Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk nginx-forum at
Tue Sep 13 09:34:30 UTC 2016

> gariac Wrote:
> -------------------------------------------------------
> > ‎What about Roboo? It requires a cookie on the website before the
> > download takes place. (My usual warning this is my understanding of
> > how it works, but I have no first hand knowledge.) I presume the
> hot
> > linkers won't have the cookie.
> > 
> >

On top of my previous posted example bypass that with a proxy_set_header
Cookie "cookiename=cookievalue";

I don't know why anyone would use that if all it does it require a cookie to
download you could achieve it even more simple like this.

if ($http_cookie = "^$") { #If client has no cookies
return 444;

Or as a whitelist.

if ($cookie_cookiename != "cookievalue") {
return 444;

But a fake proxy stealing your traffic can bypass that with this
proxy_set_header Cookie "cookiename=cookievalue";

Posted at Nginx Forum:,269502,269508#msg-269508

More information about the nginx mailing list