Whitelisting IP addresses for ratelimiting
Maxim Dounin
mdounin at mdounin.ru
Wed Jul 25 13:45:55 UTC 2012
Hello!
On Wed, Jul 25, 2012 at 01:53:41PM +0100, James Fidell wrote:
> I have my configuration set up based on the information at
> http://gadelkareem.com/2012/03/25/limit-requests-per-ip-on-nginx-using-httplimitzonemodule-and-httplimitreqmodule-except-whitelist/
> as follows:
>
> http {
>     ...
>     geo $unlimited {
>         default 1;
>         192.168.45.56/32 0;
>     }
>     ...
>     limit_req_zone $binary_remote_addr zone=unlimited:10m rate=10r/m;
>     ...
>     server {
>         ...
>         location / {
>             limit_req zone=unlimited burst=5;
>         }
>     }
> }
>
> I believe this should mean that requests from IP address 192.168.45.56
> are not subject to the rate limiting, but it isn't working (they do get
> blocked by the rate limiting) and I can't see why.
>
> Is my configuration obviously wrong somewhere?
Yes, it's obviously wrong, as is the blog post you've followed.
You don't use the $unlimited variable anywhere in your config, and
just use $binary_remote_addr for limiting without any exceptions.
To make an exception, you have to provide an empty value for the
variable in limit_req_zone (see http://nginx.org/r/limit_req_zone).
A correct config for geo-based exceptions would be (involving an
intermediate map, as geo doesn't allow variables in the resulting
value):
geo $limited {
    default 1;
    192.168.45.56/32 0;
}

map $limited $limit {
    1 $binary_remote_addr;
    0 "";
}

limit_req_zone $limit zone=foo:1m rate=10r/m;

limit_req zone=foo burst=5;
As you can see from the above config, limit_req_zone now works
based on the $limit variable, which is either the client address or an
empty string. In the latter case the client isn't limited.
Maxim Dounin
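The following is an added illustration, not part of the original post and not nginx's own code: a simplified Python model of the geo -> map -> limit_req_zone chain described above, so the difference between the broken config (keyed on $binary_remote_addr for everyone) and the corrected one (empty key for exempt clients) can be run offline. It also models limit_req's leaky bucket (rate=10r/m, burst=5) approximately: each request adds one unit of excess, excess drains at the configured rate, excess within burst is delayed, excess beyond burst is rejected. The second whitelist entry (10.1.2.0/24), the client addresses and the request timestamps are constructed for the example; the textual address stands in for $binary_remote_addr.

```python
"""Simplified model of nginx limit_req with a geo/map whitelist.

Added example, not nginx's code. It models the corrected config:

    geo $limited { default 1; 192.168.45.56/32 0; }
    map $limited $limit { 1 $binary_remote_addr; 0 ""; }
    limit_req_zone $limit zone=foo:1m rate=10r/m;
    limit_req zone=foo burst=5;

Leaky-bucket approximation of limit_req: a request adds 1 to its key's
"excess", which drains at `rate` per second. excess == 0 -> served at
once, 0 < excess <= burst -> delayed, excess > burst -> rejected (503).
An empty key is never accounted, so that client is never limited.
"""
import ipaddress
from fractions import Fraction

# Constructed whitelist (the /24 is an assumed extra entry). geo does
# longest-prefix matching; for non-overlapping entries a containment
# check is equivalent.
WHITELIST = [ipaddress.ip_network("192.168.45.56/32"),
             ipaddress.ip_network("10.1.2.0/24")]


def geo_limited(addr):
    """geo $limited: 0 for whitelisted clients, default 1."""
    ip = ipaddress.ip_address(addr)
    return 0 if any(ip in net for net in WHITELIST) else 1


def limit_key_fixed(addr):
    """map $limited $limit: the client address, or "" for exempt clients."""
    return addr if geo_limited(addr) == 1 else ""


def limit_key_broken(addr):
    """The original config: limit_req_zone keyed on $binary_remote_addr,
    so $unlimited is computed but never consulted and nobody is exempt."""
    return addr


class LimitReqZone:
    def __init__(self, rate_per_minute, burst):
        self.rate = Fraction(rate_per_minute, 60)   # excess drained per second
        self.burst = burst
        self.state = {}                             # key -> [excess, last_seen]

    def request(self, key, now):
        if key == "":
            return "pass"                           # empty key: not limited
        if key not in self.state:
            self.state[key] = [Fraction(0), now]    # first request is in-rate
            return "pass"
        excess, last = self.state[key]
        excess = max(Fraction(0), excess - (now - last) * self.rate + 1)
        if excess > self.burst:
            return "reject"                         # 503; state left untouched
        self.state[key] = [excess, now]
        return "pass" if excess == 0 else "delay"


def run_scenario(key_fn, addr, times, rate_per_minute=10, burst=5):
    """Feed one client's request timestamps (seconds) through a fresh zone
    and return the verdict for each request."""
    zone = LimitReqZone(rate_per_minute, burst)
    return [zone.request(key_fn(addr), t) for t in times]


if __name__ == "__main__":
    # Constructed traffic: seven requests at once, one more 36 s later.
    times = [0] * 7 + [36]
    for fn in (limit_key_broken, limit_key_fixed):
        for addr in ("203.0.113.9", "192.168.45.56"):
            print(fn.__name__, addr, run_scenario(fn, addr, times))
```

With the broken key function the whitelisted address is throttled exactly like any other client (sixth excess request rejected); with the corrected map its key is empty and every request passes. For a non-exempt client, 10r/m drains one unit every 6 seconds, so the bucket left at excess 5 is empty again 30 seconds later and a request at t=36 is served immediately, while one at t=30 is still delayed.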