I have an Nginx server pool behind a CDN + load balancer setup. CDN caches HTTP "read" requests (GET, HEAD, OPTIONS) and bypasses "write" requests (POST).
I'm using the real_ip module to get clients' IPs from the X-Forwarded-For header in a configuration like this:
set_real_ip_from <trusted_cidr1>;
set_real_ip_from <trusted_cidr2>;
...
real_ip_recursive on;
real_ip_header X-Forwarded-For;
I can confirm it works. But I also want to limit the request rate per client (I will assume every IP is a distinct client), to avoid robots and attacks, so I'm using the limit_req module as follows (the zone is declared at http level and applied inside a server's location):
http {
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    server {
        location / {
            limit_req zone=perip burst=5;
        }
    }
}
So, my question is: will $binary_remote_addr take the original client's IP, the real originator of the request, once I have configured real_ip, or does Nginx internally not override it as I'm expecting? Because if it doesn't, a configuration like that will certainly cause me serious problems.
I suppose Nginx is smart enough for that, but since I couldn't find confirmation of it in the documentation and haven't had the chance to test it in a real, distributed scenario so far, I hope someone with previous experience doing this can tell me.
Thank you.
No answer so far, so I'm doing it.
I verified it myself: the real_ip module changes the value of the connection origin internally, and for all intents and purposes everything related to the source of the connection becomes that IP (taken from X-Forwarded-For, X-Real-IP, etc.), including the $binary_remote_addr variable. So it's safe to use it with the request limit configuration.
Note: on the other hand, it saves the connection's original IP in $realip_remote_addr.
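The following is an added example, not configuration from the original question or answer. It puts the two pieces together in one nginx http block and adds a log format that records both the rewritten client address ($remote_addr) and the real TCP peer ($realip_remote_addr), plus $limit_req_status, so the behaviour described in the answer can be checked from the access log rather than assumed. The CIDRs, the upstream addresses and the log path are placeholders; substitute the address ranges your CDN and load balancer actually publish.

```nginx
http {
    # Only addresses in these ranges are allowed to supply X-Forwarded-For.
    # Placeholder CIDRs: replace with the CDN's and load balancer's real ranges.
    set_real_ip_from 203.0.113.0/24;    # hypothetical load-balancer range
    set_real_ip_from 198.51.100.0/24;   # hypothetical CDN range
    real_ip_header   X-Forwarded-For;
    # With both a CDN and an LB appending to X-Forwarded-For, "on" makes nginx
    # walk the header right-to-left past every trusted hop and stop at the first
    # untrusted address (the client). With "off" it would take the rightmost
    # address, i.e. the CDN or LB itself, and every request would share one key.
    real_ip_recursive on;

    # $binary_remote_addr is evaluated after the realip rewrite, so the zone
    # is keyed on the client address, not on the proxy address.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

    # $remote_addr         = client address after the rewrite (the limit key)
    # $realip_remote_addr  = the actual TCP peer (CDN/LB) kept by the module
    # $limit_req_status    = PASSED / DELAYED / REJECTED (nginx 1.17.6+)
    log_format realip '$remote_addr via $realip_remote_addr '
                      '"$request" $status limit=$limit_req_status '
                      'xff="$http_x_forwarded_for"';

    upstream app_pool {
        # hypothetical backend pool addresses
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;
    }

    server {
        listen 80;
        access_log /var/log/nginx/access.log realip;   # hypothetical path

        location / {
            limit_req        zone=perip burst=5 nodelay;
            limit_req_status 429;    # report rejected requests as 429, not 503
            proxy_pass       http://app_pool;
        }
    }
}
```

Two practical checks: a log line whose first field equals its second field means the rewrite did not happen (the peer was not in a set_real_ip_from range), and in that case the limit is being keyed on the proxy, not the client. And keep the trusted list to exactly the proxy ranges: any range a client can connect from directly would let that client choose its own X-Forwarded-For value and therefore its own rate-limit key.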