<div dir="ltr"><div>Hello, Maxim</div><div><br></div><div>I understand your explanation, and thanks for the reply.</div><div><br></div><div>I tried to replace $binary_remote_addr (not $remote_addr, for performance reasons) with the True-Client-IP header, which the Akamai CDN server will send, and use it as the shared memory zone key via ngx_http_limit_req_module. </div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 28, 2017 at 10:40 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<span class=""><br>
On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote:<br>
<br>
> Hello,<br>
> I tried to limit an IPv4 Address with ngx_http_limit_req module and<br>
> ngx_realip_module via Akamai would send True-Client-IP headers.<br>
><br>
> According to the document ngx_http_realip_module (<br>
> <a href="http://nginx.org/en/docs/http/ngx_http_realip_module.html" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/<wbr>ngx_http_realip_module.html</a>),<br>
> we can write set_real_ip_from and real_ip_header directives in http,<br>
> server, location context.<br>
><br>
> But, in the above case (ngx_http_limit_req module is defined the key in http<br>
> context), directives on ngx_http_realip_module must be defined before the<br>
> keys (a.k.a. replaced IPv4 address by ngx_http_realip_module) and followed<br>
> limit_req_zone directive in http context.<br>
<br>
</span>Not really. There is no such requirement, that is, there is no need<br>
to place limit_req_zone and set_real_ip_from on the same level or<br>
even in a particular order.<br>
<br>
For example, the following configuration will work perfectly:<br>
<br>
limit_req_zone $remote_addr zone=limit:1m rate=1r/m;<br>
limit_req zone=limit;<br>
<br>
server {<br>
listen 80;<br>
<br>
location / {<br>
set_real_ip_from 127.0.0.1;<br>
real_ip_header X-Real-IP;<br>
}<br>
}<br>
<br>
A problem may happen though if you configured the realip module in<br>
a location context, but use the address in different contexts.<br>
For example, the following will limit requests based on the<br>
connection's address, not the one set with realip:<br>
<br>
limit_req_zone $remote_addr zone=limit:1m rate=1r/m;<br>
limit_req zone=limit;<br>
<br>
server {<br>
listen 80;<br>
<br>
location / {<br>
try_files $uri @fallback;<br>
}<br>
<br>
location @fallback {<br>
set_real_ip_from 127.0.0.1;<br>
real_ip_header X-Real-IP;<br>
proxy_pass ...<br>
}<br>
}<br>
<br>
In the above configuration, limit_req will work at the "location /"<br>
context, and the realip module in "location @fallback" won't be<br>
effective. For more confusion, the $remote_addr variable will be<br>
cached once used by limit_req, and attempts to use it even in the<br>
location @fallback will return the original value, not changed by<br>
the realip module.<br>
<br>
Summing up the above, it is certainly possible to use the realip<br>
module with limit_req regardless of levels. They may interact<br>
unexpectedly in complex configurations though, and hence it is<br>
a good idea to avoid using set_real_ip_from / real_ip_header in<br>
location context unless you understand what you are doing.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
</font></span></blockquote></div><br></div>
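The layout the thread converges on, as an added example that is not part of either poster's message: the realip directives sit at http level so that every location, including the named fallback, keys limit_req on the address taken from True-Client-IP. The address ranges and the upstream name are placeholders, not values from the thread.

```nginx
# Added example; this is the http block of nginx.conf only.
http {
    # realip at http level: the client address is replaced before
    # limit_req evaluates its key, in every server and location.
    # The header is honoured only when the connection comes from one of
    # these ranges; from any other peer it is ignored and the socket
    # address is used, so a direct client cannot pick its own key.
    set_real_ip_from 192.0.2.0/24;      # placeholder: CDN edge range
    set_real_ip_from 198.51.100.0/24;   # placeholder: CDN edge range
    real_ip_header   True-Client-IP;

    # $binary_remote_addr is the compact form of the address set by realip.
    limit_req_zone $binary_remote_addr zone=limit:1m rate=1r/m;

    upstream backend {                  # hypothetical upstream
        server 127.0.0.1:8080;
    }

    server {
        listen 80;
        limit_req zone=limit;

        location / {
            try_files $uri @fallback;
        }

        location @fallback {
            # No set_real_ip_from / real_ip_header here: a location-level
            # realip block would take effect only after limit_req had
            # already used (and cached) the connection address.
            proxy_pass http://backend;
        }
    }
}
```

Keep the set_real_ip_from list limited to the addresses the CDN actually connects from; a range that also covers ordinary clients lets them supply the header and choose their own rate-limit key.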