Exclude ip's from Nginx limit_req zone

B.R. reallfqq-nginx at yahoo.fr
Sun Dec 21 16:23:33 UTC 2014

I am highly suspicious about the content found at the address pointed to by
the link provided by mex.
Unless I am mistaken, the variable filled by the geo module is not used
anywhere else... thus I guess the limiting works OK, but the 'white-list'
feature probably does not work, as it was expected/advertised.
TL;DR: it probably does not work.


Francis gave you an answer which is working. I will try to explain it with
other words, hoping you will understand what to do.

The limit_* modules (req and conn) filter requests based on a variable,
whose content is used as a key. If you use $binary_remote_addr there, nginx
will keep counters per each (non-empty) value of the key and limit each of
them. In that case, each unique non-empty value is the binary IP address of
a client.

Now, you want to exclude clients from that list, so you cannot use it
directly. The trick you can use to exclude requests from being limited by
the limit_* module is ensuring that requests that should be unlimited
provide an empty value for the variable used by these modules.
Since you base your limit_* behavior on IP addresses, you thus need to set
an "empty" IP address for whitelisted addresses, so they are unlimited.

How to get that filtered list? nginx's map module allows you to fill a
variable depending on the value of another, used as a key.
The idea there is that if your key says "should not limit" (or, say, 0),
the new variable should be empty, while in all other cases the new variable
should contain $binary_remote_addr.
That gives you the last map Francis provided:
map $should_limit $filter {
    default $binary_remote_addr;
    0 "";
}
You wanna use the $filter variable on your limiter.

Now, for each request, you want to fill up this $should_limit variable with
0 for unlimited requests and anything else (say, 1) to limit them.
That is where the geo module kicks in, where you set the default value of
the variable it is working on with 1, and put rules matching the
white-listed IP addresses associated with the value 0.

Read the answer from Francis in the light of this attempt at explaining it.
The goal of the first part of his message was to explain why this 2-step
process is mandatory, due to limitations in the inner workings of the geo

Hoping to have cleared things a little...
*B. R.*

On Sun, Dec 21, 2014 at 4:11 PM, ASTRAPI <nginx-forum at nginx.us> wrote:

> Thanks for your replies but I am confused now :(
> Can anyone please try to post:
> What I must add to main nginx config at:
> http {      ?
> and what to add to the nginx domain config file at:
> server {    ?
> Target is to have connections limit per IP 20 and requests limits per IP to
> 40 and requests burst up to 80!
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,255697,255710#msg-255710
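
The two-step geo + map whitelist described in the message above, combined with the limits asked for in the quoted question, as an added example that is not from the thread. The whitelisted addresses, zone names, zone sizes, the server block and the per-second unit for the rate of 40 are assumptions.

```nginx
# Added example, not from the original thread.
# Whitelist entries, zone names/sizes and server details are assumptions.
events {}

http {
    # Step 1: geo looks at the client address ($remote_addr by default)
    # and sets a flag: 1 = limit (default), 0 = whitelisted.
    geo $should_limit {
        default        1;
        127.0.0.1      0;   # constructed whitelist entry
        192.0.2.0/24   0;   # constructed whitelist entry (documentation range)
    }

    # Step 2: map turns the flag into the limiter key.
    # Whitelisted clients get an empty key, which limit_req and
    # limit_conn do not account; everyone else is keyed by address.
    map $should_limit $filter {
        default $binary_remote_addr;
        0       "";
    }

    # Both zones use $filter, not $binary_remote_addr, as the key.
    limit_req_zone  $filter zone=req_per_ip:10m  rate=40r/s;  # unit assumed
    limit_conn_zone $filter zone=conn_per_ip:10m;

    server {
        listen 80;
        server_name example.com;   # placeholder

        limit_conn conn_per_ip 20;              # 20 connections per IP
        limit_req  zone=req_per_ip burst=80;    # 40 r/s, burst up to 80

        location / {
            root /var/www/html;    # placeholder
        }
    }
}
```

Because geo matches on the connecting address, a whitelist entry for a reverse proxy or load balancer exempts every client behind it. Run `nginx -t` before reloading to confirm the configuration parses.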