set_real_ip_from,real_ip_header directive in ngx_http_realip_module

Nishikubo Minoru
Hello,
I tried to limit an IPv4 Address with ngx_http_limit_req module and
ngx_realip_module via Akamai would send True-Client-IP headers.

According to the document for ngx_http_realip_module (http://nginx.org/en/docs/http/ngx_http_realip_module.html),
we can write set_real_ip_from and real_ip_header directives in http,
server, location context.

But, in the above case (ngx_http_limit_req module is defined the key in http context), directives on ngx_http_realip_module must be defined before the keys (a.k.a. replaced IPv4 address by ngx_http_realip_module) and followed limit_req_zone directive in http context.

I think it would be better if the document explained that the ngx_http_realip_module directives are configured before the ngx_http_limit_req module configuration.

Our environment is Amazon Linux on AWS EC2 package and nginx version was
1.10.1.

If you already plan to improve the documentation and you know, please let me know and I will check it out.

Thanks.

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Maxim Dounin
Hello!

On Tue, Feb 28, 2017 at 09:58:05AM +0900, Nishikubo Minoru wrote:

> Hello,
> I tried to limit an IPv4 Address with ngx_http_limit_req module and
> ngx_realip_module via Akamai would send True-Client-IP headers.
>
> According to the document for ngx_http_realip_module (
> http://nginx.org/en/docs/http/ngx_http_realip_module.html),
> we can write set_real_ip_from and real_ip_header directives in http,
> server, location context.
>
> But, in the above case (ngx_http_limit_req module is defined the key in http
> context), directives on ngx_http_realip_module must be defined before the
> keys (a.k.a. replaced IPv4 address by ngx_http_realip_module) and followed
> limit_req_zone directive in http context.

Not really.  There is no such requirement, that is, there is need
to place limit_req_zone and set_real_ip_from on the same level or
even in a particular order.

For example, the following configuration will work perfectly:

    limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
    limit_req zone=limit;
               
    server {
        listen 80;
               
        location / {
            set_real_ip_from 127.0.0.1;
            real_ip_header X-Real-IP;
        }
    }

A problem may happen though if you configured the realip module in
a location context, but use the address in different contexts.  
For example, the following will limit requests based on the
connection's address, not the one set with realip:

    limit_req_zone $remote_addr zone=limit:1m rate=1r/m;
    limit_req zone=limit;

    server {
        listen 80;

        location / {
            try_files $uri @fallback;
        }

        location @fallback {
            set_real_ip_from 127.0.0.1;
            real_ip_header X-Real-IP;
            proxy_pass ...
        }
    }

In the above configuration, limit_req will work at the "location /"
context, and the realip module in "location @fallback" won't be
effective.  For more confusion, the $remote_addr variable will be
cached once used by limit_req, and attempts to use it even in the
location @fallback will return the original value, not changed by
the realip module.

Summing up the above, it is certainly possible to use the realip
module with limit_req regardless of levels.  They may interact
unexpectedly in complex configurations though, and hence it is
a good idea to avoid using set_real_ip_from / real_ip_header in
location context unless you understand what you are doing.

--
Maxim Dounin
http://nginx.org/
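
Added example, not part of the original thread and not nginx project code: a complete configuration for the setup discussed above, with the realip directives at http level so the address is rewritten before limit_req keys on it, whichever location serves the request. The trusted range 192.0.2.0/24, the upstream address, and the log path are placeholder assumptions; the zone parameters and header names come from the thread.

```nginx
events {}

http {
    # Only connections from these addresses may supply the client IP header.
    # 192.0.2.0/24 is a documentation placeholder: replace it with the
    # addresses your CDN edge servers actually connect from.
    set_real_ip_from 192.0.2.0/24;
    real_ip_header   True-Client-IP;

    # Log the rewritten address next to the original connection address
    # ($realip_remote_addr) to confirm the header is being honored.
    log_format realip '$remote_addr via $realip_remote_addr '
                      '"$request" $status';
    access_log /var/log/nginx/access.log realip;   # assumed log path

    # The key is evaluated per request, after realip has replaced the address.
    limit_req_zone $binary_remote_addr zone=limit:1m rate=1r/m;

    server {
        listen 80;

        # Inherited by every location below, including @fallback.
        limit_req zone=limit;

        location / {
            try_files $uri @fallback;
        }

        location @fallback {
            # No set_real_ip_from / real_ip_header here: the http-level
            # settings already apply, so $remote_addr is the same value
            # in "location /" and in "location @fallback".
            proxy_pass http://127.0.0.1:8080;      # assumed upstream
        }
    }
}
```

Requests that arrive from an address outside set_real_ip_from keep their connection address as the key, so a True-Client-IP header sent directly by a client is ignored. A rejected request returns 503 and logs the rewritten address, which shows the limit is keyed on the header value.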
Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

Nishikubo Minoru
Hello, Maxim

I understand your explanation, and thanks for the reply.

I tried to replace $binary_remote_addr (not $remote_addr, for performance reasons) with the True-Client-IP header, which the Akamai CDN server will send, via ngx_http_limit_req_module and use it as a shared memory zone key.


Re: set_real_ip_from, real_ip_header directive in ngx_http_realip_module

purvez
In reply to this post by Nishikubo Minoru
Dear Nishikubo,

Have got resolution. In fact, we are facing a similar issue while integrating
through Akamai.

Your help is appreciable!

Thanks
Mohit M

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,272653,273134#msg-273134
