limit_req is not working with dynamically extracted user address
mdounin at mdounin.ru
Fri Mar 18 15:10:30 UTC 2016
On Fri, Mar 18, 2016 at 10:48:56AM -0400, malish8632 wrote:
> > How did you find that limit_req uses a wrong element?
> We don't know if this is limit_req - in reality we were just looking into
> logs and I guess that's what confused us. We observed those IPs and rolled
> back the changes as we assumed that all requests from CDN or DDOS Service
> were blocked.
> The only way, I guess, to verify that our current schema works is to use
> some arbitrary IP and see if our requests are blocked rather than the CDN
> service IP being blocked.
Ok, so no problem here.
> We've looked into http://nginx.org/en/docs/http/ngx_http_realip_module.html
> and not sure if it is going to work.
> As you saw one of the examples we have other services in front of us.
> There are 2 cases:
> User -> DDOS Service -> Our NGINX - X-Forwarded-For ex:
> 518.104.22.168, 322.214.171.124
> User -> CDN -> DDOS Service -> Our NGINX - X-Forwarded-For ex:
> 5126.96.36.199, 4188.8.131.52, 5184.108.40.2067, 3220.127.116.11
> Will the realip module be able to identify the real IP of the end user?
> Should we set CIDR of both DDOS Service and CDN Service as real ip tables:
> set_real_ip_from 192.168.1.0/24;
> set_real_ip_from 192.168.2.1;
> set_real_ip_from 2001:0db8::/32;
The realip module uses the last non-trusted address from the header
(assuming real_ip_recursive is set). So you have to instruct it
to trust the addresses of your DDoS mitigation service and CDN, e.g.:
set_real_ip_from <DDoS mitigation service IPs>;
set_real_ip_from <CDN IPs>;
More information about the nginx
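To make the selection rule concrete, here is an added Python model of the documented realip behaviour (it is not nginx's code and not from this thread), showing which address limit_req ends up keying on for the two chains discussed above; the trusted ranges and client addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholder ranges standing in for set_real_ip_from entries:
# one for the DDoS mitigation service, one for the CDN.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]


def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client(remote_addr: str, xff: str, recursive: bool = True) -> str:
    """Model of the documented realip selection: returns the address that
    $remote_addr (and so $binary_remote_addr in a limit_req zone) becomes."""
    # realip only rewrites when the connecting peer itself is trusted, so a
    # client that reaches nginx directly cannot pick its own address via the header.
    if not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]          # real_ip_recursive off: last entry, trusted or not
    for hop in reversed(hops):   # walk right-to-left, skipping trusted proxies
        if not is_trusted(hop):
            return hop
    return hops[0]               # every entry trusted: leftmost entry is used


def limit_req_keys(requests, recursive=True):
    """Group constructed (remote_addr, X-Forwarded-For) pairs by the key
    limit_req would see; one key shared by many users means one shared bucket."""
    keys = {}
    for remote, xff in requests:
        keys.setdefault(effective_client(remote, xff, recursive), []).append(xff)
    return keys


if __name__ == "__main__":
    # Constructed traffic: two users behind CDN -> DDoS service -> nginx.
    sample = [
        ("192.0.2.10", "203.0.113.5, 198.51.100.7"),
        ("192.0.2.10", "203.0.113.6, 198.51.100.7"),
    ]
    print("recursive off:", limit_req_keys(sample, recursive=False))  # both under CDN IP
    print("recursive on :", limit_req_keys(sample, recursive=True))   # one key per user
```

With real_ip_recursive off, both users collapse onto the CDN address, which matches the symptom of CDN IPs being rate-limited that was described earlier in the thread.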