HttpLimitReqModule: Support for IPSet

Steffen Weber steffen.weber at gmail.com
Sat Jul 9 14:13:57 MSD 2011


I have a proposal for the HttpLimitReqModule: If an IP address exceeds
a certain rate then nginx automatically adds it to an ip-set (i.e.
executes "ipset add ...").

You can then configure iptables to automatically ban all IP addresses
that are in this ip-set. IMO this rate should be different from
(higher than) the one already used by the HttpLimitReqModule to delay
requests.

The advantage compared to automatically adding an ip address to such a
set with only iptables is the following: nginx can differentiate
between static and dynamic (i.e. PHP) requests. Usually I do not care
about static requests at all, but many requests to certain dynamic
scripts can cause a very high load.

IPSet has been integrated into Linux 2.9.39 and is available for older
Linux versions as a patch. You can read more about IPSet here:
http://ipset.netfilter.org/

Kind regards
Steffen Weber
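As an added example, not part of Steffen's post and not nginx code: nginx has no hook that runs "ipset add", so the script below gets the same effect from the outside. It reads the "limiting requests" lines that limit_req writes to error_log when it rejects a request, counts rejections per client address (optionally only for one zone, which is how static and dynamic locations can be told apart), and adds addresses that cross a second, higher threshold to an ipset that an iptables rule drops. The set name nginx_ban, the zone name dyn, the thresholds, the ban duration and the sample log lines are all assumptions or constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not nginx's code and not the hook proposed in the post.
# nginx has no built-in "ipset add" action, so this script reads the
# "limiting requests" lines that limit_req writes to error_log and adds
# repeat offenders to an ipset that iptables drops. Set name, zone name,
# thresholds and ban duration below are assumptions.
#
# One-time setup (as root), assumed names:
#   ipset create nginx_ban hash:ip timeout 3600
#   iptables -I INPUT -m set --match-set nginx_ban src -j DROP
#
# nginx side, assumed config, limiting only dynamic (PHP) requests:
#   http { limit_req_zone $binary_remote_addr zone=dyn:10m rate=5r/s; }
#   location ~ \.php$ { limit_req zone=dyn burst=10; }

IPSET_NAME="${IPSET_NAME:-nginx_ban}"   # assumed set name
BAN_SECONDS="${BAN_SECONDS:-3600}"      # assumed ban duration

# offenders LOGFILE THRESHOLD [ZONE]
# Prints "ip count" for each client that limit_req rejected at least
# THRESHOLD times (only in ZONE if given), sorted by address.
# This ban threshold is separate from, and higher than, the limit_req
# rate itself, which only delays or rejects individual requests.
offenders() {
  awk -v thr="$2" -v zone="$3" '
    /limiting requests/ && (zone == "" || index($0, "by zone \"" zone "\"")) {
      # error_log lines carry "client: <addr>," after the message text;
      # [^,]+ keeps both IPv4 and IPv6 addresses intact
      if (match($0, /client: [^,]+/)) {
        ip = substr($0, RSTART + 8, RLENGTH - 8)
        n[ip]++
      }
    }
    END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
  ' "$1" | sort
}

# ban_offenders LOGFILE THRESHOLD [ZONE]
# Adds each offender to the set; with DRY_RUN=1 it prints the commands.
ban_offenders() {
  offenders "$1" "$2" "$3" | while read -r ip count; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "ipset -exist add $IPSET_NAME $ip timeout $BAN_SECONDS"
    else
      ipset -exist add "$IPSET_NAME" "$ip" timeout "$BAN_SECONDS"
    fi
  done
}

# Constructed sample error_log lines (not real traffic) for a dry run.
make_sample_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
2011/07/09 14:13:57 [error] 1234#0: *56 limiting requests, excess: 5.320 by zone "dyn", client: 203.0.113.7, server: example.com, request: "GET /index.php HTTP/1.1", host: "example.com"
2011/07/09 14:13:58 [error] 1234#0: *57 limiting requests, excess: 5.010 by zone "dyn", client: 198.51.100.9, server: example.com, request: "GET /search.php?q=a HTTP/1.1", host: "example.com"
2011/07/09 14:13:58 [error] 1234#0: *58 limiting requests, excess: 6.120 by zone "dyn", client: 203.0.113.7, server: example.com, request: "GET /index.php HTTP/1.1", host: "example.com"
2011/07/09 14:13:59 [error] 1234#0: *59 limiting requests, excess: 12.500 by zone "static", client: 192.0.2.5, server: example.com, request: "GET /logo.png HTTP/1.1", host: "example.com"
2011/07/09 14:13:59 [error] 1234#0: *60 limiting requests, excess: 5.100 by zone "dyn", client: 2001:db8::1, server: example.com, request: "POST /login.php HTTP/1.1", host: "example.com"
2011/07/09 14:14:02 [error] 1234#0: *61 open() "/var/www/missing.png" failed (2: No such file or directory), client: 203.0.113.7, server: example.com, request: "GET /missing.png HTTP/1.1", host: "example.com"
2011/07/09 14:14:03 [error] 1234#0: *62 limiting requests, excess: 7.300 by zone "dyn", client: 203.0.113.7, server: example.com, request: "GET /index.php HTTP/1.1", host: "example.com"
2011/07/09 14:14:03 [error] 1234#0: *63 limiting requests, excess: 13.000 by zone "static", client: 192.0.2.5, server: example.com, request: "GET /logo.png HTTP/1.1", host: "example.com"
2011/07/09 14:14:04 [error] 1234#0: *64 limiting requests, excess: 5.400 by zone "dyn", client: 2001:db8::1, server: example.com, request: "POST /login.php HTTP/1.1", host: "example.com"
EOF
  echo "$f"
}

# Usage (cron or a loop): ./limitreq-ipset.sh /var/log/nginx/error.log 20 dyn
if [ -n "${1:-}" ]; then
  ban_offenders "$1" "${2:-20}" "${3:-}"
fi
```

Two caveats a practitioner will want: the script counts everything in the log it is given, so run it against a rotated or time-windowed slice (or tail the log) rather than the full history, and the ipset timeout keeps a ban from being permanent if a shared NAT address trips the threshold.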
