Fix fly.io proxy rate limit to key on real client IP
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 2m24s
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 2m24s
The general rate limit zone used $binary_remote_addr (Fly's internal proxy IP), causing all external clients to share one bucket. Switch to $http_fly_client_ip to match forge_auth's correct behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
40556e5a2d
commit
a75f28e073
2 changed files with 2 additions and 1 deletions
1
docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md
Normal file
1
docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Fix Fly.io proxy rate limiting to key on real client IP instead of Fly's internal proxy IP, so crawlers no longer consume the shared rate limit bucket for all clients.
|
||||||
|
|
@ -27,7 +27,7 @@ http {
|
||||||
access_log /var/log/nginx/access.json.log json_log;
|
access_log /var/log/nginx/access.json.log json_log;
|
||||||
|
|
||||||
# Rate limiting zones — define per-service zones as needed
|
# Rate limiting zones — define per-service zones as needed
|
||||||
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
|
limit_req_zone $http_fly_client_ip zone=general:10m rate=10r/s;
|
||||||
|
|
||||||
# Forge-specific rate limit keyed on real client IP (Fly-Client-IP header).
|
# Forge-specific rate limit keyed on real client IP (Fly-Client-IP header).
|
||||||
# $binary_remote_addr is Fly's internal proxy IP — all clients share one
|
# $binary_remote_addr is Fly's internal proxy IP — all clients share one
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue