nginx directives geo and map behind proxy

Francis Daly francis at daoine.org
Sat Mar 16 09:33:12 UTC 2019


On Fri, Mar 15, 2019 at 10:34:40AM -0400, gogan wrote:

Hi there,

> In both situations I see real client IP addresses in server log on
> webservers and proxy/loadbalancer.
> 
> In situation 1 traffic is general limited without exceptions. 
> In situation 2 traffic is limited as expected, all is fine.

> geo $limited {
>   default 0;
>   x.x.x.x 1;
> }    
>  
> map $limited $botlimit {
>   1 '';
>   0 $remote_addr;
> }

That config says that requests with $remote_addr set to x.x.x.x should
not be limited, and everything else should be limited.

> # get x-real-ip from myracloud
> set_real_ip_from x.x.x.x;
> 
> real_ip_header   CF-Connecting-IP;

The comment mentions x-real-ip, but the code says CF-Connecting-IP. 

Does myracloud set the Cloudflare header?

If you temporarily add the config stanza to nginx at server level:

  location = /iptest {
    return 200 "CF-Connecting-IP: $http_cf_connecting_ip;\nX-Real-IP: $http_x_real_ip\n;remote_addr: $remote_addr;\nreal remote: $realip_remote_addr;\ngeo: $limited;\nbotlimit: $botlimit\n";
  }

and make some requests for /iptest, which lines show the address x.x.x.x
and which lines show the real client IP address?

That might help show what the actual incoming requests look like.

	f
-- 
Francis Daly        francis at daoine.org


More information about the nginx mailing list