limithit / ngx_dynamic_limit_req_module

The ngx_dynamic_limit_req_module module is used to dynamically lock IP and release it periodically.
GNU General Public License v3.0

http 403 with nginx-quic 1.21.7 #15

Closed haohetao closed 2 years ago

haohetao commented 2 years ago

```
2022/04/28 02:44:41 [debug] 40#40: *3 recv: fd:3 0 of 1024
2022/04/28 02:44:41 [info] 40#40: *3 client 103.166.86.86 closed keepalive connection
2022/04/28 02:44:41 [debug] 40#40: *3 close http connection: 3
2022/04/28 02:44:41 [debug] 40#40: *3 event timer del: 3: 8938671
2022/04/28 02:44:41 [debug] 40#40: *3 reusable connection: 0
2022/04/28 02:44:41 [debug] 40#40: *3 free: 0000564237095130
2022/04/28 02:44:41 [debug] 40#40: *3 free: 0000564237088DB0, unused: 128
2022/04/28 02:44:41 [debug] 40#40: timer delta: 1
2022/04/28 02:44:41 [debug] 40#40: worker cycle
2022/04/28 02:44:41 [debug] 40#40: epoll timer: -1
2022/04/28 02:44:55 [debug] 38#38: epoll: fd:3 ev:0001 d:00005642370F2708
2022/04/28 02:44:55 [debug] 38#38: *2 http keepalive handler
2022/04/28 02:44:55 [debug] 38#38: *2 malloc: 0000564237095130:1024
2022/04/28 02:44:55 [debug] 38#38: *2 recv: eof:0, avail:-1
2022/04/28 02:44:55 [debug] 38#38: *2 recv: fd:3 426 of 1024
2022/04/28 02:44:55 [debug] 38#38: *2 reusable connection: 0
2022/04/28 02:44:55 [debug] 38#38: *2 posix_memalign: 0000564236FEB310:4096 @16
2022/04/28 02:44:55 [debug] 38#38: *2 event timer del: 3: 8910023
2022/04/28 02:44:55 [debug] 38#38: *2 http process request line
2022/04/28 02:44:55 [debug] 38#38: *2 http request line: "GET /index.html HTTP/1.1"
2022/04/28 02:44:55 [debug] 38#38: *2 http uri: "/index.html"
2022/04/28 02:44:55 [debug] 38#38: *2 http args: ""
2022/04/28 02:44:55 [debug] 38#38: *2 http exten: "html"
2022/04/28 02:44:55 [debug] 38#38: *2 posix_memalign: 00005642370A5C60:4096 @16
2022/04/28 02:44:55 [debug] 38#38: *2 http process request header line
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "Host: 103.166.86.86"
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "Accept-Encoding: gzip, deflate"
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "Connection: keep-alive"
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "Upgrade-Insecure-Requests: 1"
2022/04/28 02:44:55 [debug] 38#38: *2 http header: "Cache-Control: max-age=0"
2022/04/28 02:44:55 [debug] 38#38: *2 http header done
2022/04/28 02:44:55 [debug] 38#38: *2 generic phase: 0
2022/04/28 02:44:55 [debug] 38#38: *2 generic phase: 1
2022/04/28 02:44:55 [debug] 38#38: *2 rewrite phase: 2
2022/04/28 02:44:55 [debug] 38#38: *2 using configuration ""
2022/04/28 02:44:55 [debug] 38#38: *2 http cl:-1 max:52428800
2022/04/28 02:44:55 [debug] 38#38: *2 rewrite phase: 4
2022/04/28 02:44:55 [debug] 38#38: *2 post rewrite phase: 5
2022/04/28 02:44:55 [debug] 38#38: *2 generic phase: 6
2022/04/28 02:44:55 [debug] 38#38: *2 http script var: "s:
2022/04/28 02:44:55 [debug] 38#38: shmtx lock
2022/04/28 02:44:55 [debug] 38#38: slab free: 00007F22D6928080
2022/04/28 02:44:55 [debug] 38#38: slab alloc: 84 slot: 4
2022/04/28 02:44:55 [debug] 38#38: slab alloc: 00007F22D6928080
2022/04/28 02:44:55 [debug] 38#38: shmtx unlock
2022/04/28 02:44:55 [debug] 38#38: *2 limit_req[0]: -2 0.000 103.166.86.86
2022/04/28 02:44:55 [debug] 38#38: *2 http script var: "s:
2022/04/28 02:44:55 [debug] 38#38: *2 http script copy: "-"
2022/04/28 02:44:55 [debug] 38#38: *2 http script var: "/index.html"
2022/04/28 02:44:55 [debug] 38#38: shmtx lock
2022/04/28 02:44:55 [debug] 38#38: slab free: 00007F22D3728080
2022/04/28 02:44:55 [debug] 38#38: slab alloc: 96 slot: 4
2022/04/28 02:44:55 [debug] 38#38: slab alloc: 00007F22D3728080
2022/04/28 02:44:55 [debug] 38#38: shmtx unlock
2022/04/28 02:44:55 [debug] 38#38: *2 limit_req[1]: -2 0.000 103.166.86.86
2022/04/28 02:44:55 [debug] 38#38: *2 http script var: "s:
2022/04/28 02:44:55 [debug] 38#38: *2 http script copy: "-"
2022/04/28 02:44:55 [debug] 38#38: *2 http script var: "/index.html"
2022/04/28 02:44:55 [debug] 38#38: shmtx lock
2022/04/28 02:44:55 [debug] 38#38: shmtx unlock
2022/04/28 02:44:55 [debug] 38#38: *2 limit_req[2]: 0 0.000 103.166.86.86
2022/04/28 02:44:55 [error] 38#38: *2 limiting requests, excess: 0.000 by zone "three-url" lock=115.55.22.188 length=13, client: 115.55.22.188, server: _, request: "GET /index.html HTTP/1.1", host: "103.166.86.86"
2022/04/28 02:44:55 [error] 38#38: *2 limiting requests, excess: 0.000 by zone "three-url" lock=115.55.22.188 length=13, client: 115.55.22.188, server: _, request: "GET /index.html HTTP/1.1", host: "103.166.86.86"
2022/04/28 02:44:55 [error] 38#38: *2 limiting requests, excess: 0.000 by zone "three-url" lock=115.55.22.188 length=13, client: 115.55.22.188, server: _, request: "GET /index.html HTTP/1.1", host: "103.166.86.86"
2022/04/28 02:44:55 [debug] 38#38: *2 limit_lock]: by zone="three-url" ip=115.55.22.188 ip2=115.55.22.188 len=13 len2=13
2022/04/28 02:44:55 [debug] 38#38: shmtx lock
2022/04/28 02:44:55 [debug] 38#38: shmtx unlock
2022/04/28 02:44:55 [debug] 38#38: shmtx lock
2022/04/28 02:44:55 [debug] 38#38: shmtx unlock
2022/04/28 02:44:55 [debug] 38#38: *2 http finalize request: 403, "/index.html?" a:1, c:1
2022/04/28 02:44:55 [debug] 38#38: *2 http special response: 403, "/index.html?"
2022/04/28 02:44:55 [debug] 38#38: *2 http set discard body
2022/04/28 02:44:55 [debug] 38#38: *2 HTTP/1.1 403 Forbidden
```

