Welcome! Log In Create A New Profile

Advanced

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

September 13, 2016 04:51AM
I was going to do a cookie method but its bad because on browsers with no cookies that make legitimate requests (first time visitors maybe that don't have a cookie set) or browsers on legitimate users who disable cookies or use extensions / add-ons to only whitelist cookies from sites they specifically allow like facebook, youtube etc.

So that's why I decide to peruse the connection and requests per second / min limits because it can't be spoofed by the server proxying / making the request.

It is so easy for me to proxy and spoof those client headers its pretty funny.

proxy_set_header "User-Agent" "custom agent";
proxy_set_header "Cookie" "cookiename=cookievalue";
proxy_set_header "Referer" "networkflare.com";

And my example above is why I am not trusting the client for anything and want to go with the one thing they can't fake to me their IP.




gariac Wrote:
-------------------------------------------------------
> ‎What about Roboo? It requires a cookie on the website before the
> download takes place. (My usual warning this is my understanding of
> how it works, but I have no first hand knowledge.) I presume the hot
> linkers won't have the cookie.
>
> https://github.com/yuri-gushin/Roboo
>
>   Original Message  
> From: c0nw0nk
> Sent: Tuesday, September 13, 2016 1:09 AM
> To: nginx@nginx.org
> Reply To: nginx@nginx.org
> Subject: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's
> servers
>
> So I noticed some unusual stuff going on lately mostly to do with
> people
> using proxies to spoof / fake that files from my sites are hosted of
> their
> sites.
>
> Sitting behind CloudFlare the only decent way I can come up with to
> prevent
> these websites who use proxy_pass and proxy_set_header to pretend that
> files
> they are really hotlinking of my site is on and hosted by theirs is
> using
> Nginx's built in Anti-DDoS feature.
>
> Now if I was to use "$binary_remote_addr" I would end up blocking
> CloudFlare
> IP's from serving traffic but CloudFlare do provide us with the real
> IP
> address of users that pass through their service.
> It comes in the form of "HTTP_CF_CONNECTING_IP"
>
> But when it comes to limiting files that are being hot linked to break
> their
> servers from serving traffic they are stealing from mine I don't know
> if I
> should be using "$http_cf_connecting_ip" or the equivalent with
> "$binary_"
> ?
>
> limit_req_zone $http_cf_connecting_ip zone=one:10m rate=30r/m;
> limit_conn_zone $http_cf_connecting_ip zone=addr:10m;
>
> location ~ \.mp4$ {
> limit_conn addr 10; #Limit open connections from same ip
> limit_req zone=one; #Limit max number of requests from same ip
>
> mp4;
> limit_rate_after 1m; #Limit download rate
> limit_rate 1m; #Limit download rate
> root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
> expires max;
> valid_referers none blocked networkflare.com *.networkflare.com;
> if ($invalid_referer) {
> return 403;
> }
> }
>
> So the above is my config that should work I have not tested it yet
> but I
> really wanted to know what the purpose of the "$binary_" on these
> would be
> and if i should make them resemble this. (Not even sure if the below
> is
> correct I am sure someone will correct me if
> "$binary_http_cf_connecting_ip"
> won't work.)
>
> limit_req_zone $binary_http_cf_connecting_ip zone=one:10m rate=30r/m;
> limit_conn_zone $binary_http_cf_connecting_ip zone=addr:10m;
>
> Thanks for reading :) looking forward to anyone's better idea's /
> solutions
> and also recommended changes to preventing stealing of my bandwidth on
> these
> kinds of static files that can be up to >=2GB in size.
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,269502,269502#msg-269502
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

http://www.networkflare.com/
Subject Author Posted

Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 04:09AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

gariac September 13, 2016 04:34AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 04:51AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 05:34AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

gariac September 13, 2016 05:36AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 05:51AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 07:16AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Reinis Rozitis September 13, 2016 07:26AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 08:07AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 08:17AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Reinis Rozitis September 13, 2016 08:26AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 09:08AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

B.R. September 13, 2016 10:08AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 10:41AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

itpp2012 September 13, 2016 03:36PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 04:07PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 08:02PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

itpp2012 September 14, 2016 12:48AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 14, 2016 04:10AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

itpp2012 September 14, 2016 06:52AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 14, 2016 08:23AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Francis Daly September 13, 2016 07:24PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

FinalX September 14, 2016 07:06AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Reinis Rozitis September 14, 2016 07:34AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

B.R. September 14, 2016 09:02AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 253
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready