Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk nginx-forum at forum.nginx.org
Wed Sep 14 12:23:27 UTC 2016


Yeah, the reason it does not work behind CloudFlare is that limit_conn
and limit_req are blocking the CloudFlare server IP for making too many
requests. So that is why I am receiving the DOS output "503 service
unavailable".

And I don't fancy building a whitelist of IPs since it would require
manually updating a lot. The CloudFlare server IPs would need excluding
from the $binary_remote_addr output.


Currently I am using my first method and it works great.

c0nw0nk Wrote:
-------------------------------------------------------
> limit_req_zone $http_cf_connecting_ip zone=one:10m rate=30r/m;
> limit_conn_zone $http_cf_connecting_ip zone=addr:10m;
> 
> location ~ \.mp4$ {
>     limit_conn addr 10; #Limit open connections from same ip
>     limit_req zone=one; #Limit max number of requests from same ip
>
>     mp4;
>     limit_rate_after 1m; #Limit download rate
>     limit_rate 1m; #Limit download rate
>     root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
>     expires max;
>     valid_referers none blocked networkflare.com *.networkflare.com;
>     if ($invalid_referer) {
>         return 403;
>     }
> }

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269502,269572#msg-269572
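
An added example, not part of the original post or of nginx's own documentation: a variant of the zones above that keys on CF-Connecting-IP only when the peer is a trusted proxy and falls back to the peer address otherwise, because nginx does not account requests whose zone key is empty. The variable names ($from_trusted_proxy, $limit_key, $cf_ip), the server name and the two address ranges are assumptions; the ranges are documentation placeholders, not CloudFlare's.

```nginx
# Added example (http{} context). Placeholder ranges from RFC 5737;
# substitute the proxy ranges published by your CDN.
geo $from_trusted_proxy {
    default          0;
    192.0.2.0/24     1;   # placeholder, not a real CloudFlare range
    198.51.100.0/24  1;   # placeholder, not a real CloudFlare range
}

# Choose the rate-limit key:
#   trusted peer + header present -> client address from the header
#   anything else                 -> address of the connecting peer
# An empty key would exempt the request from limit_req/limit_conn,
# so the default branch guarantees the key is never empty.
map "$from_trusted_proxy:$http_cf_connecting_ip" $limit_key {
    default               $binary_remote_addr;
    "~^1:(?<cf_ip>.+)$"   $cf_ip;
}

limit_req_zone  $limit_key zone=one:10m rate=30r/m;
limit_conn_zone $limit_key zone=addr:10m;

server {
    listen 80;
    server_name example.com;   # hypothetical

    location ~ \.mp4$ {
        limit_conn addr 10;    # open connections per key
        limit_req  zone=one;   # request rate per key

        # Log rejected requests at a level that is easy to alert on.
        limit_req_log_level  warn;
        limit_conn_log_level warn;
    }
}
```

With this map, requests reaching the origin without passing through a listed proxy are limited per connecting address regardless of any CF-Connecting-IP header they carry.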
