limit_req is not working with dynamically extracted user address

malish8632 nginx-forum at forum.nginx.org
Fri Mar 18 14:48:56 UTC 2016


Hi Maxim,
thank you for the quick response.

> How did you find that limit_req uses a wrong element?

We don't know if this is limit_req - in reality we were just looking into
logs and I guess that's what confused us. We observed those IPs and rolled
back the changes as we assumed that all requests from CDN or DDOS Service
were blocked.

The only way, I guess, to verify that our current schema works is to use
some arbitrary IP and see if our requests are blocked rather than the CDN
service IP being blocked.

We've looked into http://nginx.org/en/docs/http/ngx_http_realip_module.html
and are not sure if it is going to work.

As you saw in one of the examples, we have other services in front of us.
There are 2 cases:
User -> DDOS Service -> Our NGINX - X-Forwarded-For ex: 555.182.61.171, 333.101.98.188
User -> CDN -> DDOS Service -> Our NGINX - X-Forwarded-For ex: 555.182.61.171, 444.1.3.56, 555.12.34.567, 333.101.98.188

Will the realip module be able to identify the real IP of the end user?
Should we set the CIDRs of both the DDOS Service and the CDN Service as real IP tables:

set_real_ip_from  192.168.1.0/24;
set_real_ip_from  192.168.2.1;
set_real_ip_from  2001:0db8::/32;

Thanks again.

Sergey

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,265461,265491#msg-265491
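
A simplified model of how the realip module would choose the client address for the two topologies in the message above, assuming `real_ip_header X-Forwarded-For` with the DDOS-service and CDN ranges listed in `set_real_ip_from`, and comparing `real_ip_recursive` on and off. This is an added example, not part of the original message and not nginx's own code; `real_ip` and `is_trusted` are hypothetical helpers, and every address and range is a constructed documentation value.

```python
import ipaddress

# Constructed stand-ins for the DDOS-service and CDN ranges that would be
# listed with set_real_ip_from (documentation address space, not real ranges).
TRUSTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]


def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in TRUSTED)


def real_ip(peer, xff, recursive=True):
    """Simplified model of realip address selection (hypothetical helper).

    peer is the TCP peer nginx sees, xff the X-Forwarded-For value,
    recursive mirrors real_ip_recursive on/off.
    """
    current = peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):          # walk the chain right to left
        if not is_trusted(current):
            break                       # first untrusted address is the client
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                       # unparsable entry: keep last good address
        current = hop
        if not recursive:
            break                       # non-recursive: take only the last entry
    return current


if __name__ == "__main__":
    ddos_edge = "198.51.100.7"          # constructed peer inside a trusted range
    samples = {
        "User -> DDOS -> NGINX": "203.0.113.10, 198.51.100.20",
        "User -> CDN -> DDOS -> NGINX": "203.0.113.10, 192.0.2.5, 192.0.2.6, 198.51.100.20",
        "client-supplied first entry": "10.1.1.1, 203.0.113.10, 198.51.100.20",
    }
    for name, xff in samples.items():
        print(name, "->", real_ip(ddos_edge, xff), "| non-recursive:",
              real_ip(ddos_edge, xff, recursive=False))
```

With `limit_req_zone` keyed on `$binary_remote_addr`, the non-recursive result means every user arriving through the same service node shares one rate-limit bucket, while the recursive walk stops at the first address outside the trusted ranges and ignores anything a client prepended to the header.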


