limit_req_zone for IPv6 subnets
Christian Staudte
christian at staudte.it
Sun Apr 4 20:13:46 UTC 2021
Hello,
regarding rate limiting in IPv6 configurations I see the following
problem: As normally a subnet between a /56 and a /64 is assigned to a
client by an ISP, and both $binary_remote_addr and $remote_addr always
contain the whole IPv6 address, a single client can always spoof the
rate limiter by simply choosing another IPv6 address from his own subnet.
Currently I have two options to avoid this:
a) Disabling IPv6 (well, not really considering that)
b) Using application-level rate limiting in PHP which is awkwardly slow
Did I miss some configuration options or some dirty hack to do the rate
limit matching for example on /64 subnets, or is this simply not
possible in nginx?
Regards, Chris
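
The keying idea the question asks about, as an added example that is not part of the original post and is not nginx configuration: a Python sketch that rate-limits on the /64 (or /56) network instead of the full IPv6 address. The names limit_key and FixedWindowLimiter, the choice of /64 as the default and the sample addresses are assumptions made for illustration.

```python
import ipaddress

V6_PREFIX = 64  # assumption: one /64 is one client; pass 56 for a coarser key


def limit_key(addr: str, v6_prefix: int = V6_PREFIX) -> str:
    """Rate-limit key: the full address for IPv4, the enclosing network for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is an IPv4 client on a dual-stack socket
    if ip.version == 4:
        return str(ip)
    # strict=False masks the host bits instead of rejecting them
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class FixedWindowLimiter:
    """Allow at most `rate` requests per key in each `window` seconds."""

    def __init__(self, rate: int, window: float = 1.0):
        self.rate = rate
        self.window = window
        self.state = {}  # key -> (window index, request count in that window)

    def allow(self, addr: str, now: float) -> bool:
        key = limit_key(addr)
        win = int(now // self.window)
        start, count = self.state.get(key, (win, 0))
        if start != win:  # a new window has begun, so the counter restarts
            count = 0
        self.state[key] = (win, count + 1)
        return count + 1 <= self.rate


def demo() -> int:
    """Constructed sample: 20 requests in one second, each from a
    different address inside the same /64 (documentation prefix)."""
    limiter = FixedWindowLimiter(rate=5)
    rotating = [f"2001:db8:1:2::{i:x}" for i in range(1, 21)]
    return sum(limiter.allow(a, now=100.0) for a in rotating)


if __name__ == "__main__":
    print("allowed", demo(), "of 20 requests from one /64")
```

Keyed on the full address, all 20 requests in the demo would pass, because each address is seen only once.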