Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk nginx-forum at forum.nginx.org
Tue Sep 13 13:08:15 UTC 2016 

Reinis Rozitis Wrote:
-------------------------------------------------------
> > But that book says it is to reduce the memory footprint  ?
> 
> Correct, but that is for that specific varible.
> 
> You can't take $http_cf_connecting_ip  which is a HTTP header comming
> from 
> Cloudflare and prepend $binary_ just to "lower memory footprint".
> There is no such functionality.
> 
> 
> What you might do is still use $binary_remote_addr but in combination
> with 
> RealIP module (
> http://nginx.org/en/docs/http/ngx_http_realip_module.html ):
> 
> real_ip_header CF-Connecting-IP;
> 
> Detailed guide from Cloudflare:
> ( 
> https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-re
> store-original-visitor-IP-with-Nginx- 
>  )
> 
> 
> Theoretically it should work but to be sure you would need to test it
> or ask 
> a nginx dev for confirmation if the realip module takes precedence and
> 
> updates also the ip binary variable before the limit_req module.
> 
> rr 
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


Thanks for the info :) For now I will just stick with what I know is
currently working either way I believe the stored key in memory won't be
compressed due to being behind cloudflare's reverse proxy as you said only
$binary_remote_addr is compressing their IP to reduce memory footprint.

Here is my config for anyone who wants to test or play around same as in
original email.

map $http_cf_connecting_ip $client_ip_from_cf {
default $http_cf_connecting_ip;
}

limit_req_zone $client_ip_from_cf zone=one:10m rate=30r/m;
limit_conn_zone $client_ip_from_cf zone=addr:10m;

location ~ \.mp4$ {
limit_conn addr 10; #Limit open connections from same ip
limit_req zone=one; #Limit max number of requests from same ip

mp4;
limit_rate_after 1m; #Limit download rate
limit_rate 1m; #Limit download rate
root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
expires max;
valid_referers none blocked networkflare.com *.networkflare.com;
if ($invalid_referer) {
return 403;
}
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269502,269521#msg-269521

More information about the nginx mailing list