limit_req is not working with dynamically extracted user address
Maxim Dounin
mdounin at mdounin.ru
Fri Mar 18 15:10:30 UTC 2016
Hello!
On Fri, Mar 18, 2016 at 10:48:56AM -0400, malish8632 wrote:
> > How did you find that limit_req uses a wrong element?
>
> We don't know if this is limit_req - in reality we were just looking into
> logs and I guess that's what confused us. We observed those IPs and rolled
> back the changes as we assumed that all requests from CDN or DDOS Service
> were blocked.
>
> The only way, I guess, to verify that our current schema works is to use
> some arbitrary IP and see if our requests are blocked rather than the CDN
> service IP being blocked.
Ok, so no problem here.
> We've looked into http://nginx.org/en/docs/http/ngx_http_realip_module.html
> and not sure if it is going to work.
>
> As you saw one of the examples we have other services in front of us.
> There are 2 cases:
> User -> DDOS Service -> Our NGINX - X-Forwarded-For ex:
> 555.182.61.171, 333.101.98.188
> User -> CDN -> DDOS Service -> Our NGINX - X-Forwarded-For ex:
> 555.182.61.171, 444.1.3.56, 555.12.34.567, 333.101.98.188
>
> Will the realip module be able to identify the real IP of the end user?
> Should we set CIDR of both DDOS Service and CDN Service as real ip tables:
>
> set_real_ip_from 192.168.1.0/24;
> set_real_ip_from 192.168.2.1;
> set_real_ip_from 2001:0db8::/32;
The realip module uses the last non-trusted address from the header
(assuming real_ip_recursive is set). So you have to instruct it
to trust the addresses of your DDoS mitigation service and CDN, e.g.:
set_real_ip_from <DDoS mitigation service IPs>;
set_real_ip_from <CDN IPs>;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
--
Maxim Dounin
http://nginx.org/
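The selection rule Maxim describes, as an added example that is not part of the original thread and not nginx's own code: a small Python model of how the realip module walks X-Forwarded-For from right to left with real_ip_recursive on, skipping every address covered by set_real_ip_from, compared with the non-recursive behaviour. The trusted ranges and all addresses are constructed RFC 5737 documentation values standing in for the DDoS mitigation service and CDN ranges.

```python
# Added example: models the address the realip module reports as the client
# for the two chains quoted in the thread. Not nginx's code; every address and
# range below is a constructed documentation value.
import ipaddress

# Stand-ins for "set_real_ip_from <DDoS mitigation service IPs>" and
# "set_real_ip_from <CDN IPs>" (constructed, not real vendor ranges).
DDOS_SERVICE = ipaddress.ip_network("203.0.113.0/24")
CDN = ipaddress.ip_network("198.51.100.0/24")
TRUSTED = [DDOS_SERVICE, CDN]


def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED)


def real_ip(peer: str, xff: str, recursive: bool) -> str:
    """Return the address nginx would use as the client for limit_req etc.

    peer: address of the TCP peer (the DDoS service in the quoted setup).
    xff:  X-Forwarded-For value, comma separated, leftmost hop first.
    """
    # Only a connection arriving from a trusted proxy gets its address
    # replaced; a header sent directly by an arbitrary client is ignored.
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return peer
    if not recursive:
        # real_ip_recursive off: the rightmost entry wins even when it is
        # just the next trusted proxy, which is how a whole CDN or DDoS
        # service ends up rate limited as if it were one client.
        return hops[-1]
    # real_ip_recursive on: walk right to left past trusted proxies; the
    # first address not in set_real_ip_from is the end user. Any entries
    # further left (client supplied or spoofed) are never consulted.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Every entry was a trusted proxy: fall back to the leftmost one.
    return hops[0]
```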