Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Reinis Rozitis r at
Tue Sep 13 12:24:14 UTC 2016

> But that book says it is to reduce the memory footprint  ?

Correct, but that is for that specific varible.

You can't take $http_cf_connecting_ip  which is a HTTP header comming from 
Cloudflare and prepend $binary_ just to "lower memory footprint".
There is no such functionality.

What you might do is still use $binary_remote_addr but in combination with 
RealIP module ( ):

real_ip_header CF-Connecting-IP;

Detailed guide from Cloudflare:

Theoretically it should work but to be sure you would need to test it or ask 
a nginx dev for confirmation if the realip module takes precedence and 
updates also the ip binary variable before the limit_req module.


More information about the nginx mailing list