4
votes

I have a defined zone in Nginx for limiting requests, it's plain straight forward as described in their documentation:

limit_req_zone $binary_remote_addr zone=leash:10m rate=18r/s;

So far so good.

It works great with clients who act offensively, but recently some of them have started rotating their IP addresses while accessing my service, mostly within a /24 range, so I was wondering whether it is possible to apply the zone connection count limit to a whole IP range (not just per IP), something like a --connlimit-mask 24 flag would do with iptables...?


2 Answers

2
votes

The easiest way would be a nginx combo of map and geo directives which would also give you the most flexibility, IMHO.

# geo matches the client address against CIDR ranges: 1 = range to be limited.
geo $geoRateBlacklist {
    default        0;
    192.0.0.0/24   1;
    10.0.0.0/24    1;
    172.0.0.0/24   1;
}

# Only flagged clients get a key; an empty key makes limit_req skip the request.
map $geoRateBlacklist $rateBlacklist {
    1              $binary_remote_addr;
    0              "";
}

# Must sit in the http context; activate it with "limit_req zone=leash;" in a server or location block.
limit_req_zone $rateBlacklist zone=leash:10m rate=18r/s;

Quickly done from memory but should work.

0
votes

It is possible to use the map directive with a regex to extract the subnet from $binary_remote_addr. For example, for a slash 16 subnet:

map $binary_remote_addr $bin_slash16 {
    # $binary_remote_addr is the 4 raw bytes of an IPv4 address; keep the first two (the /16).
    # (?s) lets "." match a 0x0A byte; without it any address with a 10 in the third or
    # fourth octet would not match and the key would be empty (i.e. not limited).
    # IPv6 addresses are 16 bytes and do not match this pattern, so they get an empty key.
    "~(?s)^(?P<a>..)..$" "$a";
}

Source: https://forum.nginx.org/read.php?2,271483,271788#msg-271788
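The following is an added example, not code from either answer, from the linked forum post, or from nginx itself. It models the prefix-key technique in Python so the map regexes can be checked offline: `$binary_remote_addr` is the same 4 raw bytes that `socket.inet_aton` returns, and Python's `re` treats `.` and `(?s)` the same way PCRE does. It also generalizes the second answer's /16 pattern to the /24 case the question asks about, and contrasts it with the plain per-address key (which is what the first answer's geo/map still produces inside the listed ranges). The `LeakyBucket` class is a simplified model of nginx's limit_req algorithm (excess decays at `rate`, each request adds one, reject above `burst`), not nginx's source, and the regex constants, rotating-client traffic and 18 r/s limit are constructed for the demonstration.

```python
import re
import socket

# Regex strings exactly as they would appear in "map $binary_remote_addr $key { ... }".
# (?s) is essential: without it "." refuses to match byte 0x0A, so every address with
# a 10 in a masked octet yields an empty key, and nginx does not rate limit an empty key.
NAIVE_SLASH16_RE = rb"^(?P<a>..)..$"    # as originally posted; fails on 0x0A bytes
SLASH16_RE = rb"(?s)^(?P<a>..)..$"      # keep 2 bytes -> one bucket per /16
SLASH24_RE = rb"(?s)^(?P<a>...).$"      # keep 3 bytes -> one bucket per /24 (the question's case)


def prefix_key(ip: str, pattern: bytes) -> bytes:
    """Key nginx would derive: the captured prefix bytes, or b"" if the map regex does not match."""
    packed = socket.inet_aton(ip)       # identical to $binary_remote_addr for IPv4
    m = re.match(pattern, packed)
    return m.group("a") if m else b""


class LeakyBucket:
    """Simplified model of ngx_http_limit_req (assumption, not nginx's code): per key,
    excess decays at `rate` requests/second, each request adds 1, and a request is
    rejected when the resulting excess exceeds `burst`. Rejections do not update state."""

    def __init__(self, rate: float, burst: float = 0.0):
        self.rate = rate
        self.burst = burst
        self.state = {}                 # key -> [last_ms, excess]

    def allow(self, key: bytes, now_ms: int) -> bool:
        if key == b"":
            return True                 # nginx applies no limit to an empty key
        st = self.state.get(key)
        if st is None:
            self.state[key] = [now_ms, 0.0]
            return True
        last_ms, excess = st
        excess = max(0.0, excess - self.rate * (now_ms - last_ms) / 1000.0 + 1.0)
        if excess > self.burst:
            return False
        st[0], st[1] = now_ms, excess
        return True


def simulate(key_func, ips, interval_ms: int, rate: float = 18.0, burst: float = 0.0) -> int:
    """Send one request per IP in order, `interval_ms` apart; return how many get through."""
    bucket = LeakyBucket(rate, burst)
    accepted = 0
    for i, ip in enumerate(ips):
        if bucket.allow(key_func(ip), i * interval_ms):
            accepted += 1
    return accepted


# Constructed sample traffic: one client rotating through 50 addresses in 203.0.113.0/24
# (TEST-NET-3), one request every 20 ms, i.e. 50 r/s against an 18 r/s limit.
ROTATING_IPS = [f"203.0.113.{n}" for n in range(1, 51)]


def per_address_key(ip: str) -> bytes:
    return socket.inet_aton(ip)         # plain $binary_remote_addr: a fresh bucket per address


def per_slash24_key(ip: str) -> bytes:
    return prefix_key(ip, SLASH24_RE)   # all 50 addresses share one bucket


if __name__ == "__main__":
    print(prefix_key("192.168.10.5", NAIVE_SLASH16_RE))  # b'': the 0x0A byte broke the match
    print(prefix_key("192.168.10.5", SLASH16_RE))        # b'\xc0\xa8'
    print("per address:", simulate(per_address_key, ROTATING_IPS, 20))  # 50: the limit never fires
    print("per /24:    ", simulate(per_slash24_key, ROTATING_IPS, 20))  # 17: roughly 18 r/s pass
```

With the per-address key every rotated request lands in a fresh bucket and nothing is limited; with the /24 key the whole range shares one bucket and only about 18 r/s get through. The naive pattern without `(?s)` silently exempts any address carrying a 10 in a masked octet, which is the kind of gap worth checking with `curl` from such an address before relying on the map in production.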