Hello, Maxim I understand your explanation and thanks for reply.
I tried to replace $binary_remote_addr (not $remote_addr for performance reason) with True-Client-IP header which is Akamai CDN Server will send, via ngx_http_limit_req_module and use as a shared memory zone key. On Tue, Feb 28, 2017 at 10:40 PM, Maxim Dounin <mdou...@mdounin.ru> wrote: > Hello! > > On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote: > > > Hello, > > I tried to limit an IPv4 Address with ngx_http_limit_req module and > > ngx_realip_module via Akamai would send True-Client-IP headers. > > > > According to the document ngx_http_readip_module( > > http://nginx.org/en/docs/http/ngx_http_realip_module.html), > > we can write set_real_ip_from and real-_ip_header directive in http, > > server, location context. > > > > But, in the above case(ngx_http_limit_req module is defined the key in > http > > context), directives on ngx_http_realip_module must be defined before the > > keys(a.k.a replaced IPv4 adress by ngx_http_realip_module) and followed > > limit_req_zone directive in http context. > > Not really. There is no such requirement, that is, there is need > to place limit_req_zone and set_real_ip_from on the same level or > even in a particular order. > > For example, the following configuration will work perfectly: > > limit_req_zone $remote_addr zone=limit:1m rate=1r/m; > limit_req zone=limit; > > server { > listen 80; > > location / { > set_real_ip_from 127.0.0.1; > real_ip_header X-Real-IP; > } > } > > A problem may happen though if you configured the realip module in > a location context, but use the address in different contexts. > For example, the following will limit requests based on the > connection's address, not the one set with realip: > > limit_req_zone $remote_addr zone=limit:1m rate=1r/m; > limit_req zone=limit; > > server { > listen 80; > > location / { > try_files $uri @fallback; > } > > location @fallback { > set_real_ip_from 127.0.0.1; > real_ip_header X-Real-IP; > proxy_pass ... > } > } > > In the above configuration, limit_req will work at the "location /" > context, and the realip module in "location @fallback" won't be > effective. For more confusion, the $remote_addr variable will be > cached once used by limit_req, and attempts to use it even in the > location @fallback will return the original value, not changed by > the realip module. > > Summing up the above, it is certainly possible to use the realip > module with limit_req regardless of levels. They may interact > unexpectedly in complex configurations though, and hence it is > a good idea to avoid using set_real_ip_from / real_ip_header in > location context unless you understand what you are doing. > > -- > Maxim Dounin > http://nginx.org/ > _______________________________________________ > nginx mailing list > nginx@nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx >
_______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
