Welcome! Log In Create A New Profile

Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Forum List Message List New Topic Print View

c0nw0nk

September 13, 2016 04:09AM

Registered: 10 years ago
Posts: 210

So I noticed some unusual stuff going on lately mostly to do with people using proxies to spoof / fake that files from my sites are hosted of their sites.

Sitting behind CloudFlare the only decent way I can come up with to prevent these websites who use proxy_pass and proxy_set_header to pretend that files they are really hotlinking of my site is on and hosted by theirs is using Nginx's built in Anti-DDoS feature.

Now if I was to use "$binary_remote_addr" I would end up blocking CloudFlare IP's from serving traffic but CloudFlare do provide us with the real IP address of users that pass through their service.
It comes in the form of "HTTP_CF_CONNECTING_IP"

But when it comes to limiting files that are being hot linked to break their servers from serving traffic they are stealing from mine I don't know if I should be using "$http_cf_connecting_ip" or the equivalent with "$binary_" ?

limit_req_zone $http_cf_connecting_ip zone=one:10m rate=30r/m;
limit_conn_zone $http_cf_connecting_ip zone=addr:10m;

location ~ \.mp4$ {
limit_conn addr 10; #Limit open connections from same ip
limit_req zone=one; #Limit max number of requests from same ip

mp4;
limit_rate_after 1m; #Limit download rate
limit_rate 1m; #Limit download rate
root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
expires max;
valid_referers none blocked networkflare.com *.networkflare.com;
if ($invalid_referer) {
return 403;
}
}

So the above is my config that should work I have not tested it yet but I really wanted to know what the purpose of the "$binary_" on these would be and if i should make them resemble this. (Not even sure if the below is correct I am sure someone will correct me if "$binary_http_cf_connecting_ip" won't work.)

limit_req_zone $binary_http_cf_connecting_ip zone=one:10m rate=30r/m;
limit_conn_zone $binary_http_cf_connecting_ip zone=addr:10m;

Thanks for reading :) looking forward to anyone's better idea's / solutions and also recommended changes to preventing stealing of my bandwidth on these kinds of static files that can be up to >=2GB in size.

http://www.networkflare.com/

Reply Quote

RSS

Subject	Author	Posted
Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 04:09AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	gariac	September 13, 2016 04:34AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 04:51AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 05:34AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	gariac	September 13, 2016 05:36AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 05:51AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 07:16AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	Reinis Rozitis	September 13, 2016 07:26AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 08:07AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 08:17AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	Reinis Rozitis	September 13, 2016 08:26AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 09:08AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	B.R.	September 13, 2016 10:08AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 10:41AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	itpp2012	September 13, 2016 03:36PM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 04:07PM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 13, 2016 08:02PM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	itpp2012	September 14, 2016 12:48AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 14, 2016 04:10AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	itpp2012	September 14, 2016 06:52AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	c0nw0nk	September 14, 2016 08:23AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	Francis Daly	September 13, 2016 07:24PM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	FinalX	September 14, 2016 07:06AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	Reinis Rozitis	September 14, 2016 07:34AM
Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers	B.R.	September 14, 2016 09:02AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 306

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018