Limit_conn - block offending ips

Hi forum and thanks Igor for the most amazing software;
now I have spent some time looking for a way to make use of the
limit_conn directive to block offending ip addresses, but can’t seem to
figure out a way to do so.

Is there a possibility to check, inside nginx.conf, for
$limit_conn_triggered or something like that? Use case - I am protecting
a backend server with limit_conn zone_name 2; and want to collect ips
that violate that limit for blocking in the firewall. Parsing logs is a
possible but extremely ineffective solution, especially under a DDOS, so
I was looking for a way to either block violators using nginx
configuration or emit the ip address to iptables/apf/etc.

Currently I can only deny parallel requests or limit_req them, which
surely does increase the number of attackers needed to kill the server
but does not solve the problem. Somehow, I feel there should be a
solution (nginx module or directive I’m missing) which could ban based
on triggered limit_conn. Thanks for any tips :slight_smile:

Posted at Nginx Forum: