set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Maxim Dounin mdounin at mdounin.ru
Tue Feb 28 13:40:15 UTC 2017 

Hello!

On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote:

> Hello,
> I tried to limit an IPv4 Address with ngx_http_limit_req module and
> ngx_realip_module via Akamai would send True-Client-IP headers.
> 
> According to the document ngx_http_readip_module(
> http://nginx.org/en/docs/http/ngx_http_realip_module.html),
> we can write set_real_ip_from and real-_ip_header directive in http,
> server, location context.
> 
> But, in the above case(ngx_http_limit_req module is defined the key in http
> context), directives on ngx_http_realip_module must be defined before the
> keys(a.k.a replaced IPv4 adress by ngx_http_realip_module) and followed
> limit_req_zone directive in http context.

Not really.  There is no such requirement, that is, there is need 
to place limit_req_zone and set_real_ip_from on the same level or 
even in a particular order.

For example, the following configuration will work perfectly:

    limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
    limit_req zone=limit;
                
    server {
        listen 80;
                
        location / {
            set_real_ip_from 127.0.0.1;
            real_ip_header X-Real-IP;
        }
   }

A problem may happen though if you configured the realip module in 
a location context, but use the address in different contexts.  
For example, the following will limit requests based on the 
connection's address, not the one set with realip:

    limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
    limit_req zone=limit;

    server {
        listen 80;

        location / {
            try_files $uri @fallback;
        }

        location @fallback {
            set_real_ip_from 127.0.0.1;
            real_ip_header X-Real-IP;
            proxy_pass ...
        }
    }

In the above configuration, limit_req will work at the "location /" 
context, and the realip module in "location @fallback" won't be 
effective.  For more confusion, the $remote_addr variable will be 
cached once used by limit_req, and attempts to use it even in the 
location @fallback will return the original value, not changed by 
the realip module.

Summing up the above, it is certainly possible to use the realip 
module with limit_req regardless of levels.  They may interact 
unexpectedly in complex configurations though, and hence it is 
a good idea to avoid using set_real_ip_from / real_ip_header in 
location context unless you understand what you are doing.

-- 
Maxim Dounin
http://nginx.org/

More information about the nginx mailing list