Execution order of HttpLimitReq, proxy_pass and rewrites

Hello,

I have tried to rate limit a resource using HttpLimitReq that is passed
on to a backend Apache server. Now when I try to limit this resource,
nothing is blocked and all requests go through. When using static
resources, the limit_req works as expected. Here is my config:

location /cgi-bin/test.pl {
limit_req zone=one nodelay burst=3;
}

location /cgi-bin/ {
proxy_pass http://default_backend/cgi-bin/;
}

I think this might be related to the execution order or these modules.
Which of the commands limit_req and proxy_pass is evaluated first? How
can I limit the access to resources in a backend server?

Thank you for your help!

Best regards,
Jonas Kaufmann

Posted at Nginx Forum:

On Wed, Mar 30, 2011 at 09:28:04AM -0400, j0nes2k wrote:

Hi there,

A general rule of nginx is that one request is handled by one location
block. Only the configuration in, or inherited by, that location
matters.

(An internal redirect counts as a new request, more or less.)

when I try to limit this resource,
nothing is blocked and all requests go through.

location /cgi-bin/test.pl {
limit_req zone=one nodelay burst=3;
}

There is a limit_req in this location.

location /cgi-bin/ {
proxy_pass http://default_backend/cgi-bin/;
}

There’s no limit_req in this location.

Does that (indirectly) answer your question?

f

Francis D. [email protected]

Hello Francis,

okay, I see. So nginx seems to (randomly?) choose one of the location
blocks - in my case it was the lower one using the proxy_pass directive.

However I have several scripts running under /cgi-bin that need
different limit_req settings - there are scripts that need to have a
strong limit and others do not need a limit at all. I have tried
something like

location /cgi-bin/ {
if ($request_filename ~ test.pl) {
limit_req zone=one nodelay burst=3;
}
proxy_pass http://default_backend/cgi-bin/;
}

…but unfortunately limit_req is not allowed in this context. Is there
another option how I could get limit_req to work for me?

Thanks!

Best regards,
Jonas Kaufmann

Posted at Nginx Forum:

On Wed, Mar 30, 2011 at 09:51:16AM -0400, j0nes2k wrote:

location /cgi-bin/ {
if ($request_filename ~ test.pl) {
limit_req zone=one nodelay burst=3;
}
proxy_pass http://default_backend/cgi-bin/;
}

…but unfortunately limit_req is not allowed in this context. Is there
another option how I could get limit_req to work for me?

location /cgi-bin/ {
proxy_pass http://default_backend;
}

location = /cgi-bin/test.pl {
limit_req zone=one nodelay burst=3;
proxy_pass http://default_backend;
}

–
Igor S.
http://sysoev.ru/en/

On Wed, Mar 30, 2011 at 09:51:16AM -0400, j0nes2k wrote:

Hi there,

okay, I see. So nginx seems to (randomly?) choose one of the location
blocks - in my case it was the lower one using the proxy_pass directive.

There shouldn’t be any randomness involved.

There’s a Fine Manual at http://wiki.nginx.org/HttpCoreModule#location

However I have several scripts running under /cgi-bin that need
different limit_req settings - there are scripts that need to have a
strong limit and others do not need a limit at all.

As Igor showed, use multiple location blocks.

I have tried something like

location /cgi-bin/ {
if ($request_filename ~ test.pl) {

Note that there’s also a special warning about if() inside location{}
at If is Evil… when used in location context | NGINX – anything other than “return” or
“rewrite … last” is likely to cause confusion.

…but unfortunately limit_req is not allowed in this context. Is there
another option how I could get limit_req to work for me?

If your scripts don’t use PATH_INFO, then something like

location = /script/one {
limit_req …;
proxy_pass …;
}

and if they do, then something like

location ^~ /script/two {} or location ^~ /script/two/ {}

with the same contents.

Good luck with it,

f

Francis D. [email protected]

Hello Igor and Francis,

amazing, thank you for your help! Everything works right now!

Best regards
Jonas Kaufmann

Posted at Nginx Forum: