limit_req with IP whitelisting

Maxim Dounin mdounin at mdounin.ru
Wed Jul 6 21:27:07 MSD 2011


Hello!

On Wed, Jul 06, 2011 at 12:27:57PM -0400, LeMaitre wrote:

> Hi folks,
> 
> 1)
> I want to use limit_req with whitelisting some subnet, I have seen this
> post: http://forum.nginx.org/read.php?21,200815,200815#msg-200815 and
> done some tests but it's not working.

And not expected to: it's only a design idea.  It wasn't (yet?)
implemented.

> I have added to server context:
> 
> geo $rate {
>  default 5; # 5r/s
>  10.0.0.0/24 -;
>  192.168.0.0/24 -;
>  10.1.0.0 -;
> }
> 
> limit_req_zone $binary_remote_addr zone=ratezone:10m rate=$rate;
> limit_req zone=ratezone burst=10 nodelay;
> 
> And I receive as error: nginx: [emerg] invalid rate "rate=$rate"
> 
> Any idea how to fix this issue?

Right now you may try something like this:

    geo $nolimit {
        default 0;
        10.0.0.0/24 1;
        192.168.0.0/24 1;
    }

    limit_req_zone $binary_remote_addr zone=ratezone:10m rate=5r/s;

    server {
        # ...

        location / {
            error_page 418 = @nolimit;

            if ($nolimit) {
                return 418;
            }

            limit_req zone=ratezone burst=10 nodelay;

            # ...
        }

        location @nolimit {
            # ... no limit_req here
        }
    }

This will process requests in "location /" by default with
limit_req set, though users with the IP addresses you specify will go
to "location @nolimit" where there is no limit_req.

> 2) Is it possible to use limit_req for a single domain "$host"?

Just define it in an appropriate server{} block.

Maxim Dounin
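
An alternative to the error_page 418 workaround above, as an added example that is not part of the original message and not the author's configuration: limit_req_zone does not account requests whose key is empty, so a map can blank the key for the whitelisted subnets and a single location serves both groups. The variable name $limit_key, the listen port and the "return 200" handler are assumptions made for illustration.

```nginx
# Constructed configuration; syntax-check it with: nginx -t -c /path/to/this/file
events {}

http {
    # 1 = exempt from rate limiting, 0 = limited.
    # geo matches against $remote_addr by default, so behind a reverse
    # proxy it sees the proxy's address unless the realip module has
    # restored the client address first.
    geo $nolimit {
        default        0;
        10.0.0.0/24    1;
        192.168.0.0/24 1;
    }

    # Exempt clients get an empty key; everyone else is keyed by address.
    # Requests with an empty key value are not accounted by limit_req.
    map $nolimit $limit_key {
        1 "";
        0 $binary_remote_addr;
    }

    limit_req_zone $limit_key zone=ratezone:10m rate=5r/s;

    server {
        listen 8080;   # assumption: any free port

        location / {
            # Applies to every request, but only non-empty keys are counted,
            # so no "if" and no duplicate @nolimit location are needed.
            limit_req zone=ratezone burst=10 nodelay;

            return 200 "ok\n";   # placeholder handler (assumption)
        }
    }
}
```

Keep the whitelist in geo as narrow as the trusted networks really are: every address it matches bypasses the limit entirely.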


