nginx ngx_http_limit_req_module and PROXY PROTOCOL
Maxim Dounin
mdounin at mdounin.ru
Thu May 23 12:25:16 UTC 2024
Hello!
On Thu, May 23, 2024 at 10:49:13AM +0200, Marcello Lorenzi wrote:
> Hi All,
> we have configured a reverse proxy behind an haproxy load balancer and we
> used PROXY PROTOCOL to forward the real IP to the backends. All worked fine
> but if we enabled the ngx_http_limit_req_module and we based our
> limit_req_zone rule to the $binary_remote_addr we noticed that all requests
> received from the haproxy server have been blocked.
>
> Do we have to use the $proxy_remote_addr variable to avoid this issue? We
> tried to implement the variable but the block didn't work.
If you are running limit_req behind a load balancer, there are two
basic options:
1. Configure set_real_ip_from/real_ip_header
(http://freenginx.org/r/set_real_ip_from), so the client address
as seen by [free]nginx will be set to the one obtained from the
load balancer, including $remote_addr and $binary_remote_addr
variables.
2. Use an appropriate variable with the client address, such as
$proxy_protocol_addr
(http://freenginx.org/r/$proxy_protocol_addr), directly in the
limit_req_zone configuration.
Both variants should work fine as long as configured correctly.
Note though that limit_req by default delays excessive requests,
and to get an error you'll have to use a client which is able to
do multiple parallel requests. Testing "limit_req ... nodelay;"
could be easier.
If you are having troubles with configuring things, consider
sharing your configuration.
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
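
The two options from the reply above, sketched as an added configuration example that is not part of the original message. The load balancer address 192.0.2.10, the ports, the zone names, the rates and the backend address are assumptions made for illustration.

```nginx
http {
    # Option 1: the realip module rewrites the client address, so
    # $remote_addr and $binary_remote_addr carry the address taken from
    # the PROXY protocol header instead of the haproxy address.
    limit_req_zone $binary_remote_addr zone=per_client_realip:10m rate=10r/s;

    # Option 2: key the zone directly on the PROXY protocol address.
    # Requests with an empty key are not accounted, so if the listen
    # socket lacks "proxy_protocol" this zone limits nothing.
    limit_req_zone $proxy_protocol_addr zone=per_client_pp:10m rate=10r/s;

    server {
        # Option 1
        listen 8081 proxy_protocol;

        # Trust the PROXY protocol header only from the load balancer
        # (assumed address); any other peer keeps its socket address.
        set_real_ip_from 192.0.2.10;
        real_ip_header   proxy_protocol;

        location / {
            # "nodelay" rejects excess requests immediately instead of
            # delaying them, which makes the limit easy to observe.
            limit_req zone=per_client_realip burst=5 nodelay;
            proxy_pass http://127.0.0.1:8080;   # assumed backend
        }
    }

    server {
        # Option 2
        listen 8082 proxy_protocol;

        location / {
            limit_req zone=per_client_pp burst=5 nodelay;
            proxy_pass http://127.0.0.1:8080;   # assumed backend
        }
    }
}
```

In both servers the listener should be reachable only from the load balancer, since any peer that can connect directly can put an address of its choice in the PROXY protocol header (option 1 ignores it from untrusted peers, option 2 does not).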