limit_req_zone for IPv6 subnets

Maxim Dounin mdounin at
Sun Apr 4 23:13:36 UTC 2021


On Sun, Apr 04, 2021 at 10:13:46PM +0200, Christian Staudte wrote:

> regarding rate limiting in IPv6 configurations I see the following
> problem: As normally a subnet between a /56 and a /64 is assigned to a
> client by an ISP, and both $binary_remote_addr and $remote_addr always
> contain the whole IPv6 address, a single client can always spoof the
> rate limiter by simply choosing another IPv6 address from his own subnet.
> Currently I have two options to avoid this:
> a) Disabling IPv6 (well, not really considering that)
> b) Using application-level rate limiting in PHP which is awkwardly slow
> Did I miss some configuration options or some dirty hack to do the rate
> limit matching for example on /64 subnets, or is this simply not
> possible in nginx?

You can use anything as a key in limit_req_zone, including your 
own variables.  If you want to limit IPv6 addresses per /64 
subnets, something like this should work:

map $binary_remote_addr $subnet {
    "~^(\C{8})"         $1;
    default             $binary_remote_addr;

limit_req_zone $subnet zone=one:10m rate=1r/s;

Maxim Dounin

More information about the nginx mailing list