Hello! On Sun, Apr 04, 2021 at 10:13:46PM +0200, Christian Staudte wrote:
> regarding rate limiting in IPv6 configurations I see the following
> problem: As normally a subnet between a /56 and a /64 is assigned to a
> client by an ISP, and both $binary_remote_addr and $remote_addr always
> contain the whole IPv6 address, a single client can always spoof the
> rate limiter by simply choosing another IPv6 address from his own subnet.
>
> Currently I have two options to avoid this:
> a) Disabling IPv6 (well, not really considering that)
> b) Using application-level rate limiting in PHP which is awkwardly slow
>
> Did I miss some configuration options or some dirty hack to do the rate
> limit matching for example on /64 subnets, or is this simply not
> possible in nginx?

You can use anything as a key in limit_req_zone, including your own
variables.  If you want to limit IPv6 addresses per /64 subnets,
something like this should work:

    map $binary_remote_addr $subnet {
        "~^(\C{8})"  $1;
        default      $binary_remote_addr;
    }

    limit_req_zone $subnet zone=one:10m rate=1r/s;

-- 
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
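The effect of the map shown in the reply can be checked offline. The following is an added example, not code from the mailing-list thread or from nginx: it packs the client address the way $binary_remote_addr does (4 bytes for IPv4, 16 for IPv6), applies the same `^(\C{8})` idea with a bytes regex (PCRE's `\C` is one byte; `.` with DOTALL on a Python bytes pattern is too), and feeds the resulting key into a deliberately simplified leaky bucket (rate in requests per second, no burst) so that two addresses from one /64 visibly share a bucket while IPv4 clients keep a per-host key. The request sequence and the 2001:db8::/32 and 192.0.2.0/24 addresses are constructed for the demonstration; `LimitReqZone` is a stand-in, not nginx's limit_req algorithm.

```python
"""Emulate keying nginx's limit_req on an IPv6 /64 prefix.

Added example (not from the mailing-list post or from nginx): models what
the map + limit_req_zone configuration in the reply does.  The regex keeps
the first 8 bytes (the /64 prefix) of a 16-byte IPv6 address and falls back
to the whole packed address otherwise, so a 4-byte IPv4 address is unchanged.
The limiter is a simplified leaky bucket with burst=0, not nginx's own code.
"""
import ipaddress
import re

# PCRE's \C matches exactly one byte; on a bytes pattern '.' with DOTALL does too.
SUBNET_RE = re.compile(rb"^(.{8})", re.DOTALL)


def binary_remote_addr(addr: str) -> bytes:
    """Packed form of the client address, like nginx's $binary_remote_addr."""
    return ipaddress.ip_address(addr).packed


def subnet_key(addr: str) -> bytes:
    """Apply the reply's map: /64 prefix for IPv6, the full address for IPv4."""
    packed = binary_remote_addr(addr)
    m = SUBNET_RE.match(packed)
    return m.group(1) if m else packed


class LimitReqZone:
    """Minimal limit_req stand-in: `rate` requests per second, burst 0."""

    def __init__(self, rate: float):
        self.interval = 1.0 / rate
        self.last_seen: dict[bytes, float] = {}

    def allow(self, key: bytes, now: float) -> bool:
        """Allow one request per key per interval; rejected requests do not advance the clock."""
        last = self.last_seen.get(key)
        if last is not None and now - last < self.interval:
            return False  # nginx would answer with limit_req_status (503 by default)
        self.last_seen[key] = now
        return True


def run_scenario() -> list[tuple[str, bool]]:
    """Constructed request sequence (timestamp in seconds, client address)."""
    zone = LimitReqZone(rate=1.0)
    requests = [
        (0.0, "2001:db8:1::1"),  # first request from this /64 -> allowed
        (0.5, "2001:db8:1::2"),  # same /64, different host bits -> limited
        (0.5, "2001:db8:2::1"),  # different /64 -> its own bucket, allowed
        (0.6, "192.0.2.10"),     # IPv4: key is the whole 4-byte address
        (0.7, "192.0.2.11"),     # different IPv4 host -> separate key, allowed
        (1.0, "2001:db8:1::3"),  # first /64 again, a full second later -> allowed
    ]
    return [(addr, zone.allow(subnet_key(addr), t)) for t, addr in requests]


if __name__ == "__main__":
    for addr, ok in run_scenario():
        print(f"{addr:16} key={subnet_key(addr).hex():32} {'allowed' if ok else 'limited'}")
```

The second request is the case the question describes: a client moving to another address inside its own /64 lands on the same key and is limited, while a client in another /64 is not. The regex trick only applies because $binary_remote_addr is fixed-width binary; it would not work on the textual $remote_addr.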