Welcome! Log In Create A New Profile

Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Forum List Message List New Topic Print View

Maxim Dounin

February 28, 2017 08:42AM

Hello!

On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote:

> Hello,
> I tried to limit an IPv4 Address with ngx_http_limit_req module and
> ngx_realip_module via Akamai would send True-Client-IP headers.
>
> According to the document ngx_http_readip_module(
> http://nginx.org/en/docs/http/ngx_http_realip_module.html),
> we can write set_real_ip_from and real-_ip_header directive in http,
> server, location context.
>
> But, in the above case(ngx_http_limit_req module is defined the key in http
> context), directives on ngx_http_realip_module must be defined before the
> keys(a.k.a replaced IPv4 adress by ngx_http_realip_module) and followed
> limit_req_zone directive in http context.

Not really. There is no such requirement, that is, there is need
to place limit_req_zone and set_real_ip_from on the same level or
even in a particular order.

For example, the following configuration will work perfectly:

limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
limit_req zone=limit;

server {
listen 80;

location / {
set_real_ip_from 127.0.0.1;
real_ip_header X-Real-IP;
}
}

A problem may happen though if you configured the realip module in
a location context, but use the address in different contexts.
For example, the following will limit requests based on the
connection's address, not the one set with realip:

limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
limit_req zone=limit;

server {
listen 80;

location / {
try_files $uri @fallback;
}

location @fallback {
set_real_ip_from 127.0.0.1;
real_ip_header X-Real-IP;
proxy_pass ...
}
}

In the above configuration, limit_req will work at the "location /"
context, and the realip module in "location @fallback" won't be
effective. For more confusion, the $remote_addr variable will be
cached once used by limit_req, and attempts to use it even in the
location @fallback will return the original value, not changed by
the realip module.

Summing up the above, it is certainly possible to use the realip
module with limit_req regardless of levels. They may interact
unexpectedly in complex configurations though, and hence it is
a good idea to avoid using set_real_ip_from / real_ip_header in
location context unless you understand what you are doing.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
set_real_ip_from,real_ip_header directive in ngx_http_realip_module	Nishikubo Minoru	February 27, 2017 08:00PM
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module	Maxim Dounin	February 28, 2017 08:42AM
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module	Nishikubo Minoru	February 28, 2017 07:58PM
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module	foxgab	June 29, 2017 09:08AM
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module	Maxim Dounin	June 29, 2017 11:34AM
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module	foxgab	July 03, 2017 04:57AM
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module	Maxim Dounin	July 03, 2017 09:10AM
Re: set_real_ip_from,real_ip_header directive in ngx_http_realip_module	mohitmehral	March 23, 2017 01:45AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 289

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018