From a75f28e073dda0c39af58e5ea319630bd2b6c329 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 10 Apr 2026 19:00:33 -0700
Subject: [PATCH] Fix fly.io proxy rate limit to key on real client IP

The general rate limit zone used $binary_remote_addr (Fly's internal proxy IP), causing all external clients to share one bucket. Switch to $http_fly_client_ip to match forge_auth's correct behavior.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md | 1 +
 fly/nginx.conf | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md

diff --git a/docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md b/docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md
new file mode 100644
index 0000000..1473ab1
--- /dev/null
+++ b/docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md
@@ -0,0 +1 @@
+Fix Fly.io proxy rate limiting to key on real client IP instead of Fly's internal proxy IP, so crawlers no longer consume the shared rate limit bucket for all clients.
diff --git a/fly/nginx.conf b/fly/nginx.conf
index 992a5df..75cd102 100644
--- a/fly/nginx.conf
+++ b/fly/nginx.conf
@@ -27,7 +27,7 @@ http {
 access_log /var/log/nginx/access.json.log json_log;
 # Rate limiting zones — define per-service zones as needed
- limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
+ limit_req_zone $http_fly_client_ip zone=general:10m rate=10r/s;
 # Forge-specific rate limit keyed on real client IP (Fly-Client-IP header).
 # $binary_remote_addr is Fly's internal proxy IP — all clients share one
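Review bot: Keying the `general` zone on `$http_fly_client_ip` leaves any request without a Fly-Client-IP header with an empty key, and nginx does not account empty-key requests in `limit_req_zone`, so those requests are not rate limited at all. The key is also a request header, so the limit is only as trustworthy as the guarantee that Fly's proxy always sets or overwrites it and that nothing else can reach this listener; neither is visible in this hunk and both are worth confirming. A `map` that falls back to `$binary_remote_addr` when the header is empty keeps the zone fail-closed, as sketched below. The forge zone whose comment starts at the end of the hunk appears to key on the same header and may want the same fallback; its definition lies outside the hunk.

```nginx
# Fall back to the peer address when Fly-Client-IP is absent, so the key is never empty.
map $http_fly_client_ip $general_limit_key {
    ""      $binary_remote_addr;
    default $http_fly_client_ip;
}
limit_req_zone $general_limit_key zone=general:10m rate=10r/s;
```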