limit_req per subnet?

Francis Daly francis at daoine.org
Sat Dec 31 10:36:51 UTC 2016


On Thu, Dec 29, 2016 at 08:09:33AM -0800, Grant wrote:

Hi there,

> >> I'm looking for something that can
> >> be implemented independently of the backend, but that doesn't seem to
> >> exist in nginx.
> >
> > http://nginx.org/r/limit_req_zone
> >
> > You can define the "key" any way that you want.
> >
> > Perhaps you can create something using "geo". Perhaps you want "the first
> > three bytes of $binary_remote_addr". Perhaps you want "the remote ipv4
> > address, rounded down to a multiple of 8". Perhaps you want something
> > else.
> 
> 
> So I'm sure I understand, none of the functionality described above
> exists currently?

A variable with exactly the value that you want it to have, probably
does not exist currently in the stock nginx code.

The code that allows you to create a variable with exactly the value
that you want it to have, probably does exist in the stock nginx code.

You can use "geo", "map", "set", or (probably) any of the extension
languages to give the variable the value that you want it to have.

For example:

  map $binary_remote_addr $bin_slash16 {
    "~^(?P<a>..)..$" "$a";
  }

will probably come close to making $bin_slash16 hold a binary
representation of the first two octets of the connecting ip address.

(You'll want to confirm whether "dot" matches "any byte" in your regex
engine; or whether you can make it match "any byte" (specifically
including the byte that normally represents newline); before you trust
that fully, of course.)

If you don't like map with regex, you can use "geo" with a (long) list
of networks, to set your new variable to whatever value you want.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
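
An added check, not part of the original post or of nginx: the "dot matches any byte" caveat above, tested offline on the posted pattern. Python's `re` stands in for nginx's PCRE (an assumption; both exclude the newline byte 0x0a from "." by default), and the addresses are constructed samples. An empty key matters because a map with no default yields an empty string, and nginx does not account requests whose limit_req_zone key is empty.

```python
import ipaddress
import re

# The pattern from the post, applied to bytes. Python's re is a stand-in
# for PCRE here (assumption): "." does not match byte 0x0a by default.
POSTED = re.compile(rb"^(?P<a>..)..$")

# Same pattern with the inline dot-matches-newline option (?s).
# Confirm the option behaves the same on your nginx/PCRE build.
DOTALL = re.compile(rb"(?s)^(?P<a>..)..$")

# Constructed sample addresses: one ordinary, two containing octet 10
# (0x0a, the newline byte), and one IPv6 (16 packed bytes, not 4).
SAMPLES = ["203.0.113.7", "10.1.2.3", "198.51.100.10", "2001:db8::1"]


def slash16_key(addr, pattern):
    """Return the value the map would give for addr.

    The packed address plays the role of $binary_remote_addr. A failed
    match returns b"", like a map block that has no "default" entry.
    """
    packed = ipaddress.ip_address(addr).packed
    match = pattern.match(packed)
    return match.group("a") if match else b""


def unkeyed(addrs, pattern):
    """List the addresses that end up with an empty key."""
    return [a for a in addrs if slash16_key(a, pattern) == b""]


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("dotall", DOTALL)):
        print(name)
        for addr in SAMPLES:
            key = slash16_key(addr, pattern)
            print(f"  {addr:15} -> {key.hex() or '(empty key)'}")
        print("  empty key for:", unkeyed(SAMPLES, pattern))
```

With the posted pattern, any IPv4 address containing an octet equal to 10 gets an empty key in this model, and IPv6 clients get one under both patterns, so the map needs a "default" entry or a second pattern for them.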

