been delayed for a url ending in
slash BUT when i look at all proxy requests for the IP, it is clearly not
going over the limit. It really seems that no matter what, the
limit_req_zone still counts static content against the limit or something
else equally as confusing.

I've also attempted

limit_req_zone  $limit_proxy_hits  zone=proxyzone:10m   rate=4r/s;

and then use $limit_proxy_hits inside the server/location

server
{
    set $limit_proxy_hits "";

    location /
    {
        set $limit_proxy_hits $binary_remote_addr;
    }
}

and while the syntax doesn't bomb, it seems to exhibit the exact same
behavior as above as well.

ASSERT:

a) When i clearly drop 40 requests from an ip, it clearly lays the smack
down on a ton of requests as it should
b) I do a kill -HUP on the primary nginx process after each test
c) I keep getting warnings on requests from ip's which are clearly not
going over the proxy limit
d) I have read the leaky-bucket algorithm and unless i'm totally missing
something a max of 4r/s should always allow traffic until we start to go
OVER 4r/s which isn't the case.

The documentation doesn't have any real deep insight into how this works
and I could really use a helping hand. Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20131112/f6641a24/attachment.html>

More information about the nginx mailing list