Nginx check if Cloudflare forward or direct IP and limit accordingly


Question

I am aware of the headers CF-Connecting-IP, $binary_remote_addr, http_x_forwarded_for

I want to make a setting:

limit_req_zone $http_x_forwarded_for zone=k_request_limit_per_ip:10m rate=400r/s;
limit_conn_zone $http_x_forwarded_for zone=k_connection_limit_per_ip:10m;


But Cloudflare isn't the only place this machine is going to be accessed from, so I want to limit direct access too. Is there a way to write something like:

if(header == `X-Forwarded-For`) {
  limit_req_zone $http_x_forwarded_for zone=k_request_limit_per_ip:10m rate=400r/s;
} else {
  limit_req_zone $binary_remote_addr zone=k_request_limit_per_ip:10m rate=400r/s;
}

Or would something like this work:

  limit_req_zone $http_x_forwarded_for zone=http_zone:10m rate=400r/s;
  limit_req_zone $binary_remote_addr zone=binary_zone:10m rate=400r/s;

An alternative would be to fully allow all Cloudflare IP addresses and limit the non-Cloudflare IP addresses.

Good source:

Solution

You can make use of the ngx_http_realip_module: http://nginx.org/en/docs/http/ngx_http_realip_module.html

With this you can specify the Cloudflare CIDRs to be allowed to override the binary_remote_addr with the value from X-Forwarded-For. Make sure you have this check in place. Config could look like:

set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
real_ip_header X-Forwarded-For;
real_ip_recursive off;

Cloudflare IPs can change; this command will automatically update them into cloudflare_ips.conf:

#!/bin/sh
# Rebuild cloudflare_ips.conf from Cloudflare's published ranges. The new file is
# assembled in a temp file and only moved into place once both lists have been
# fetched, so a failed download never leaves an empty or half-written config.
set -eu
out=cloudflare_ips.conf
tmp=$(mktemp "$out.XXXXXX")
for list in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
    ranges=$(curl -fsS "$list")   # -f fails on HTTP errors; set -e then aborts here
    printf '%s\n' "$ranges" | sed -n '/./s/.*/set_real_ip_from &;/p' >> "$tmp"
done
printf 'real_ip_header X-Forwarded-For;\nreal_ip_recursive off;\n' >> "$tmp"
mv "$tmp" "$out"

Your rate limit config can use the binary_remote_addr variable. If the client comes via Cloudflare, CF's IP will be replaced with the IP from the header. If the client connects directly, the client IP will be used. If a client tries to send an X-Forwarded-For header, that one will not be accepted, as the client's IP does not match any CIDR from your cloudflare_ips.conf file.
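As an added example (not part of the original answer, and not nginx's own code), the following Python models the client-address selection that ngx_http_realip_module performs under the configuration above, so you can check offline which key limit_req_zone $binary_remote_addr actually receives for a direct client, a Cloudflare-forwarded client, and a client that tries to spoof X-Forwarded-For. The trusted ranges are a constructed subset of the set_real_ip_from list in the answer, and the sample requests are constructed; the rules follow the module's documentation for real_ip_header and real_ip_recursive.

```python
"""Model of ngx_http_realip_module's client-address selection.

Added example, not nginx's code: it reproduces the documented rules for
real_ip_header X-Forwarded-For so the effect of set_real_ip_from and
real_ip_recursive on the limit_req_zone key can be checked offline.
"""
import ipaddress
from typing import Optional

# Constructed subset of the set_real_ip_from list from the answer.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/12",
    "2606:4700::/32",
)]


def is_trusted(addr: str) -> bool:
    """True if addr falls inside any set_real_ip_from range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def real_ip(remote_addr: str, xff: Optional[str], recursive: bool = False) -> str:
    """Return what nginx would expose as $remote_addr after the realip phase.

    remote_addr is the TCP peer, xff the raw X-Forwarded-For value (None if
    absent). Rules modelled:
      * the header is only honoured when the TCP peer is a trusted proxy,
        so a direct client cannot spoof its address by sending the header;
      * real_ip_recursive off: the last address in the header wins;
      * real_ip_recursive on: walk backwards past trusted addresses and use
        the last untrusted one (or the first entry if all are trusted);
      * an unparsable entry stops the walk and keeps what was found so far.
    """
    if not xff or not is_trusted(remote_addr):
        return remote_addr
    chosen = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        chosen = hop
        if not recursive or not is_trusted(hop):
            break
    return chosen


def binary_key(addr: str) -> bytes:
    """The 4- or 16-byte value $binary_remote_addr holds for addr, i.e. the
    key limit_req_zone / limit_conn_zone store in their shared zone."""
    return ipaddress.ip_address(addr).packed


def limiter_key(remote_addr: str, xff: Optional[str], recursive: bool = False) -> bytes:
    """Key the rate limiter sees for this request under the answer's config."""
    return binary_key(real_ip(remote_addr, xff, recursive))


if __name__ == "__main__":
    # Constructed requests: 203.0.113.x is a direct client, 104.16.x.x a
    # Cloudflare edge, 198.51.100.7 the real visitor behind Cloudflare.
    cases = [
        ("direct, no header",      "203.0.113.5", None,                        False),
        ("direct, spoofed header", "203.0.113.5", "198.51.100.7",              False),
        ("via Cloudflare",         "104.16.1.1",  "198.51.100.7",              False),
        ("via Cloudflare, spoof",  "104.16.1.1",  "203.0.113.9, 198.51.100.7", False),
        ("two trusted hops, off",  "104.16.1.1",  "198.51.100.7, 104.16.2.2",  False),
        ("two trusted hops, on",   "104.16.1.1",  "198.51.100.7, 104.16.2.2",  True),
    ]
    for label, peer, header, rec in cases:
        print(f"{label:24s} -> {real_ip(peer, header, rec)}")
```

The "two trusted hops" cases show the one caveat worth knowing before copying real_ip_recursive off: if another trusted proxy ever sits between Cloudflare and nginx, the last X-Forwarded-For entry is that proxy's address, and every visitor behind it would share a single rate-limit bucket; real_ip_recursive on walks back past trusted hops to the real client instead.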
