Whitelisting IP addresses for ratelimiting

Maxim Dounin mdounin at mdounin.ru
Wed Jul 25 13:45:55 UTC 2012


Hello!

On Wed, Jul 25, 2012 at 01:53:41PM +0100, James Fidell wrote:

> I have my configuration set up based on the information at
> http://gadelkareem.com/2012/03/25/limit-requests-per-ip-on-nginx-using-httplimitzonemodule-and-httplimitreqmodule-except-whitelist/
> as follows:
> 
> http {
> ...
>   geo $unlimited {
>     default 1;
>     192.168.45.56/32 0;
>   }
> ...
>   limit_req_zone  $binary_remote_addr  zone=unlimited:10m   rate=10r/m;
> ...
>   server {
>   ...
>     location / {
>       limit_req zone=unlimited burst=5;
>     }
>   }
> }
> 
> I believe this should mean that requests from IP address 192.168.45.56
> are not subject to the rate limiting, but it isn't working (they do get
> blocked by the rate limiting) and I can't see why.
> 
> Is my configuration obviously wrong somewhere?

Yes, it's obviously wrong, as well as the blog post you've followed.
You don't use the $unlimited variable anywhere in your config, and
just use $binary_remote_addr for limiting without any exceptions.

To make an exception, you have to provide an empty value for the
variable in limit_req_zone (see http://nginx.org/r/limit_req_zone).

The correct config for geo-based exceptions would be (involving an
intermediate map, as geo doesn't allow variables in a resulting
value):

    geo $limited {
        default           1;
        192.168.45.56/32  0;
    }

    map $limited $limit {
        1        $binary_remote_addr;
        0        "";
    }

    limit_req_zone $limit zone=foo:1m rate=10r/m;
    limit_req zone=foo burst=5;

As you can see from the above config, limit_req_zone now works
based on the $limit variable, which is either the client address or
an empty string.  In the latter case the client isn't limited.

Maxim Dounin
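The following is an added example, not the post's config and not nginx's code: a small Python model of the geo -> map -> limit_req_zone chain described in the reply, using the post's 192.168.45.56/32 whitelist, rate=10r/m and burst=5, so that the effect of the empty key can be checked without an nginx instance. The ordinary client address 203.0.113.9, the use of the textual address (rather than $binary_remote_addr) as the key, and the names limit_key, LimitReqZone and simulate are assumptions of the example.

```python
"""Simulation of the whitelist-by-empty-key pattern from the reply above.

Added example, not nginx source or the list post's config. It models the
geo -> map -> limit_req_zone chain: a client address that matches a
whitelisted network gets an empty key and is never counted; every other
address is its own key and is throttled by a leaky bucket with the post's
rate=10r/m and burst=5. The accounting is modelled on nginx's limit_req
arithmetic (excess in thousandths of a request, integer maths), but only
the accept/reject decision is modelled; the delay limit_req applies to
burst requests when 'nodelay' is absent is ignored.
"""
import ipaddress

# Constructed whitelist, mirroring the post's geo block.
WHITELIST = [ipaddress.ip_network("192.168.45.56/32")]


def limit_key(client_ip: str) -> str:
    """geo $limited + map $limit: "" (no limiting) for whitelisted addresses,
    otherwise the client address. The real config keys on $binary_remote_addr;
    the textual address is used here for readability (an assumption)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in WHITELIST):
        return ""
    return client_ip


class LimitReqZone:
    """One limit_req_zone: a per-key leaky bucket, rate given in r/m."""

    def __init__(self, rate_per_minute: int, burst: int):
        # Rate kept as requests-per-second * 1000, truncated to an integer.
        self.rate = rate_per_minute * 1000 // 60
        self.burst = burst * 1000          # burst in thousandths of a request
        self.state = {}                    # key -> (last_ms, excess)

    def check(self, key: str, now_ms: int) -> bool:
        """True if the request passes, False if limit_req would answer 503."""
        if key == "":
            return True                    # empty key: the zone is skipped
        if key not in self.state:
            self.state[key] = (now_ms, 0)  # first request for a key: excess 0
            return True
        last_ms, excess = self.state[key]
        # Leak what the elapsed time allows, then account for this request.
        excess = max(excess - self.rate * (now_ms - last_ms) // 1000, 0) + 1000
        if excess > self.burst:
            return False                   # rejected; state left untouched
        self.state[key] = (now_ms, excess)
        return True


def simulate(zone: LimitReqZone, requests):
    """requests: iterable of (client_ip, time_ms). Returns one bool per request."""
    return [zone.check(limit_key(ip), t) for ip, t in requests]


if __name__ == "__main__":
    zone = LimitReqZone(rate_per_minute=10, burst=5)
    # Constructed traffic: 7 requests in the same millisecond from an
    # ordinary client, then 7 from the whitelisted address.
    ordinary = [("203.0.113.9", 0)] * 7
    listed = [("192.168.45.56", 0)] * 7
    print("ordinary:", simulate(zone, ordinary))   # 6 x True, then False
    print("listed:  ", simulate(zone, listed))     # all True
```

Running it shows the two halves of the mechanism: the whitelisted address never touches the zone, while the ordinary client gets one request plus the five of burst before a 503, and a rejected request does not advance its bucket, so it must wait for enough leakage before passing again.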
