nginx directives geo and map behind proxy

Francis Daly francis at daoine.org
Thu Mar 14 18:33:37 UTC 2019


On Tue, Mar 12, 2019 at 06:22:30AM -0400, gogan wrote:

Hi there,

> We want to limit requests with limit_req_zone in nginx. Using it directly
> connected to the loadbalancer is fine. It works great, but connections
> coming from myracloud are not limited. Guess nginx is evaluating ip address
> before extracting real client ip from proxy. So, is there a way to solve the
> problem?

My testing suggests that the realip side sets $remote_addr correctly,
and that the geo side uses the correct $remote_addr.

Can you show config / example / logs of the problem that you are reporting?

If you repeat the test below, do you see something different?

==
http {
  geo $geo {
    default unknown;
    127.0.0.1 one;
    127.0.0.3 three;
    127.0.0.10 ten;
  }
  server {
    listen 8000;
    set_real_ip_from 127.0.0.10;
    real_ip_header CF-Connecting-IP;

    location = /ip {
      return 200 "\nCF-Connecting-IP: $http_cf_connecting_ip;\nremote: $remote_addr;\nreal: $realip_remote_addr;\ngeo $geo;\n";
    }

  }
}
==


# Send the header, and connect from a trusted address; remote and geo
# are based on the address from the header:
$ curl -H CF-Connecting-IP:127.0.0.3 http://127.0.0.10:8000/ip

CF-Connecting-IP: 127.0.0.3;
remote: 127.0.0.3;
real: 127.0.0.10;
geo three;


# Send the header, but connect from an untrusted address; remote and
# geo are based on the untrusted address:
$ curl -H CF-Connecting-IP:127.0.0.3 http://127.0.0.1:8000/ip

CF-Connecting-IP: 127.0.0.3;
remote: 127.0.0.1;
real: 127.0.0.1;
geo one;

Have I misunderstood what you are doing?

	f
-- 
Francis Daly        francis at daoine.org
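
Added example, not part of the original message or of nginx's own documentation: the test configuration above extended to the limit_req_zone case from the question, with geo and map choosing the rate-limit key after realip has rewritten the client address. The zone name, rate, burst, exempt address and the X-Debug-* response headers are assumptions chosen for illustration.

```nginx
events {}

http {
  # geo is evaluated against $remote_addr, which realip has already
  # replaced with the header value for connections from a trusted peer.
  geo $limited {
    default 1;
    127.0.0.1 0;   # constructed: an address exempt from limiting
  }

  # An empty key means the request is not accounted in the zone.
  map $limited $limit_key {
    0 "";
    1 $binary_remote_addr;
  }

  limit_req_zone $limit_key zone=per_client:10m rate=5r/s;

  server {
    listen 8000;

    # Trust the header only when the TCP peer is the proxy itself.
    # A broader set_real_ip_from would let any client choose its own
    # rate-limit key by sending the header.
    set_real_ip_from 127.0.0.10;
    real_ip_header CF-Connecting-IP;

    location / {
      # limit_req runs in the preaccess phase. A "return" in this location
      # would finish the request in the rewrite phase, before the limit is
      # checked, so content is served from the default root instead.
      limit_req zone=per_client burst=10 nodelay;
      limit_req_status 429;

      # Debug headers (assumed names) to confirm which address was used.
      add_header X-Debug-Remote $remote_addr always;
      add_header X-Debug-Peer $realip_remote_addr always;
      add_header X-Debug-Limited $limited always;
    }
  }
}
```

Requests sent through 127.0.0.10 with different CF-Connecting-IP values should land in separate buckets, while the same header sent from any other peer is ignored and the peer's own address is the key.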

