Conditional Limit Req
Conditional Limit Request Module
Synopsis
SEnginx's enhanced limit_req module is based on tengine's version of nginx's limit_req module. It improves on the original nginx limit_req with forbid_action, apply conditions and an IP whitelist.
SEnginx adds a new condition parameter, which accepts a variable and runs limit_req only when the variable's value is true. The enhanced limit_req module can be used along with the HTTP Robot Mitigation and IP Access Behavior modules to build more strategies for request limiting and anti-DDoS protection.
This feature is available since version 1.5.10.
Directives
limit_req
Syntax | limit_req zone=zone_name [burst=burst] [forbid_action=action] [nodelay] [condition=$cond]; |
Context | http, server, location |
The new "forbid_action" parameter specifies the action URL to redirect to if the request rate exceeds the zone limit. forbid_action can be a named location.
If the new "condition" parameter is true, the limit_req limiting rule is active. Otherwise the rule is not applied.
limit_req_whitelist
Syntax | limit_req_whitelist geo_var_name=var_name geo_var_value=var_value; |
Context | http, server, location |
Defines a whitelist that bypasses limit_req.
'geo_var_name' is the name of a variable declared with the geo module, and 'geo_var_value' is its value. For example:
geo $local_ip {
    ranges;
    default 0;
    127.0.0.1-127.0.0.255 1;
}

limit_req_whitelist geo_var_name=local_ip geo_var_value=1;
Configuration Example
Apply request limiting to a sensitive resource.
Read more: IP Access Behavior Module
limit_req_zone $binary_remote_addr $request_uri zone=cc:10m rate=3r/s;
...
location ~ /bbs/.*\.php {
    ip_behavior_sensitive;

    set $cond 0;
    ifall ($insensitive_percent >= 0) ($insensitive_percent <= 30) {
        set $cond 1;
    }

    limit_req zone=cc burst=3 forbid_action=@process condition=$cond;
    proxy_pass http://backend;
}

location @process {
    ns_layer_force_run;
    robot_mitigation on;
    robot_mitigation_blacklist 5;
    proxy_pass http://backend;
}
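The whitelist, condition and forbid_action parameters can also be combined in one location. The following is an added example, not taken from the SEnginx documentation. The zone name "login", the 10.0.0.0/8 range, the /login path, the backend address, the @throttled location and the 429 status are assumptions, and the condition variable is assumed to be true when it is 1, as in the example above.

```nginx
# Added example. All names, addresses and paths below are constructed.
http {
    upstream backend {
        server 127.0.0.1:8080;           # constructed backend address
    }

    # 1 = trusted source that bypasses limit_req through limit_req_whitelist
    geo $trusted_ip {
        ranges;
        default 0;
        127.0.0.1-127.0.0.255 1;
        10.0.0.0-10.255.255.255 1;       # assumed internal monitoring range
    }

    # Condition variable: 1 only for POST, so fetching the login form with
    # GET is never counted against the zone.
    map $request_method $limit_login {
        default 0;
        POST    1;
    }

    # One bucket per client address, 1 request per second.
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    server {
        listen 80;

        location = /login {
            # Trusted addresses skip the limit entirely.
            limit_req_whitelist geo_var_name=trusted_ip geo_var_value=1;

            # The rule is active only when $limit_login is 1. Requests over
            # rate plus burst are redirected to @throttled.
            limit_req zone=login burst=5 forbid_action=@throttled condition=$limit_login;

            proxy_pass http://backend;
        }

        # Named location used as the forbid_action target.
        location @throttled {
            return 429;
        }
    }
}
```

Keep the whitelist ranges as narrow as possible: any address that matches geo_var_value is never rate limited, so a range that is too broad removes the protection for every client inside it.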