3

This answer is perfect dealing with bypassing rate limiting with IP addresses.

If I need to bypass rate limiting with a secret header, how do I achieve this?

Ref:

http {
    geo $whitelist {
       default 0;
       # CIDR in the list below are not limited
       1.2.3.0/24 1;
       9.10.11.12/32 1;
       127.0.0.1/32 1;
    }
    map $whitelist $limit {
        0     $binary_remote_addr;
        1     "";
    }
    limit_conn_zone      $limit    zone=connlimit:10m;

    limit_conn           connlimit 5;
    limit_conn_log_level warn;   # logging level when threshold exceeded
    limit_conn_status    503;    # the error code to return
Quintin Par
  • 4,293
  • 10
  • 46
  • 72
  • I'm curious why you want to do this. Perhaps you could edit your question to give more context, as someone may come up with a solution that's easier to implement. – Tim Aug 21 '17 at 22:54
  • @Tim, how exactly could this get any easier?! – cnst Aug 22 '17 at 06:34
  • Your implementation doesn't seem difficult, but I didn't see it before I commented. An alternative approach that avoided needing to write and maintain the configuration, and write the code to set headers, could be preferable. Considering the bigger picture rarely hurts. – Tim Aug 22 '17 at 08:06

2 Answers2

6

The usual reason for these questions is that most of these directives cannot be used from within the context of the if statement, hence, how would one be able to conditionally specify different limits?

The answer is to use intermediate variables — just as in the linked answer, use set the limits using variables, where, subsequently, the values of those variables would differ depending on a map or an if statement.

http {
    map $http_x_secret_header $limit {
        default      $binary_remote_addr;
        secretvalue  "";
    }
    limit_conn_zone      $limit    zone=connlimit:10m;
    …

Ref:

cnst
  • 12,948
  • 7
  • 51
  • 75
  • Will “” for $limit create an empty key or no key? – Quintin Par Aug 22 '17 at 06:02
  • 1
    As per the linked documentation, *"Requests with an empty key value are not accounted."*. (It's the exact same rationale/code as in the answer you link.) – cnst Aug 22 '17 at 06:11
  • Does nginx strip preceding and trailing spaces for the "secretvalue". E.g. curl -H "my_secret_header: true " – Quintin Par Aug 22 '17 at 18:06
  • @QuintinPar, yes, nginx is compliant with http://tools.ietf.org/html/rfc7230#section-3.2, and `OWS` is stripped out. – cnst Aug 23 '17 at 07:15
6

FWIIW, I've also looked at the other "weird" answer to the question you link — it was written in 2011, had only 3 upvotes earlier today in 2017, compared to 23 upvotes for the more recent answer circa 2014 that you quote. Perhaps somewhat surprisingly, the older ignored answer does actually work without any issues as well!

Here's my take at the full MVP config, fully tested:

server {
    listen 7461;
    error_page 429 = @slowdown;
    if ($http_x_secret_header != secret_value) {
        return 429;
    }
    location @slowdown {
        #limit_...
        return 200 "$uri: slowed down\n";
    }
    location / {
        return 200 "$uri: very fast\n";
    }
}

Here's the testing to show you that it all works, including the fact that the correct 200 OK code is returned:

%curl -H "X-Secret-Header: secret_value" localhost:7461/important/path/
/important/path/: very fast

%curl -H "X-Secret-Header: wrong_value" localhost:7461/important/path/
/important/path/: slowed down

%curl -v localhost:7461/important/path/ | & fgrep -e HTTP/ -e /important
> GET /important/path/ HTTP/1.1
< HTTP/1.1 200 OK
/important/path/: slowed down
%

So, yes, the error_page redirection does actually work, too!


Let me explain the rationale for the weird error_page answer — in nginx, you can do both external redirects (visible to the client), as well as internal redirects (done internally, without any intermediate replies to the client).

This internal vs. external difference is a very powerful concept, without which many cool tricks wouldn't be possible, since the configuration language is simple enough to limit the number of directives available from within an if statement, as well as not allow nested if statements.

So, instead, with the internal redirects, the $uri can be changed internally, causing your request to bounce around between multiple independent locations (think of each location as a state in a DFA (deterministic finite automaton)), until a desired result is achieved (for an extreme example of this, take a look at http://mdoc.su/, as seen at nginx.conf 2016).


To summarise, in the example above:

  • we repurpose the 429 error_page to act as an internal redirect to an internal location, and then process such internal location in the very same way as a non-internal location would have been processed, except for the addition of some additional variables or directives;

  • we also use the = parameter to error_page directive to instruct nginx to not actually send the 429 code back to the client, but instead let the further processing dictate what the final status code should be.

cnst
  • 12,948
  • 7
  • 51
  • 75