Limit_req and IP white listing on 0.8.55

Hello!

I’ve followed this reference:

http://forum.nginx.org/read.php?2,228956,228961#msg-228961

To produce the following config:
    http {
        geo $public_vs_our_networks {
            default 1;
            127.0.0.1/32 0;
            … my networks …
        }
        map $public_vs_our_networks $limit_public {
            1 $binary_remote_addr;
            0 "";
        }
        limit_req_zone $limit_public zone=public_facing_network:10m rate=40r/m;

        server {

            location / {

                limit_req zone=public_facing_network burst=5 nodelay;

                proxy_pass http://my_upstream;
            }
        }
    }

Unfortunately-- my error logs quickly filled up with clients who were
incorrectly rate limited. It was as if this configuration created 1 bucket
for ALL the public facing clients, as opposed to individually bucketing each
public client by their $binary_remote_addr. Please advise on what I might
be missing.

Thanks for your help!

-Nick

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,238757,238757#msg-238757

Hello!

On Tue, Apr 30, 2013 at 07:25:22PM -0400, nauger wrote:

            127.0.0.1/32        0;
            ...

Unfortunately-- my error logs quickly filled up with clients who were
incorrectly rate limited. It was as if this configuration created 1 bucket
for ALL the public facing clients, as opposed to individually bucketing each
public client by their $binary_remote_addr. Please advise on what I might
be missing.

Variables can be used as a result of a map only in nginx 0.9.0+,
see http://nginx.org/r/map. You have to upgrade for the above to
work.


Maxim D.
http://nginx.org/en/donation.html

Hi Maxim,

Thank you-- that makes sense. Before upgrading, is it possible to implement
this white list behavior using a different mechanism?

Thanks again,

-Nick

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,238757,238760#msg-238760

Hello!

On Wed, May 01, 2013 at 12:04:12AM -0400, nauger wrote:

Hi Maxim,

Thank you-- that makes sense. Before upgrading, is it possible to implement
this white list behavior using a different mechanism?

You may try to use if + set at server level instead of map.


Maxim D.
http://nginx.org/en/donation.html
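
One way to write the "if + set at server level" approach suggested in the last reply, as an added example that is not part of the original thread. It reuses the thread's variable, zone and upstream names, has not been tested on 0.8.55, and assumes (as the original config already does) that limit_req does not count requests whose key is empty.

```nginx
# Added example, not from the thread. The map block is dropped, because
# 0.8.55 cannot use a variable such as $binary_remote_addr as a map result.
http {
    geo $public_vs_our_networks {
        default        1;
        127.0.0.1/32   0;
        # ... trusted networks, as in the original geo block ...
    }

    # The zone key is now a variable assigned with "set" below,
    # so each public client is tracked under its own address.
    limit_req_zone $limit_public zone=public_facing_network:10m rate=40r/m;

    server {
        # Server-level rewrite directives run before limit_req is checked.
        # Default: key every client by its own address.
        set $limit_public $binary_remote_addr;

        # Clients matched by the geo block (value 0) get an empty key,
        # so they are never rate limited.
        if ($public_vs_our_networks = 0) {
            set $limit_public "";
        }

        location / {
            limit_req zone=public_facing_network burst=5 nodelay;
            proxy_pass http://my_upstream;
        }
    }
}
```

The `set` and `if` lines have to be repeated in every `server` block that applies this zone, since they only take effect in the server where they appear.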