Welcome! Log In Create A New Profile

Advanced

Re: Whitelisting IP addresses for ratelimiting

Maxim Dounin
July 25, 2012 09:48AM
Hello!

On Wed, Jul 25, 2012 at 01:53:41PM +0100, James Fidell wrote:

> I have my configuration set up based on the information at
> http://gadelkareem.com/2012/03/25/limit-requests-per-ip-on-nginx-using-httplimitzonemodule-and-httplimitreqmodule-except-whitelist/
> as follows:
>
> http {
> ...
> geo $unlimited {
> default 1;
> 192.168.45.56/32 0;
> }
> ...
> limit_req_zone $binary_remote_addr zone=unlimited:10m rate=10r/m;
> ...
> server {
> ...
> location / {
> limit_req zone=unlimited burst=5;
> }
> }
> }
>
> I believe this should mean that requests from IP address 192.168.45.56
> are not subject to the rate limiting, but it isn't working (they do get
> blocked by the rate limiting) and I can't see why.
>
> Is my configuration obviously wrong somewhere?

Yes, it's obviously wrong, as well as blogpost you've followed.
You don't use $unlimited variable anywhere in your config, and
just use $binary_remote_addr for limiting without any exceptions.

To make an exception, you have to provide empty value for a
variable in limit_req_zone (see http://nginx.org/r/limit_req_zone).

Correct config for exceptions based geo would be (involving
intermediate map as geo doesn't allow variables in a resulting
value):

geo $limited {
default 1;
192.168.45.56/32 0;
}

map $limited $limit {
1 $binary_remote_addr;
0 "";
}

limit_req_zone $limit zone=foo:1m rate=10r/m;
limit_req zone=foo burst=5;

As you can see from the above config, limit_req_zone now works
based on a $limit variable, which is either client address, or an
empty string. In a latter case client isn't limited.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
SubjectAuthorPosted

Whitelisting IP addresses for ratelimiting

James FidellJuly 25, 2012 08:54AM

Re: Whitelisting IP addresses for ratelimiting

James FidellJuly 25, 2012 08:58AM

Re: Whitelisting IP addresses for ratelimiting

Maxim DouninJuly 25, 2012 09:48AM

Re: Whitelisting IP addresses for ratelimiting

James FidellJuly 25, 2012 10:02AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 127
Record Number of Users: 7 on March 06, 2014
Record Number of Guests: 229 on August 01, 2014
Powered by nginx    Powered by FreeBSD    PHP Powered    Powered by Percona     ipv6 ready