nginx directives geo and map behind proxy

Francis Daly francis at
Sat Mar 16 09:33:12 UTC 2019

On Fri, Mar 15, 2019 at 10:34:40AM -0400, gogan wrote:

Hi there,

> In both situations I see real client IP addresses in server log on
> webservers and proxy/loadbalancer.
> In situation 1 traffic is general limited without exceptions. 
> In situation 2 traffic is limited as expected, all is fine.

> geo $limited {
>   default 0;
>   x.x.x.x 1;
> }    
> map $limited $botlimit {
>   1 '';
>   0 $remote_addr;
> }

That config says that requests with $remote_addr set to x.x.x.x should
not be limited, and everything else should be limited.

> # get x-real-ip from myracloud
> set_real_ip_from x.x.x.x;
> real_ip_header   CF-Connecting-IP;

The comment mentions x-real-ip, but the code says CF-Connecting-IP. 

Does myracloud set the Cloudflare header?

If you temporarily add the config stanza to nginx at server level:

  location = /iptest {
    return 200 "CF-Connecting-IP: $http_cf_connecting_ip;\nX-Real-IP: $http_x_real_ip\n;remote_addr: $remote_addr;\nreal remote: $realip_remote_addr;\ngeo: $limited;\nbotlimit: $botlimit\n";

and make some requests for /iptest, which lines show the address x.x.x.x
and which lines show the real client IP address?

That might help show what the actual incoming requests look like.

Francis Daly        francis at

More information about the nginx mailing list