Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

B.R. reallfqq-nginx at yahoo.fr
Wed Sep 14 13:00:16 UTC 2016


On Wed, Sep 14, 2016 at 2:23 PM, c0nw0nk <nginx-forum at forum.nginx.org>
wrote:

> Yeah the reason it does not work behind CloudFlare is because the
> limit_conn and limit_req is blocking the CloudFlare server IP for making
> too many requests. So that is why I am receiving the DOS output "503
> service unavailable"
>

Misconfiguration.

> And I don't fancy building a whitelist of IPs since it would require
> manually updating a lot. The CloudFlare server IPs would need excluding
> from the $binary_remote_addr output.
>

Void argument.
If you did your homework, you would have realized the list provided in the
example is taken from CloudFlare's published IP addresses, which are also
conveniently delivered in text format to ease the job of automatic
grabbing. You'll have to choose if you want to fully automate the
verification/update of those IP addresses or if you want to introduce
manual check/action in the process.

> Currently I am using my first method and it works great.
>

It has been several times you have been stating that already. There is no
point in asking for help if you won't listen to the answers.
Glad with your resource-greedy unoptimized way?

Fine. End of transmission.
Others who are seeking the best practices regarding combining
limit_req, limit_rate and the realip module will find all the information
already available.

Best of luck in your proceedings,
---
*B. R.*
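
The automated list update mentioned in the reply above, as an added example that is not part of the original message: it validates a downloaded range list and renders realip directives, so that `$binary_remote_addr` in limit_req and limit_conn zones reflects the visitor rather than the proxy. The sample ranges are constructed documentation prefixes, and the `CF-Connecting-IP` header name and all function names are assumptions not stated in the thread.

```python
import ipaddress

# Constructed sample standing in for the provider's published text list
# (documentation prefixes, not real CloudFlare ranges). The last three lines
# mimic what a broken or tampered download could contain.
SAMPLE_LIST = """\
192.0.2.0/24
198.51.100.0/24

2001:db8::/32
203.0.113.7/24
0.0.0.0/0
<html>502 Bad Gateway</html>
"""

def parse_ranges(text):
    """Return (valid_networks, rejected_lines) from a one-CIDR-per-line list."""
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (203.0.113.7/24)
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(line)
            continue
        # Trusting a catch-all range would let any client choose its own address.
        if net.prefixlen == 0:
            rejected.append(line)
            continue
        valid.append(net)
    return sorted(set(valid), key=lambda n: (n.version, n)), rejected

def render_realip_conf(networks, header="CF-Connecting-IP"):
    """Render an nginx snippet for the http block (needs the realip module)."""
    lines = [f"set_real_ip_from {net};" for net in networks]
    lines.append(f"real_ip_header {header};")
    return "\n".join(lines) + "\n"

def build_conf(text):
    """Fail closed: emit nothing if any line of the list failed validation."""
    networks, rejected = parse_ranges(text)
    if rejected or not networks:
        raise ValueError(f"refusing to update, bad lines: {rejected}")
    return render_realip_conf(networks)
```

Whether a rejected line should abort the update or raise an alert for manual review is the automate-or-check choice described in the reply; this sketch aborts.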