Nginx Rate Limiting count for a whole subnet, not just per IP

I have a defined zone in Nginx for limiting requests; it's plain straightforward, as described in their documentation:

limit_req_zone $binary_remote_addr zone=leash:10m rate=18r/s;

So far so good.

It works great with clients who act offensively, but recently some of them have started rotating their IP addresses while accessing my service, mostly within a /24 range, so I was wondering: is it possible to apply the zone connection count limit to a whole IP range (not just per IP), something like what a --connlimit-mask 24 flag would do with iptables?

Istvan Prosinger asked Oct 29 '22 13:10

1 Answer

The easiest way would be an nginx combo of map and geo directives, which would also give you the most flexibility, IMHO.

geo $geoRateBucket {
    # classify the client address: each listed /24 gets its own bucket id,
    # everything else gets 0
    default        0;
    192.0.0.0/24   1;
    10.0.0.0/24    2;
    172.0.0.0/24   3;
}

# turn the bucket id into the limit_req key: every address inside a listed
# /24 maps to the same string, so the whole range is counted together
# (keying on $binary_remote_addr here would fall back to per-address
# counting); an empty key makes limit_req skip the request entirely
map $geoRateBucket $rateBlacklist {
    1              "192.0.0.0/24";
    2              "10.0.0.0/24";
    3              "172.0.0.0/24";
    default        "";
}

limit_req_zone $rateBlacklist zone=leash:10m rate=18r/s;

Quickly done from memory but should work.

Shawn C. answered Dec 21 '22 17:12
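A more general variant, added here as an example and not taken from the answer above: instead of listing the offending ranges by hand, derive the /24 from the client address with a regex map, so every IPv4 client is counted against its subnet, and keep per-address counting for anything the regex does not match (IPv6 clients). The zone names, the rate, burst and connection values, the variable names and the upstream address are assumptions; the directives go in the http block like the original limit_req_zone.

```nginx
# Added example, not part of the original answer. Zone names, rate, burst,
# connection limit and the backend address are assumptions.

# Key the limiter on the client's /24: "203.0.113.7" -> "203.0.113".
# nginx map regexes support PCRE named captures, so the first three octets
# can be reused as the map value. An address that is not a dotted quad
# (an IPv6 client) falls through to the usual per-address key.
map $remote_addr $limit_key {
    ~^(?<subnet24>\d+\.\d+\.\d+)\.\d+$   $subnet24;
    default                               $binary_remote_addr;
}

# Same shape as the zone in the question; the key now identifies a subnet,
# so every address in it draws from one 18 r/s bucket.
limit_req_zone $limit_key zone=leash24:10m rate=18r/s;

# The same key gives the connection-count analogue of connlimit-mask 24.
limit_conn_zone $limit_key zone=conn24:10m;

server {
    listen 80;
    server_name example.test;

    location / {
        # small burst allowance, then 429 instead of the default 503
        limit_req zone=leash24 burst=20 nodelay;
        limit_req_status 429;
        limit_conn conn24 50;
        limit_conn_status 429;

        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two caveats before relying on this. $remote_addr is the immediate TCP peer, so behind a load balancer or CDN you must configure the real_ip module (set_real_ip_from and real_ip_header) first, otherwise every request keys on the proxy's subnet and the whole site gets one bucket. And /24 granularity throttles legitimate users who share that range (corporate NAT, carrier-grade NAT) together with the abuser; if that matters, keep the per-address zone from the question as well and apply both limit_req directives to the location. Check the syntax with `nginx -t` before reloading.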