I’m trying to configure fail2ban to block ddos attacks using the chunk shown here.
Basically it looks at all requests and if any single IP makes more than 240 requests over 60 seconds it blocks them for two days.
However all the logs in my nginx access are from 127.0.0.1 which makes the whole thing pointless.
What could cause nginx to log all traffic as coming from the server?
(I’m running Drupal on a LEMP stack with perusio’s nginx config.)
Since you have varnish in front of nginx, it thinks all the requests are coming from 127.0.0.1, since technically they are.
To resolve this, use the nginx real ip module to pick the client’s IP address out of the
X-Forwarded-For header, which Varnish automatically adds to requests (unless you told it not to).
An example nginx configuration would be:
set_real_ip_from 127.0.0.1; real_ip_header X-Forwarded-For;
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.