B.R. Wrote:
-------------------------------------------------------
> You were just told the best way to get a meaningful $binary_remote_addr
> variable using CloudFlare, with the added bonus of a list of network ranges
> to use with set_real_ip_from to only filter out CloudFlare's IP addresses
> as sources to be replaced and avoid false positives.
>
> Using the $binary_remote_addr variable takes less space inside your
> fixed-sized zone, thus allowing to store more entries.
> I suggest you carefully read on the impacts of filling-up the zone memory
> and why using as little data per client is highly advised in limit_req_zone
> <http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone>
> directive docs as you do not seem to know what you are doing...
> ---
> *B. R.*
>
> On Tue, Sep 13, 2016 at 3:08 PM, c0nw0nk <nginx-fo...@forum.nginx.org> wrote:
>
> > Reinis Rozitis Wrote:
> > -------------------------------------------------------
> > > > But that book says it is to reduce the memory footprint ?
> > >
> > > Correct, but that is for that specific variable.
> > >
> > > You can't take $http_cf_connecting_ip which is a HTTP header coming from
> > > Cloudflare and prepend $binary_ just to "lower memory footprint".
> > > There is no such functionality.
> > >
> > > What you might do is still use $binary_remote_addr but in combination with
> > > RealIP module (http://nginx.org/en/docs/http/ngx_http_realip_module.html):
> > >
> > > real_ip_header CF-Connecting-IP;
> > >
> > > Detailed guide from Cloudflare:
> > > (https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-)
> > >
> > > Theoretically it should work but to be sure you would need to test it or ask
> > > a nginx dev for confirmation if the realip module takes precedence and
> > > updates also the ip binary variable before the limit_req module.
> > >
> > > rr
> > >
> > > _______________________________________________
> > > nginx mailing list
> > > nginx@nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
> >
> > Thanks for the info :) For now I will just stick with what I know is
> > currently working either way I believe the stored key in memory won't be
> > compressed due to being behind cloudflare's reverse proxy as you said only
> > $binary_remote_addr is compressing their IP to reduce memory footprint.
> >
> > Here is my config for anyone who wants to test or play around same as in
> > original email.
> >
> > map $http_cf_connecting_ip $client_ip_from_cf {
> >     default $http_cf_connecting_ip;
> > }
> >
> > limit_req_zone $client_ip_from_cf zone=one:10m rate=30r/m;
> > limit_conn_zone $client_ip_from_cf zone=addr:10m;
> >
> > location ~ \.mp4$ {
> >     limit_conn addr 10; #Limit open connections from same ip
> >     limit_req zone=one; #Limit max number of requests from same ip
> >
> >     mp4;
> >     limit_rate_after 1m; #Limit download rate
> >     limit_rate 1m; #Limit download rate
> >     root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
> >     expires max;
> >     valid_referers none blocked networkflare.com *.networkflare.com;
> >     if ($invalid_referer) {
> >         return 403;
> >     }
> > }
> >
> > Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269502,269521#msg-269521

Yes, I can't test it at the moment unfortunately with the realip module due to
the fact I use "itpp2012" Nginx builds: http://nginx-win.ecsds.eu/
They do not come compiled with the realip module (for now ?)

My above config I have tested and it works great. I do wish to leave a smaller
memory footprint however, but there is not really any way I can do that
currently. But I can increase the zone size. I have a total of 32gb of RAM and
I don't know how big the footprint of a single request is, but I doubt it will
fill up that much ?

But from my understanding of the earlier email all I will require is this
added to my config (hope it is just that single line):

real_ip_header CF-Connecting-IP;

limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;

location ~ \.mp4$ {
    limit_conn addr 10; #Limit open connections from same ip
    limit_req zone=one; #Limit max number of requests from same ip

    mp4;
    limit_rate_after 1m; #Limit download rate
    limit_rate 1m; #Limit download rate
    root '//172.168.0.1/StorageServ1/server/networkflare/public_www';
    expires max;
    valid_referers none blocked networkflare.com *.networkflare.com;
    if ($invalid_referer) {
        return 403;
    }
}

And that should be all. It would be a pain if I have to manually include the
cloudflare IPs too, since whenever they add more servers to their network and
new geological locations / datacenters to serve traffic from, it would mean
those locations will be blocked until I add their IPs in.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269502,269528#msg-269528
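
B.R.'s reply mentions a list of network ranges to use with set_real_ip_from, and the last message raises the cost of keeping that list current by hand. As an added example (not code from this thread, nginx or Cloudflare), the shell function below turns such a list into a realip include; the function names, the include-file workflow and the sample ranges (documentation addresses, not Cloudflare's) are assumptions.

```shell
# Added example (not from the thread): turn a list of proxy CIDR ranges into
# an nginx realip include. Malformed or empty input fails with status 1 and
# prints nothing, so a bad download never replaces a working include file.

valid_cidr() {   # shallow syntax check; `nginx -t` remains the final word
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*} len=${1##*/}
    case "$len" in ''|*[!0-9]*|????*) return 1 ;; esac
    case "$addr" in
        *:*)  # IPv6: hex digits and colons, prefix length 1..128
            case "$addr" in *[!0-9A-Fa-f:]*) return 1 ;; esac
            [ "$len" -ge 1 ] && [ "$len" -le 128 ] ;;
        *)    # IPv4: four octets 0..255, prefix length 1..32 (no /0)
            case "$addr" in *[!0-9.]*) return 1 ;; esac
            [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
            old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                case "$o" in ''|????*) return 1 ;; esac
                [ "$o" -le 255 ] || return 1
            done ;;
    esac
}

gen_realip_conf() {   # stdin: one CIDR per line; $1: header name (optional)
    header=${1:-CF-Connecting-IP}
    out='' count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')   # drop comments, blanks
        [ -n "$line" ] || continue
        if ! valid_cidr "$line"; then
            echo "rejecting list: bad entry '$line'" >&2
            return 1
        fi
        out="${out}set_real_ip_from ${line};
"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "rejecting list: empty" >&2; return 1; }
    printf '%sreal_ip_header %s;\n' "$out" "$header"
}

# Constructed sample input: documentation ranges, not Cloudflare's real list.
SAMPLE='# proxy ranges
192.0.2.0/24
198.51.100.0/24   # trailing comment
2001:db8::/32'
printf '%s\n' "$SAMPLE" | gen_realip_conf
```

Write the output to a file pulled in with nginx's `include` directive and run `nginx -t` before reloading, so the header is only honoured for connections arriving from the listed ranges.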