limit_req_zone for IPv6 subnets
Thomas Ward
teward at thomas-ward.net
Sun Apr 4 22:57:58 UTC 2021
I dont think limit_req works on CIDR rather individual IPs. At least per the description of the module for limiting requests, it works on a single IP level not on a CIDR range level and I don't immediately see a way to make that happen - whether IPv4 or IPv6.Sent from my T-Mobile 4G LTE Device
-------- Original message --------From: Christian Staudte <christian at staudte.it> Date: 4/4/21 16:14 (GMT-05:00) To: nginx at nginx.org Subject: limit_req_zone for IPv6 subnets Hello,regarding rate limiting in IPv6 configurations I see the followingproblem: As normally a subnet between a /56 and a /64 is assigned to aclient by an ISP, and both $binary_remote_addr and $remote_addr alwayscontain the whole IPv6 address, a single client can always spoof therate limiter by simply choosing another IPv6 address from his own subnet.Currently I have two options to avoid this:a) Disabling IPv6 (well, not really considering that)b) Using application-level rate limiting in PHP which is awkwardly slowDid I miss some configuration options or some dirty hack to do the ratelimit matching for example on /64 subnets, or is this simply notpossible in nginx?Regards, Chris_______________________________________________nginx mailing listnginx at nginx.orghttp://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20210404/359040fb/attachment.htm>
More information about the nginx
mailing list