Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk nginx-forum at
Tue Sep 13 13:08:15 UTC 2016

Reinis Rozitis Wrote:
> > But that book says it is to reduce the memory footprint  ?
> Correct, but that is for that specific variable.
> You can't take $http_cf_connecting_ip  which is a HTTP header coming
> from 
> Cloudflare and prepend $binary_ just to "lower memory footprint".
> There is no such functionality.
> What you might do is still use $binary_remote_addr but in combination
> with 
> RealIP module (
> ):
> real_ip_header CF-Connecting-IP;
> Detailed guide from Cloudflare:
> ( 
> store-original-visitor-IP-with-Nginx- 
>  )
> Theoretically it should work but to be sure you would need to test it
> or ask 
> a nginx dev for confirmation if the realip module takes precedence and
> updates also the ip binary variable before the limit_req module.
> rr 

Thanks for the info :) For now I will just stick with what I know is
currently working. Either way, I believe the stored key in memory won't be
compressed due to being behind Cloudflare's reverse proxy; as you said, only
$binary_remote_addr is compressing their IP to reduce memory footprint.

Here is my config for anyone who wants to test or play around, same as in
the original email.

# http context: copy the CF-Connecting-IP request header into a variable
map $http_cf_connecting_ip $client_ip_from_cf {
    default $http_cf_connecting_ip;
}

# http context: shared-memory zones keyed on the header value (stored as text)
limit_req_zone $client_ip_from_cf zone=one:10m rate=30r/m;
limit_conn_zone $client_ip_from_cf zone=addr:10m;

# server context
location ~ \.mp4$ {
    limit_conn addr 10; #Limit open connections from same ip
    limit_req zone=one; #Limit max number of requests from same ip

    limit_rate_after 1m; #Limit download rate
    limit_rate 1m; #Limit download rate
    root '//';
    expires max;
    valid_referers none blocked *;
    if ($invalid_referer) {
        return 403;
    }
}

Posted at Nginx Forum:,269502,269521#msg-269521
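
Added example, not part of the original thread or either poster's configuration: the RealIP approach suggested in the quoted reply, written out so the zones can keep using $binary_remote_addr. The address ranges, server name, paths and log format name are placeholders; the header is trusted only from the listed ranges, so a client that connects directly and forges CF-Connecting-IP is still keyed on its own address.

```nginx
# http context. Added example; ranges, names and paths are placeholders.

# Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge.
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges standing in for
# Cloudflare's published address list, which must be filled in and kept current.
set_real_ip_from 192.0.2.0/24;
set_real_ip_from 2001:db8::/32;
real_ip_header   CF-Connecting-IP;

# With realip applied, $remote_addr and $binary_remote_addr carry the address
# taken from the header; $realip_remote_addr keeps the original TCP peer.
limit_req_zone  $binary_remote_addr zone=one:10m rate=30r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;

# Check for the test the reply asks for: log both addresses side by side.
# Behind Cloudflare the first field should be an edge address and the second
# the visitor address; for untrusted peers both fields are identical.
log_format realip_check '$realip_remote_addr -> $remote_addr '
                        '"$request" $status';

server {
    listen 80;
    server_name example.test;                 # placeholder

    access_log /var/log/nginx/realip_check.log realip_check;

    location ~ \.mp4$ {
        root /var/www/media;                  # placeholder path
        limit_conn addr 10;                   # open connections per client
        limit_req  zone=one;                  # request rate per client
        limit_rate_after 1m;
        limit_rate 1m;
    }
}
```

$realip_remote_addr requires nginx 1.9.7 or later, and the realip module must be compiled in (--with-http_realip_module).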
