<div dir="ltr"><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">You were just told the best way to get a meaningful $binary_remote_addr variable using CloudFlare, with the added bonus of a list of network ranges to use with set_real_ip_from to only filter out CloudFlare's IP addresses as sources to be repalced and avoid false positives.<br><br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">Using the $binary_remote_addr variable takes less space inside your fixed-sized zone, thus allowing to store more entries.<br></div><div class="gmail_default" style="font-size:small;color:rgb(51,51,153)">I suggest you carefully read on the impacts of filling-up the zone memory and why using as little data per client is highly advised in <a href="http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone">limit_req_zone</a> directive docs as you do not seem to know what you are doing...<br></div><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><font size="1"><span style="color:rgb(102,102,102)">---<br></span><b><span style="color:rgb(102,102,102)">B. R.</span></b><span style="color:rgb(102,102,102)"></span></font></div></div>
<br><div class="gmail_quote">On Tue, Sep 13, 2016 at 3:08 PM, c0nw0nk <span dir="ltr"><<a href="mailto:nginx-forum@forum.nginx.org" target="_blank">nginx-forum@forum.nginx.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Reinis Rozitis Wrote:<br>
------------------------------<wbr>-------------------------<br>
<div><div class="h5">> > But that book says it is to reduce the memory footprint ?<br>
><br>
> Correct, but that is for that specific varible.<br>
><br>
> You can't take $http_cf_connecting_ip which is a HTTP header comming<br>
> from<br>
> Cloudflare and prepend $binary_ just to "lower memory footprint".<br>
> There is no such functionality.<br>
><br>
><br>
> What you might do is still use $binary_remote_addr but in combination<br>
> with<br>
> RealIP module (<br>
> <a href="http://nginx.org/en/docs/http/ngx_http_realip_module.html" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/<wbr>ngx_http_realip_module.html</a> ):<br>
><br>
> real_ip_header CF-Connecting-IP;<br>
><br>
> Detailed guide from Cloudflare:<br>
> (<br>
> <a href="https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-re" rel="noreferrer" target="_blank">https://support.cloudflare.<wbr>com/hc/en-us/articles/<wbr>200170706-How-do-I-re</a><br>
> store-original-visitor-IP-<wbr>with-Nginx-<br>
> )<br>
><br>
><br>
> Theoretically it should work but to be sure you would need to test it<br>
> or ask<br>
> a nginx dev for confirmation if the realip module takes precedence and<br>
><br>
> updates also the ip binary variable before the limit_req module.<br>
><br>
> rr<br>
><br>
> ______________________________<wbr>_________________<br>
> nginx mailing list<br>
> <a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
> <a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
<br>
<br>
</div></div>Thanks for the info :) For now I will just stick with what I know is<br>
currently working either way I believe the stored key in memory won't be<br>
compressed due to being behind cloudflare's reverse proxy as you said only<br>
$binary_remote_addr is compressing their IP to reduce memory footprint.<br>
<br>
Here is my config for anyone who wants to test or play around same as in<br>
original email.<br>
<br>
map $http_cf_connecting_ip $client_ip_from_cf {<br>
default $http_cf_connecting_ip;<br>
}<br>
<br>
limit_req_zone $client_ip_from_cf zone=one:10m rate=30r/m;<br>
limit_conn_zone $client_ip_from_cf zone=addr:10m;<br>
<span class=""><br>
location ~ \.mp4$ {<br>
limit_conn addr 10; #Limit open connections from same ip<br>
limit_req zone=one; #Limit max number of requests from same ip<br>
<br>
mp4;<br>
limit_rate_after 1m; #Limit download rate<br>
limit_rate 1m; #Limit download rate<br>
root '//<a href="http://172.168.0.1/StorageServ1/server/networkflare/public_www" rel="noreferrer" target="_blank">172.168.0.1/StorageServ1/<wbr>server/networkflare/public_www</a><wbr>';<br>
expires max;<br>
valid_referers none blocked <a href="http://networkflare.com" rel="noreferrer" target="_blank">networkflare.com</a> *.<a href="http://networkflare.com" rel="noreferrer" target="_blank">networkflare.com</a>;<br>
if ($invalid_referer) {<br>
return 403;<br>
}<br>
}<br>
<br>
</span>Posted at Nginx Forum: <a href="https://forum.nginx.org/read.php?2,269502,269521#msg-269521" rel="noreferrer" target="_blank">https://forum.nginx.org/read.<wbr>php?2,269502,269521#msg-269521</a><br>
<div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br></div></div>