Hello!

On Thu, May 23, 2024 at 10:49:13AM +0200, Marcello Lorenzi wrote:

> Hi All,
> we have configured a reverse proxy behind an haproxy load balancer and we
> used PROXY PROTOCOL to forward the real IP to the backends. All worked fine
> but if we enabled the ngx_http_limit_req_module and we based our
> limit_req_zone rule to the $binary_remote_addr we noticed that all requests
> received from the haproxy server have been blocked.
>
> Do we have to use the $proxy_remote_addr variable to avoid this issue? We
> tried to implement the variable but the block didn't work.

If you are running limit_req behind a load balancer, there are two
basic options:

1. Configure set_real_ip_from/real_ip_header
   (http://freenginx.org/r/set_real_ip_from), so the client address as
   seen by [free]nginx will be set to the one obtained from the load
   balancer, including $remote_addr and $binary_remote_addr variables.

2. Use appropriate variable with the client address, such as
   $proxy_protocol_addr (http://freenginx.org/r/$proxy_protocol_addr),
   directly in the limit_req_zone configuration.

Both variants should work fine as long as configured correctly.

Note though that limit_req by default delays excessive requests,
and to get an error you'll have to use a client which is able to
do multiple parallel requests. Testing "limit_req ... nodelay;"
could be easier.

If you are having troubles with configuring things, consider
sharing your configuration.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
-- 
nginx mailing list
nginx@freenginx.org
https://freenginx.org/mailman/listinfo/nginx
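
The two options from the reply above, written out side by side as an added example that is not part of the original message or the poster's configuration. The addresses, ports, zone names, rates and backend are constructed for illustration.

```nginx
# Added example: place inside the http {} block. All values are constructed.

# Option 1 zone: keyed on $binary_remote_addr. Without the realip settings
# below this is the haproxy address, so every client shares one bucket.
limit_req_zone $binary_remote_addr  zone=per_client:10m    rate=10r/s;

# Option 2 zone: keyed directly on the address carried in the PROXY header.
limit_req_zone $proxy_protocol_addr zone=per_client_pp:10m rate=10r/s;

# --- Option 1: rewrite the client address with the realip module ---
# (ngx_http_realip_module must be compiled in: --with-http_realip_module)
server {
    # The listener has to parse the PROXY protocol header sent by haproxy.
    listen 8080 proxy_protocol;

    # Trust only the load balancer: any source listed here is allowed to
    # dictate the client address used for limiting and logging.
    set_real_ip_from 192.0.2.10;        # constructed haproxy address
    real_ip_header   proxy_protocol;

    location / {
        # nodelay rejects excess requests at once instead of delaying them,
        # which makes the limit easy to observe while testing.
        limit_req        zone=per_client burst=20 nodelay;
        limit_req_status 429;
        proxy_pass       http://127.0.0.1:9000;   # constructed backend
    }
}

# --- Option 2: leave $remote_addr alone, key on $proxy_protocol_addr ---
server {
    # Without proxy_protocol on the listen line $proxy_protocol_addr is
    # empty, and requests with an empty key are not counted by limit_req.
    listen 8081 proxy_protocol;

    location / {
        limit_req        zone=per_client_pp burst=20 nodelay;
        limit_req_status 429;
        proxy_pass       http://127.0.0.1:9000;   # constructed backend
    }
}
```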