limithit commented 2 years ago

Please post your nginx.conf configuration file here.

haohetao commented 2 years ago

```nginx
dynamic_limit_req_redis unix_socket;
dynamic_limit_req_zone $binary_remote_addr zone=one:50m rate=50r/s redis=/var/socks/redis-waf.sock block_second=60;
dynamic_limit_req_zone $binary_remote_addr-$request_uri zone=one-url:50m rate=5r/s redis=/var/socks/redis-waf.sock block_second=60;
dynamic_limit_req_zone $binary_remote_addr zone=three:50m rate=500r/m redis=/var/socks/redis-waf.sock block_second=3600;
dynamic_limit_req_zone $binary_remote_addr-$request_uri zone=three-url:50m rate=50r/m redis=/var/socks/redis-waf.sock block_second=3600;
#dynamic_limit_req zone=one burst=100 nodelay;
#dynamic_limit_req zone=one-url burst=10;
#dynamic_limit_req zone=three-url burst=60;
#dynamic_limit_req_status 403;

limit_req_zone '$binary_remote_addr-$request_uri' zone=ipurl:50m rate=3r/s;
limit_req_zone '$binary_remote_addr-$request_uri' zone=ipurlmin:50m rate=30r/m;
#limit_req_zone $binary_remote_addr zone=ipone:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=ipone2:200m;
#limit_conn ipone2 60;
#limit_req zone=ipurl burst=10;
#limit_req zone=ipurlmin burst=60;
#limit_req zone=ipone burst=60;
```

haohetao commented 2 years ago

My nginx is a build I compiled from the QUIC version.

limithit commented 2 years ago
  1. I tested and could not reproduce this problem; there is also no version 1.21.7.

  2. Also, with your three conditions written together, only one of them takes effect. You can write different condition checks in different server or location blocks.

  3. And I don't understand what this variable is supposed to mean: $binary_remote_addr-$request_uri

limithit commented 2 years ago

You can write it like this for reference; also check your build parameters.

haohetao commented 2 years ago

I do indeed have part of the configuration that I didn't post. The same configuration had no problems before; I only changed the nginx version. https://hg.nginx.org/nginx-quic/shortlog/quic

limithit commented 2 years ago

> I do indeed have part of the configuration that I didn't post. The same configuration had no problems before; I only changed the nginx version. https://hg.nginx.org/nginx-quic/shortlog/quic

I had a look: so far this version has stayed in the testing stage and has not been merged into the nginx mainline, so for now I am not considering supporting it.

haohetao commented 2 years ago

According to nginx's plan it should be merged in the next release.

limithit commented 2 years ago

> According to nginx's plan it should be merged in the next release.

I also tested quic-nginx; the module works normally and no compatibility work is needed. (If you have triggered a rate-limit block, nginx keeps it cached in memory. If you delete the record in redis and then reload, it will still block again. In that case you need to restart nginx, which clears the in-memory records.) A restart, not a reload.

haohetao commented 2 years ago

Since nginx already keeps the data in memory, is caching it in redis unnecessary then?

haohetao commented 2 years ago

I tried again and it works now. It was probably because I had only cleared redis without restarting nginx.