limit_req_zone for IPv6 subnets

Christian Staudte christian at
Sun Apr 4 20:13:46 UTC 2021


Regarding rate limiting in IPv6 configurations, I see the following
problem: As normally a subnet between a /56 and a /64 is assigned to a
client by an ISP, and both $binary_remote_addr and $remote_addr always
contain the whole IPv6 address, a single client can always spoof the
rate limiter by simply choosing another IPv6 address from his own subnet.

Currently I have two options to avoid this:
a) Disabling IPv6 (well, not really considering that)
b) Using application-level rate limiting in PHP which is awkwardly slow

Did I miss some configuration options or some dirty hack to do the rate
limit matching for example on /64 subnets, or is this simply not
possible in nginx?

Regards, Chris
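
Added example, not part of the original post and not nginx code: a sketch of the keying logic the question asks about, where a limiter buckets IPv6 clients by their /64 network instead of the full address, so addresses rotated within one subnet share a single counter. The names `limit_key` and `FixedWindowLimiter` are hypothetical, and the /64 default is an assumption taken from the range mentioned in the post (pass 56 for ISPs that delegate a /56).

```python
import ipaddress
from collections import defaultdict

V6_PREFIX = 64  # assumption: smallest prefix in the /56../64 range named in the post


def limit_key(addr: str, v6_prefix: int = V6_PREFIX) -> str:
    """Return the rate-limit bucket key for a client address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:a.b.c.d is really an IPv4 client
    if ip.version == 4:
        return str(ip)                 # IPv4: one address, one bucket
    # strict=False masks the host bits instead of rejecting them
    net = ipaddress.IPv6Network(f"{ip}/{v6_prefix}", strict=False)
    return str(net)


class FixedWindowLimiter:
    """Allow at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)   # (key, window index) -> requests seen

    def allow(self, addr: str, now: float) -> bool:
        slot = (limit_key(addr), int(now // self.window))
        self.counts[slot] += 1
        return self.counts[slot] <= self.limit


def demo():
    # Constructed sample: one client rotating through its own /64
    # (2001:db8::/32 is the documentation prefix).
    rotating = [f"2001:db8:0:1::{i:x}" for i in range(1, 7)]
    limiter = FixedWindowLimiter(limit=3, window=1.0)
    return [limiter.allow(a, now=0.5) for a in rotating]


if __name__ == "__main__":
    print(demo())
```

Keying on the parsed address rather than on its text form matters because the textual representation compresses zero groups, so a prefix cut out of the string is not reliable.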
