nginx directives geo and map behind proxy
Francis Daly
francis at daoine.org
Thu Mar 14 18:33:37 UTC 2019
On Tue, Mar 12, 2019 at 06:22:30AM -0400, gogan wrote:
Hi there,
> We want to limit requests with limit_req_zone in nginx. Using it directly
> connected to the loadbalancer is fine. It works great, but connections
> coming from myracloud are not limited. Guess nginx is evaluating ip address
> before extracting real client ip from proxy. So, is there a way to solve the
> problem?
My testing suggests that the realip side sets $remote_addr correctly,
and that the geo side uses the correct $remote_addr.
Can you show config / example / logs of the problem that you are reporting?
If you repeat the test below, do you see something different?
==
http {
    geo $geo {
        default unknown;
        127.0.0.1 one;
        127.0.0.3 three;
        127.0.0.10 ten;
    }
    server {
        listen 8000;
        set_real_ip_from 127.0.0.10;
        real_ip_header CF-Connecting-IP;
        location = /ip {
            return 200 "\nCF-Connecting-IP: $http_cf_connecting_ip;\nremote: $remote_addr;\nreal: $realip_remote_addr;\ngeo $geo;\n";
        }
    }
}
==
# Send the header, and connect from a trusted address; remote and geo
are based on the address from the header:
$ curl -H CF-Connecting-IP:127.0.0.3 http://127.0.0.10:8000/ip
CF-Connecting-IP: 127.0.0.3;
remote: 127.0.0.3;
real: 127.0.0.10;
geo three;
# Send the header, but connect from an untrusted address; remote and
geo are based on the untrusted address:
$ curl -H CF-Connecting-IP:127.0.0.3 http://127.0.0.1:8000/ip
CF-Connecting-IP: 127.0.0.3;
remote: 127.0.0.1;
real: 127.0.0.1;
geo one;
Have I misunderstood what you are doing?
f
--
Francis Daly francis at daoine.org
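
The trust decision exercised by the two curl tests above, as an added example that is not part of the original message and not nginx code: a simplified Python model of how the realip step picks `$remote_addr` and how `geo` then classifies it. The function names are hypothetical; the addresses and geo values are the ones from the test config.

```python
import ipaddress

# Values taken from the test config in the message above.
TRUSTED_PROXIES = ["127.0.0.10"]          # set_real_ip_from
GEO = {"127.0.0.1": "one", "127.0.0.3": "three", "127.0.0.10": "ten"}
GEO_DEFAULT = "unknown"


def resolve_realip(peer, header_value, trusted=TRUSTED_PROXIES):
    """Return (remote_addr, realip_remote_addr) for one request.

    peer is the TCP peer address; header_value is the CF-Connecting-IP
    header or None. The header is honoured only when the peer is trusted.
    """
    peer_ip = ipaddress.ip_address(peer)
    is_trusted = any(peer_ip in ipaddress.ip_network(n) for n in trusted)
    if is_trusted and header_value:
        try:
            return str(ipaddress.ip_address(header_value.strip())), peer
        except ValueError:
            pass  # unparsable header: keep the peer address
    return peer, peer


def geo_lookup(addr, table=GEO, default=GEO_DEFAULT):
    """Longest-prefix match of addr against the geo table."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, value in table.items():
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, value)
    return best[1] if best else default


def evaluate(peer, header_value):
    """Variables the /ip location would report for one request."""
    remote, real = resolve_realip(peer, header_value)
    return {"remote": remote, "real": real, "geo": geo_lookup(remote)}


if __name__ == "__main__":
    # Constructed requests mirroring the two curl calls above.
    print(evaluate("127.0.0.10", "127.0.0.3"))
    print(evaluate("127.0.0.1", "127.0.0.3"))
```

A `limit_req_zone` keyed on `$binary_remote_addr` follows the same value as `remote` here, so the header only influences the limit key when the connection comes from an address listed in `set_real_ip_from`.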