Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk nginx-forum at
Wed Sep 14 12:23:27 UTC 2016

Yeah, the reason it does not work behind CloudFlare is because the limit_conn
and limit_req are blocking the CloudFlare server IP for making too many
requests. So that is why I am receiving the DOS output "503 service

And I don't fancy building a whitelist of IPs since it would require
manually updating a lot. The CloudFlare server IPs would need excluding
from the $binary_remote_addr output.

Currently I am using my first method and it works great.

c0nw0nk Wrote:
> limit_req_zone $http_cf_connecting_ip zone=one:10m rate=30r/m;
> limit_conn_zone $http_cf_connecting_ip zone=addr:10m;
> location ~ \.mp4$ {
>     limit_conn addr 10; #Limit open connections from same ip
>     limit_req zone=one; #Limit max number of requests from same ip
>     mp4;
>     limit_rate_after 1m; #Limit download rate
>     limit_rate 1m; #Limit download rate
>     root '//';
>     expires max;
>     valid_referers none blocked *;
>     if ($invalid_referer) {
>         return 403;
>     }
> }

Posted at Nginx Forum:,269502,269572#msg-269572
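
As an added example (not part of the original post), here is one way to keep the per-visitor key from the quoted config while still limiting requests that do not arrive through CloudFlare: nginx does not account requests whose limit key is empty, so the key below falls back to `$binary_remote_addr` whenever the peer is not a CloudFlare range or the header is missing. The variable names `$from_cloudflare`, `$limit_key` and `$cf_client` are hypothetical, and the CIDR ranges are documentation placeholders to be replaced with CloudFlare's published ranges.

```nginx
# Added example for the http{} context; not the poster's configuration.
# $from_cloudflare, $limit_key and $cf_client are hypothetical names.

# 1 when the TCP peer ($remote_addr) is inside a trusted proxy range, else 0.
geo $from_cloudflare {
    default        0;
    192.0.2.0/24   1;   # placeholder range, replace with the published list
    2001:db8::/32  1;   # placeholder range
}

# Build the rate-limit key:
#  - peer is a trusted proxy AND the header is non-empty -> visitor address
#    taken from CF-Connecting-IP
#  - anything else (direct connection, missing header)   -> connecting address
# The key is therefore never empty, so every request is counted.
map "$from_cloudflare:$http_cf_connecting_ip" $limit_key {
    default                 $binary_remote_addr;
    ~^1:(?<cf_client>.+)$   $cf_client;
}

# Same zones, sizes and rate as in the quoted config, keyed on $limit_key.
limit_req_zone  $limit_key zone=one:10m rate=30r/m;
limit_conn_zone $limit_key zone=addr:10m;

server {
    listen 80;

    location ~ \.mp4$ {
        limit_conn addr 10;   # open connections per key
        limit_req  zone=one;  # requests per key
        # remaining directives as in the quoted location block
    }
}
```

The `geo` block is the only part that has to track the proxy's address list, and it can live in a separate file pulled in with `include` so it can be regenerated without touching the rest of the config.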
