limit_req applied to upstream auth_request requests?

[Maxim Dounin]

Hello!

On Tue, Jul 17, 2018 at 01:08:13PM -0400, jarstewa wrote:

> Hi,  I currently have an nginx configuration that uses the limit_req
> directive to throttle upstream content requests. Now I'm trying to add
> similar rate limiting for auth requests, but I haven't been able to get the
> auth throttle to kick in during testing (whereas the content throttle works
> as expected).  Is there some known limitation of using limit_req against
> auth_request requests, or do I simply have a problem in my configuration? 

The limit_req directive doesn't try to limit requests already 
limited, as well as subrequests within these requests.  You should 
configure all limits you want to apply to a request in one place.

>     location /out/ {
>       auth_request       /auth;

[...]

>       #Throttling works here <---
>       limit_req zone=content burst=50 nodelay;
>       limit_req_status 429;
>     }
> 
>     location /auth {
>       internal;

[...]

>       limit_req zone=auth burst=50 nodelay;
>       limit_req_status 429;
>     }

Note well that this configuration implies that every request to 
"/out/..." will generate a subrequest to "/auth".  As such, you 
can safely move the "limit_req zone=auth ..." limit to "location 
/out/", as results will be (mostly) identical.

Note well that auth subrequest is expected to return either 2xx, 
or 401, or 403.  Anything else, including 429 you are trying to 
configure in the provided snippet, will be considered an error, and 
nginx will return 500 to the client.

-- 
Maxim Dounin
http://mdounin.ru/