Whitelisting IP addresses for ratelimiting

I have my configuration set up based on the information at

as follows:

http {

    geo $unlimited {
        default 1;
        192.168.45.56/32 0;
    }

    limit_req_zone $binary_remote_addr zone=unlimited:10m rate=10r/m;

    server {

        location / {
            limit_req zone=unlimited burst=5;
        }
    }
}

I believe this should mean that requests from IP address 192.168.45.56
are not subject to the rate limiting, but it isn’t working (they do get
blocked by the rate limiting) and I can’t see why.

Is my configuration obviously wrong somewhere?

And if not, is there any way I can easily debug why the rate-limiting is
being applied?

Thanks,
James

On 25/07/12 13:53, James Fidell wrote:

    }

    limit_req_zone $binary_remote_addr zone=unlimited:10m rate=10r/m;

    server {

        location / {
            limit_req zone=unlimited burst=5;
        }
    }
}

I realise it may be much clearer if I did s/unlimited/limited/ on this
config file :)

James

Hello!

On Wed, Jul 25, 2012 at 01:53:41PM +0100, James Fidell wrote:


I believe this should mean that requests from IP address 192.168.45.56
are not subject to the rate limiting, but it isn’t working (they do get
blocked by the rate limiting) and I can’t see why.

Is my configuration obviously wrong somewhere?

Yes, it’s obviously wrong, as well as the blog post you’ve followed.
You don’t use the $unlimited variable anywhere in your config, and
just use $binary_remote_addr for limiting without any exceptions.

To make an exception, you have to provide an empty value for a
variable in limit_req_zone (see Module ngx_http_limit_req_module).

The correct config for exceptions based on geo would be (involving
an intermediate map, as geo doesn’t allow variables in a resulting
value):

geo $limited {
    default           1;
    192.168.45.56/32  0;
}

map $limited $limit {
    1        $binary_remote_addr;
    0        "";
}

limit_req_zone $limit zone=foo:1m rate=10r/m;
limit_req zone=foo burst=5;

As you can see from the above config, limit_req_zone now works
based on a $limit variable, which is either the client address or an
empty string. In the latter case the client isn’t limited.

Maxim D.
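
Added example (not part of the thread, and not nginx's own code): a simplified Python model of the geo -> map -> limit_req key chain, showing why the original config still limits 192.168.45.56 while the corrected one does not. The function and class names are hypothetical, the leaky bucket is a simplification of the documented limit_req behaviour, and 192.168.45.57 is a constructed sample address.

```python
import ipaddress

# Constructed model of the thread's configs; names mirror the nginx variables.
GEO_LIMITED = {"0.0.0.0/0": "1", "192.168.45.56/32": "0"}  # geo $limited {...}

def geo(addr, table=GEO_LIMITED):
    """Longest-prefix match, as a geo block resolves an address to a value."""
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(n) for n in table]
    best = max((n for n in nets if ip in n), key=lambda n: n.prefixlen)
    return table[str(best)]

def key_original(addr):
    # Original config: limit_req_zone $binary_remote_addr; $unlimited is never read.
    return addr

def key_fixed(addr):
    # Corrected config: map $limited $limit { 1 $binary_remote_addr; 0 ""; }
    return addr if geo(addr) == "1" else ""

class LimitReq:
    """Simplified leaky bucket: rate in requests/second, burst in requests."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.state = rate, burst, {}

    def allow(self, key, now):
        if key == "":                     # empty key: request is not accounted
            return True
        if key not in self.state:
            self.state[key] = (0.0, now)  # first request starts with no excess
            return True
        excess, last = self.state[key]
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:           # over burst: rejected, state unchanged
            return False
        self.state[key] = (excess, now)
        return True

def run(key_fn, addr, n=10, rate=10 / 60, burst=5):
    """Send n back-to-back requests from addr; return how many pass."""
    zone = LimitReq(rate, burst)          # rate=10r/m burst=5, as in the thread
    return sum(zone.allow(key_fn(addr), now=0.0) for _ in range(n))

if __name__ == "__main__":
    for name, fn in (("original", key_original), ("fixed", key_fixed)):
        for addr in ("192.168.45.56", "192.168.45.57"):
            print(f"{name:8} {addr}: {run(fn, addr)}/10 requests pass")
```
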

On 25/07/12 14:45, Maxim D. wrote:

Yes, it’s obviously wrong, as well as the blog post you’ve followed.
You don’t use the $unlimited variable anywhere in your config, and
just use $binary_remote_addr for limiting without any exceptions.

I did wonder how the $unlimited variable had any effect. Foolish of
me to assume that a blog is accurate :)

Thanks for your help.

James