Welcome! Log In Create A New Profile

Advanced

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Francis Daly
September 13, 2016 07:24PM
On Tue, Sep 13, 2016 at 04:07:51PM -0400, c0nw0nk wrote:

Hi there,

> Oh in that case then in didn't work when i tried it with the following
> configuration.

It looks like configuration like this should probably work; but perhaps
some parts were lost in the copy-paste.

However, if you have the chance to test, could you try adding

location = /test {
return 200 "x-forwarded-for=:$http_x_forwarded_for:
cf-connecting-ip=:$http_cf_connecting_ip:\n";
}

the the appropriate server{} block, and running

curl -H X-Forwarded-For:1.2.3.4 -H CF-Connecting-IP:2.3.4.5 http://your-server/test

and seeing what the output is?

If my reading of

https://support.cloudflare.com/hc/en-us/articles/200170986

is correct, I think you should see x-forwarded-for having two values
(I suspect that 1.2.3.4 will be first, despite what that web page says)
and cf-connecting-ip having a value which does not include 2.3.4.5.

If that "single-valued cf-connecting-ip" is true, then you should be
able to omit all of the set_real_ip_from directives without breaking
your config. (And therefore, you will not need to worry about keeping
the list of them up to date.

> limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
> limit_conn_zone $binary_remote_addr zone=addr:10m;

For what it's worth:

quick tests here show that stock nginx *does* correctly set
$binary_remote_addr to be a compact representation of $remote_addr, even
when real_ip_header is being used. So what you are trying to do, can work.

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 04:09AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

gariac September 13, 2016 04:34AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 04:51AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 05:34AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

gariac September 13, 2016 05:36AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 05:51AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 07:16AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Reinis Rozitis September 13, 2016 07:26AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 08:07AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 08:17AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Reinis Rozitis September 13, 2016 08:26AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 09:08AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

B.R. September 13, 2016 10:08AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 10:41AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

itpp2012 September 13, 2016 03:36PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 04:07PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 13, 2016 08:02PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

itpp2012 September 14, 2016 12:48AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 14, 2016 04:10AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

itpp2012 September 14, 2016 06:52AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

c0nw0nk September 14, 2016 08:23AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Francis Daly September 13, 2016 07:24PM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

FinalX September 14, 2016 07:06AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

Reinis Rozitis September 14, 2016 07:34AM

Re: Keeping your Nginx limit_* Anti-DDoS behind CloudFlare's servers

B.R. September 14, 2016 09:02AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 71
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready