limit_req applied to upstream auth_request requests?

jarstewa nginx-forum at
Tue Jul 17 21:23:44 UTC 2018

Maxim Dounin Wrote:
> Hello!
> ...
> Note well that this configuration implies that every request to 
> "/out/..." will generate a subrequest to "/auth".  As such, you 
> can safely move the "limit_req zone=auth ..." limit to "location 
> /out/", as results will be (mostly) identical.

The example I've posted is a simplified version of my actual configuration.
In reality I have several locations similar to /out/, each with a separate
throttle rate.

> Note well that auth subrequest is expected to return either 2xx, 
> or 401, or 403.  Anything else, including 429 you are trying to 
> configure in the provided snippet, will be considered an error, and 
> nginx will return 500 to the client.

Ok, good point.  So I should expect to receive a 500 from the client for a
request whose authentication subrequest was throttled (and thus returned
429).  But I don't actually see this happening.  The nginx log contains only
throttle events from the content throttle, and the client receives 200s
until the throttling 429s kick in.  

So, I think you seem to be suggesting that throttling /auth should not be
necessary, and may in fact be a bad idea.  But I would still like to
understand why it isn't working as I would expect.

Thanks again,

Posted at Nginx Forum:,280554,280559#msg-280559

More information about the nginx mailing list