Fix fly.io proxy rate limit to key on real client IP
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 2m24s
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 2m24s
The general rate limit zone used $binary_remote_addr (Fly's internal proxy IP), causing all external clients to share one bucket. Switch to $http_fly_client_ip to match forge_auth's correct behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
40556e5a2d
commit
a75f28e073
2 changed files with 2 additions and 1 deletions
|
|
@ -27,7 +27,7 @@ http {
|
|||
access_log /var/log/nginx/access.json.log json_log;
|
||||
|
||||
# Rate limiting zones — define per-service zones as needed
|
||||
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
|
||||
limit_req_zone $http_fly_client_ip zone=general:10m rate=10r/s;
|
||||
|
||||
# Forge-specific rate limit keyed on real client IP (Fly-Client-IP header).
|
||||
# $binary_remote_addr is Fly's internal proxy IP — all clients share one
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue