Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk, September 13, 2016 10:41AM
B.R. Wrote:
-------------------------------------------------------
> You were just told the best way to get a meaningful
> $binary_remote_addr
> variable using CloudFlare, with the added bonus of a list of network
> ranges
> to use with set_real_ip_from to only filter out CloudFlare's IP
> addresses
> as sources to be replaced and avoid false positives.
>
> Using the $binary_remote_addr variable takes less space inside your
> fixed-sized zone, thus allowing to store more entries.
> I suggest you carefully read on the impacts of filling-up the zone
> memory
> and why using as little data per client is highly advised in
> limit_req_zone
> <http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone>
> directive docs as you do not seem to know what you are doing...
> ---
> *B. R.*
>
> On Tue, Sep 13, 2016 at 3:08 PM, c0nw0nk <nginx-forum@forum.nginx.org>
> wrote:
>
> > Reinis Rozitis Wrote:
> > -------------------------------------------------------
> > > > But that book says it is to reduce the memory footprint ?
> > >
> > > Correct, but that is for that specific variable.
> > >
> > > You can't take $http_cf_connecting_ip which is a HTTP header coming from
> > > Cloudflare and prepend $binary_ just to "lower memory footprint".
> > > There is no such functionality.
> > >
> > >
> > > What you might do is still use $binary_remote_addr but in combination with
> > > RealIP module ( http://nginx.org/en/docs/http/ngx_http_realip_module.html ):
> > >
> > > real_ip_header CF-Connecting-IP;
> > >
> > > Detailed guide from Cloudflare:
> > > ( https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx- )
> > >
> > >
> > > Theoretically it should work but to be sure you would need to test it or ask
> > > a nginx dev for confirmation if the realip module takes precedence and
> > > updates also the ip binary variable before the limit_req module.
> > >
> > > rr
> > >
> > > _______________________________________________
> > > nginx mailing list
> > > nginx@nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
> >
> >
> > Thanks for the info :) For now I will just stick with what I know is
> > currently working. Either way I believe the stored key in memory won't be
> > compressed due to being behind Cloudflare's reverse proxy, as you said only
> > $binary_remote_addr is compressing their IP to reduce memory footprint.
> >
> > Here is my config for anyone who wants to test or play around, same as in the
> > original email.
> >
> > map $http_cf_connecting_ip $client_ip_from_cf {
> >     default $http_cf_connecting_ip;
> > }
> >
> > limit_req_zone $client_ip_from_cf zone=one:10m rate=30r/m;
> > limit_conn_zone $client_ip_from_cf zone=addr:10m;
> >
> > location ~ \.mp4$ {
> >     limit_conn addr 10; #Limit open connections from same ip
> >     limit_req zone=one; #Limit max number of requests from same ip
> >
> >     mp4;
> >     limit_rate_after 1m; #Limit download rate
> >     limit_rate 1m; #Limit download rate
> >     root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
> >     expires max;
> >     valid_referers none blocked networkflare.com *.networkflare.com;
> >     if ($invalid_referer) {
> >         return 403;
> >     }
> > }
> >
> > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269502,269521#msg-269521
> >
> >


Yes, I can't test it at the moment unfortunately with the realip module, due to the fact I use "itpp2012" Nginx builds (http://nginx-win.ecsds.eu/). They do not come compiled with the realip module (for now?).

My above config I have tested and it works great. I do wish to leave a smaller memory footprint, however, but there is not really any way I can do that currently.

But I can increase the zone size. I have a total of 32GB of RAM and I don't know how big the footprint of a single request is, but I doubt it will fill up that much?

But from my understanding of the earlier email, all I will require is this added to my config (hope it is just that single line):

# real_ip_header is only honoured for connections whose source address matches a
# set_real_ip_from entry; without that list $remote_addr stays Cloudflare's edge.
real_ip_header CF-Connecting-IP;

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;  # 30 requests/minute per client IP
limit_conn_zone $binary_remote_addr zone=addr:10m;

location ~ \.mp4$ {
    limit_conn addr 10;  #Limit open connections from same ip
    limit_req zone=one;  #Limit max number of requests from same ip

    mp4;
    limit_rate_after 1m; #Full speed for the first 1m, then limit download rate
    limit_rate 1m;       #Limit download rate
    root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
    expires max;
    valid_referers none blocked networkflare.com *.networkflare.com;
    if ($invalid_referer) {
        return 403;
    }
}

And that should be all. It would be a pain if I have to manually include the Cloudflare IPs too, since whenever they add more servers to their network and new geographical locations / datacenters to serve traffic from, those locations will be blocked until I add their IPs in.

http://www.networkflare.com/
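The maintenance worry in the post above (keeping set_real_ip_from in step with Cloudflare's edge ranges) can be handled by generating the include from the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The script below is an added example written for this page; it is not code from the thread, from nginx or from Cloudflare. The include path /etc/nginx/cloudflare-realip.conf and the zone names are assumptions, and the sample CIDRs in its usage note are documentation ranges, not Cloudflare's. It deliberately refuses a /0 entry: real_ip_header CF-Connecting-IP is only safe when the trusted source list is exactly Cloudflare's edge, because if every source is trusted, any client that reaches the origin directly can send its own CF-Connecting-IP header and choose the key that limit_req_zone and limit_conn_zone see, which defeats the limiter.

```shell
#!/bin/sh
# Added example for this page (not from the thread or from nginx): turn a list of
# CIDRs, one per line, into the set_real_ip_from lines that
# "real_ip_header CF-Connecting-IP;" needs, and print the http{} fragment that
# uses them. The include path and zone names are assumptions for illustration.

V4_CIDR='^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}/([0-9]|[12][0-9]|3[0-2])$'
V6_CIDR='^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

# cf_realip_conf: read CIDRs on stdin, write "set_real_ip_from <cidr>;" lines on
# stdout. Exit status 1 if any line was rejected or nothing valid was read, so a
# truncated or corrupt download is never installed as the trust list.
cf_realip_conf() {
    rc=0
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        # tolerate CRLF and stray whitespace; skip blanks and '#' comments
        cidr=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$cidr" in
            ''|'#'*) continue ;;
        esac
        if printf '%s\n' "$cidr" | grep -Eq "$V4_CIDR" \
           || printf '%s\n' "$cidr" | grep -Eq "$V6_CIDR"; then
            :
        else
            printf 'rejected (not a CIDR): %s\n' "$cidr" >&2
            rc=1
            continue
        fi
        # A /0 trusts every source: a direct client could then send its own
        # CF-Connecting-IP and pick the key limit_req/limit_conn see. Refuse it.
        if [ "${cidr##*/}" -eq 0 ]; then
            printf 'rejected (would trust all sources): %s\n' "$cidr" >&2
            rc=1
            continue
        fi
        printf 'set_real_ip_from %s;\n' "$cidr"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || rc=1
    return "$rc"
}

# realip_limit_snippet: the http{} fragment that pairs the generated include
# with the zones from the post, keyed on the restored client address.
realip_limit_snippet() {
    cat <<'EOF'
include /etc/nginx/cloudflare-realip.conf;   # generated set_real_ip_from list (assumed path)
real_ip_header CF-Connecting-IP;             # only honoured for trusted sources

limit_req_zone  $binary_remote_addr zone=one:10m rate=30r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;
EOF
}

# usage: sh cf-realip.sh generate < cidrs.txt   (writes the include to stdout)
#        sh cf-realip.sh snippet                (prints the http{} fragment)
case "${1:-}" in
    generate) cf_realip_conf ;;
    snippet)  realip_limit_snippet ;;
esac
```

A cron job can run `{ curl -fsS https://www.cloudflare.com/ips-v4; echo; curl -fsS https://www.cloudflare.com/ips-v6; } | sh cf-realip.sh generate > /etc/nginx/cloudflare-realip.conf.new` and only move the new file into place and reload nginx when the script exits 0, so a failed or partial download never replaces a working trust list. On the zone-size question raised in the post: the limit_req_zone documentation puts a 1 MB zone at roughly 16 thousand 64-byte states (IPv4 keys with $binary_remote_addr) or 8 thousand 128-byte states (IPv6), so a 10m zone is nowhere near the limit of a 32 GB host; when a zone does fill, nginx drops the least recently used state, and if a new state still cannot be created the request is rejected with an error (503 by default for limit_req).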