Current Behavior
Description
We noticed an inconsistency in how the limit-conn plugin handles consumer-level limits compared to the limit-req plugin.
When configuring the limit-conn plugin directly on a Consumer object:
- Requests made by the same consumer to Route A and Route B do not share the same concurrency counter (cross-route leakage).
- Requests made across multiple APISIX instances (replica pods) do not share the counter because different instances can end up using slightly different configuration versions internally, generating different Redis keys (cross-pod leakage).
- Under the hood, the Redis/Valkey key is constructed using
ctx.conf_version and ctx.conf_type (in apisix/plugins/limit-conn/init.lua):
key = key .. ctx.conf_type .. ctx.conf_version
We recall that for limit-req, a similar issue was fixed in PR #13019 by using parent.resource_key to share the counter across routes and instances at the consumer level.
We would like to ask the community/maintainers:
- Is this behavior intended for
limit-conn, or is it an inconsistency/oversight that should be aligned with how limit-req works to support shared counters across routes and multiple gateway instances?
Expected Behavior
No response
Error Logs
No response
Steps to Reproduce
- Define a consumer with the
limit-conn plugin activated (concurrency limit conn: 1, policy redis / redis-cluster).
- Deploy APISIX with 2 replica pods.
- Scenario A (Cross-route): Make concurrent requests to
/route-a and /route-b using the same consumer credentials.
- Scenario B (Cross-pod): Make concurrent requests targeting different pods (Pod A and Pod B) for the same consumer credentials.
- Observation: Both requests succeed simultaneously. Checking Redis shows separate keys generated because the suffix (
ctx.conf_version / ctx.conf_type) differs between the routes/pods.
Environment
- APISIX version: >= 3.16.0 (including 3.17.0)
Current Behavior
Description
We noticed an inconsistency in how the
limit-connplugin handles consumer-level limits compared to thelimit-reqplugin.When configuring the
limit-connplugin directly on a Consumer object:ctx.conf_versionandctx.conf_type(inapisix/plugins/limit-conn/init.lua):We recall that for
limit-req, a similar issue was fixed in PR #13019 by usingparent.resource_keyto share the counter across routes and instances at the consumer level.We would like to ask the community/maintainers:
limit-conn, or is it an inconsistency/oversight that should be aligned with howlimit-reqworks to support shared counters across routes and multiple gateway instances?Expected Behavior
No response
Error Logs
No response
Steps to Reproduce
limit-connplugin activated (concurrency limitconn: 1, policyredis/redis-cluster)./route-aand/route-busing the same consumer credentials.ctx.conf_version/ctx.conf_type) differs between the routes/pods.Environment