set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Nishikubo Minoru minoru.nishikubo at lyz.jp
Wed Mar 1 00:56:38 UTC 2017


Hello, Maxim

I understand your explanation, and thanks for the reply.

I tried to replace $binary_remote_addr (not $remote_addr, for performance
reasons) with the True-Client-IP header, which the Akamai CDN server will send,
via ngx_http_limit_req_module, and use it as a shared memory zone key.


On Tue, Feb 28, 2017 at 10:40 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
>
> On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote:
>
> > Hello,
> > I tried to limit an IPv4 address with the ngx_http_limit_req module and
> > ngx_realip_module, using the True-Client-IP headers that Akamai would send.
> >
> > According to the documentation of ngx_http_realip_module (
> > http://nginx.org/en/docs/http/ngx_http_realip_module.html),
> > we can write the set_real_ip_from and real_ip_header directives in the http,
> > server, and location contexts.
> >
> > But in the above case (the ngx_http_limit_req module's key is defined in
> > the http context), the ngx_http_realip_module directives must be defined
> > before the key (a.k.a. the IPv4 address replaced by ngx_http_realip_module)
> > and be followed by the limit_req_zone directive in the http context.
>
> Not really.  There is no such requirement, that is, there is need
> to place limit_req_zone and set_real_ip_from on the same level or
> even in a particular order.
>
> For example, the following configuration will work perfectly:
>
>     limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
>     limit_req zone=limit;
>
>     server {
>         listen 80;
>
>         location / {
>             set_real_ip_from 127.0.0.1;
>             real_ip_header X-Real-IP;
>         }
>     }
>
> A problem may happen though if you configured the realip module in
> a location context, but use the address in different contexts.
> For example, the following will limit requests based on the
> connection's address, not the one set with realip:
>
>     limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
>     limit_req zone=limit;
>
>     server {
>         listen 80;
>
>         location / {
>             try_files $uri @fallback;
>         }
>
>         location @fallback {
>             set_real_ip_from 127.0.0.1;
>             real_ip_header X-Real-IP;
>             proxy_pass ...
>         }
>     }
>
> In the above configuration, limit_req will work at the "location /"
> context, and the realip module in "location @fallback" won't be
> effective.  For more confusion, the $remote_addr variable will be
> cached once used by limit_req, and attempts to use it even in the
> location @fallback will return the original value, not changed by
> the realip module.
>
> Summing up the above, it is certainly possible to use the realip
> module with limit_req regardless of levels.  They may interact
> unexpectedly in complex configurations though, and hence it is
> a good idea to avoid using set_real_ip_from / real_ip_header in
> location context unless you understand what you are doing.
>
> --
> Maxim Dounin
> http://nginx.org/
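Added example, not part of the original thread and not the nginx project's own configuration: one way to follow the advice above is to keep the realip directives at http level, so that limit_req sees the rewritten address in every location. The CDN ranges (documentation placeholders), zone name, rates and upstream address are assumptions.

```nginx
# Added example. Addresses, zone name, rates and upstream are placeholders.
http {
    # Accept the client-address header only from the CDN edge ranges.
    # 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in
    # for the real list published by the CDN.
    # Connections from any other address keep their own address, so a
    # True-Client-IP header sent directly by a client is ignored and cannot
    # be used to pick a different rate-limit bucket.
    set_real_ip_from 192.0.2.0/24;
    set_real_ip_from 198.51.100.0/24;
    real_ip_header   True-Client-IP;

    # The key is the binary form of the address after realip has replaced it.
    limit_req_zone $binary_remote_addr zone=perclient:10m rate=10r/s;

    server {
        listen 80;

        location / {
            # limit_req evaluates the key here. realip was configured at
            # http level, so the address is already the client's, and the
            # value cached for $remote_addr is the replaced one.
            limit_req zone=perclient burst=20;
            try_files $uri @fallback;
        }

        location @fallback {
            # No set_real_ip_from / real_ip_header here: the http-level
            # settings are inherited, so both locations see the same address.
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Logging both $remote_addr and $realip_remote_addr in access_log makes it easy to confirm which address the limiter is keyed on.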