limit_req is not working with dynamically extracted user address

Maxim Dounin mdounin at
Fri Mar 18 15:10:30 UTC 2016


On Fri, Mar 18, 2016 at 10:48:56AM -0400, malish8632 wrote:

> > How did you find that limit_req uses a wrong element?
> We don't know if this is limit_req - in reality we were just looking into
> logs and I guess that's what confused us. We observed those IPs and rolled
> back the changes as we assumed that all requests from CDN or DDOS Service
> were blocked.
> The only way, I guess, to verify that our current schema works is to use
> some arbitrary IP and see if our requests are blocked rather than the CDN
> service IP being blocked.

Ok, so no problem here.

> We've looked into
> and not sure if it is going to work.
> As you saw one of the examples we have other services in front of us. 
> There are 2 cases:
> User -> DDOS Service -> Our NGINX                - X-Forwarded-For ex:
> 555.182.61.171, 333.101.98.188
> User -> CDN -> DDOS Service -> Our NGINX   - X-Forwarded-For ex:
> 555.182.61.171, 444.1.3.56, 555.12.34.567, 333.101.98.188
> Will the realip module be able to identify the real IP of the end user?
> Should we set the CIDRs of both the DDOS Service and the CDN Service as real ip tables:
> set_real_ip_from;
> set_real_ip_from;
> set_real_ip_from  2001:0db8::/32;

The realip module uses last non-trusted address from the header 
(assuming real_ip_recursive is set).  So you have to instruct it 
to trust addresses of your DDoS mitigation service and CDN, e.g.:

set_real_ip_from  <DDoS mitigation service IPs>;
set_real_ip_from  <CDN IPs>;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

Maxim Dounin
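The address selection described in the reply above, as an added example that is not part of the original thread and not nginx's own code: a small Python model of how the realip module walks X-Forwarded-For from right to left, skipping addresses covered by set_real_ip_from when real_ip_recursive is on. The trusted ranges and the sample addresses are constructed (RFC 5737 documentation ranges) and stand in for the real DDoS-mitigation and CDN ranges; the two header layouts mirror the two cases in the question. Because limit_req keys on $binary_remote_addr, whatever this selection returns is the address that gets rate-limited.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737); substitute the real ranges of the
# DDoS mitigation service and the CDN, i.e. what goes into set_real_ip_from.
DDOS_MITIGATION_NETS = [ipaddress.ip_network("198.51.100.0/24")]
CDN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(addr, trusted_nets):
    """True if addr falls inside any set_real_ip_from range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted_nets)


def real_ip(peer_addr, xff_header, trusted_nets, recursive=True):
    """Model (an assumption, not nginx source) of ngx_http_realip_module:

    - If the TCP peer itself is not trusted, the header is ignored and the
      peer address is kept.
    - With real_ip_recursive off, the last (right-most) header address wins.
    - With real_ip_recursive on, addresses are walked right to left and the
      first one NOT in a trusted range is chosen; if every hop is trusted the
      left-most address is kept.
    Returns the address that $remote_addr (and so limit_req) would see.
    """
    if not is_trusted(peer_addr, trusted_nets):
        return peer_addr
    chain = [a.strip() for a in xff_header.split(",") if a.strip()]
    if not chain:
        return peer_addr
    if not recursive:
        return chain[-1]
    for addr in reversed(chain):
        if not is_trusted(addr, trusted_nets):
            return addr
    return chain[0]


# Constructed samples: the end user is 192.0.2.10, the CDN edge 203.0.113.7,
# and the DDoS mitigation hop 198.51.100.9; nginx's TCP peer is 198.51.100.5.
PEER = "198.51.100.5"
CASE_DDOS_ONLY = "192.0.2.10, 198.51.100.9"                 # User -> DDoS -> nginx
CASE_CDN_AND_DDOS = "192.0.2.10, 203.0.113.7, 198.51.100.9" # User -> CDN -> DDoS -> nginx


def summary():
    """Which address limit_req would key on under each configuration."""
    both = DDOS_MITIGATION_NETS + CDN_NETS
    return {
        "ddos_only, both trusted, recursive": real_ip(PEER, CASE_DDOS_ONLY, both),
        "cdn+ddos, both trusted, recursive": real_ip(PEER, CASE_CDN_AND_DDOS, both),
        # Trusting only the DDoS ranges stops at the CDN edge: the CDN gets limited.
        "cdn+ddos, ddos trusted only, recursive": real_ip(PEER, CASE_CDN_AND_DDOS, DDOS_MITIGATION_NETS),
        # Without recursion the mitigation service's own hop gets limited.
        "cdn+ddos, both trusted, non-recursive": real_ip(PEER, CASE_CDN_AND_DDOS, both, recursive=False),
    }


if __name__ == "__main__":
    for label, addr in summary().items():
        print(f"{label:45s} -> {addr}")
```

The third and fourth entries of summary() reproduce the symptom in the question: with only one upstream service trusted, or with real_ip_recursive off, the address that ends up in $remote_addr belongs to the CDN or the mitigation service, so limit_req throttles every request arriving through that hop instead of the individual user.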
