
How does Nginx implement rate limiting? What are the rate limiting strategies?

2月21日 16:57


Nginx provides rate limiting that helps mitigate DDoS attacks, protects server resources and throttles abusive request patterns. It is implemented mainly by two modules: limit_req (request rate) and limit_conn (concurrent connections).

Request Rate Limiting (limit_req):

```nginx
http {
    # Rate limiting zone keyed by client IP
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;

    # Rate limiting zone keyed by request URI
    limit_req_zone $request_uri zone=uri:10m rate=5r/s;

    # Rate limiting zone keyed by server name
    limit_req_zone $server_name zone=server:10m rate=100r/s;

    server {
        listen 80;
        server_name example.com;

        # Apply rate limiting
        location / {
            limit_req zone=one burst=20 nodelay;
            proxy_pass http://backend;
        }

        # API endpoint rate limiting
        location /api/ {
            limit_req zone=one burst=10 nodelay;
            limit_req_status 429;
            proxy_pass http://api_backend;
        }
    }
}
```

Parameter Explanation:

  1. limit_req_zone: defines a rate limiting zone
     • $binary_remote_addr: client IP address (binary form, saves memory)
     • zone=one:10m: zone name and shared memory size (10 MB holds the state of about 160,000 IPs)
     • rate=10r/s: allow 10 requests per second
  2. limit_req: applies a rate limiting rule
     • zone=one: the zone to use
     • burst=20: how many requests above the rate may be queued before further requests are rejected
     • nodelay: serve queued burst requests immediately instead of pacing them to the configured rate
  3. limit_req_status: status code returned when the limit is exceeded (default 503)
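As an added illustration (not from the original answer and not nginx's own code), the following Python model reproduces how limit_req accounts for one zone: how burst lets requests queue above the rate, what nodelay changes, and when a request is rejected. The traffic and client address are constructed.

```python
"""Model of how limit_req decides PASSED / DELAYED / REJECTED for one zone."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LimitReqZone:
    rate: float        # requests per second, e.g. rate=10r/s -> 10.0
    burst: int         # burst=20 -> up to 20 requests may queue above the rate
    nodelay: bool = False
    # per-key state kept in the shared zone: (excess requests, last seen time)
    state: Dict[str, Tuple[float, float]] = field(default_factory=dict)


def limit_req(zone: LimitReqZone, key: str, now: float) -> Tuple[str, float]:
    """Decide one request; returns (status, delay_seconds).

    Mirrors nginx's leaky-bucket accounting: the bucket drains at `rate`
    requests per second, every accepted request adds one, and a request is
    rejected when the excess would exceed `burst`.
    """
    if key not in zone.state:                  # first request for this key
        zone.state[key] = (0.0, now)
        return "PASSED", 0.0
    stored, last = zone.state[key]
    excess = max(stored - zone.rate * (now - last) + 1.0, 0.0)
    if excess > zone.burst:
        return "REJECTED", 0.0                 # rejected requests are not counted
    zone.state[key] = (excess, now)
    if excess > 0 and not zone.nodelay:
        return "DELAYED", excess / zone.rate   # queued until the bucket has room
    return "PASSED", 0.0


def simulate(rate: float, burst: int, nodelay: bool,
             arrivals: List[Tuple[float, str]]) -> List[str]:
    """Run a list of (time_seconds, client_key) arrivals through one zone."""
    zone = LimitReqZone(rate, burst, nodelay)
    return [limit_req(zone, key, t)[0] for t, key in arrivals]


if __name__ == "__main__":
    # Constructed traffic: 25 requests in the same instant from one client,
    # then one more a second later. With rate=10r/s burst=20 nodelay the
    # first 21 pass (1 at the rate + 20 burst), 4 are rejected, and the
    # late request passes because 10 slots drained during that second.
    client = "203.0.113.7"
    print(simulate(10, 20, True, [(0.0, client)] * 25 + [(1.0, client)]))
```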

Connection Limiting (limit_conn):

```nginx
http {
    # Connection limiting zone keyed by client IP
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    # Connection limiting zone keyed by server name
    limit_conn_zone $server_name zone=server:10m;

    server {
        listen 80;
        server_name example.com;

        # Limit concurrent connections per IP
        limit_conn addr 10;

        # Limit total connections to this server
        limit_conn server 1000;

        location / {
            proxy_pass http://backend;
        }
    }
}
```

Bandwidth Limiting:

```nginx
server {
    listen 80;
    server_name example.com;

    location /download/ {
        # Limit download speed to 1 MB/s per connection
        limit_rate 1m;
        # No limit for the first 10 MB of each response
        limit_rate_after 10m;
        root /var/www/files;
    }
}
```

Comprehensive Rate Limiting Configuration:

```nginx
http {
    # Request rate limiting
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
    limit_req_zone $request_uri zone=uri_limit:10m rate=5r/s;

    # Connection limiting
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

    # Status codes returned when a limit is hit
    limit_req_status 429;
    limit_conn_status 429;

    server {
        listen 80;
        server_name example.com;

        # Global per-IP connection limit
        limit_conn conn_limit 10;

        # Homepage rate limiting
        location = / {
            limit_req zone=req_limit burst=20 nodelay;
            proxy_pass http://backend;
        }

        # API endpoints: strict rate limiting, per IP and per URI
        location /api/ {
            limit_req zone=req_limit burst=5 nodelay;
            limit_req zone=uri_limit burst=2 nodelay;
            proxy_pass http://api_backend;
        }

        # Download rate limiting
        location /download/ {
            limit_rate 1m;
            limit_rate_after 10m;
            root /var/www/files;
        }

        # Static resources: no rate limiting
        location ~* \.(css|js|jpg|jpeg|png|gif|ico|svg|woff|woff2)$ {
            root /var/www/static;
        }
    }
}
```

Whitelist Configuration:

```nginx
http {
    # Define rate limiting zone
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;

    # Whitelist: geo values are plain strings, not variables, so first
    # flag trusted ranges with 0 and everything else with 1 ...
    geo $limit {
        default        1;
        192.168.1.0/24 0;
        10.0.0.0/8     0;
    }

    # ... then map the flag to the zone key; an empty key means the
    # request is not counted, so whitelisted clients are never limited
    map $limit $limit_key {
        0 "";
        1 $binary_remote_addr;
    }

    # Rate limiting keyed by the whitelist-aware key
    limit_req_zone $limit_key zone=whitelist_limit:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            limit_req zone=whitelist_limit burst=20 nodelay;
            proxy_pass http://backend;
        }
    }
}
```

Dynamic Rate Limiting:

```nginx
http {
    # Rate limiting based on request method: GET and HEAD get an empty
    # key and are not counted, all other methods are limited per IP
    map $request_method $limit_key {
        default $binary_remote_addr;
        GET     "";
        HEAD    "";
    }

    limit_req_zone $limit_key zone=dynamic_limit:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            limit_req zone=dynamic_limit burst=20 nodelay;
            proxy_pass http://backend;
        }
    }
}
```

Rate Limiting Logging:

```nginx
http {
    # Custom log format with rate limiting information
    # ($limit_req_status is PASSED, DELAYED or REJECTED)
    log_format limit '$remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent" '
                     'rt=$request_time limit=$limit_req_status';

    access_log /var/log/nginx/access.log limit;

    # Rate limiting zone
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            limit_req zone=req_limit burst=20 nodelay;
            limit_req_log_level warn;
            proxy_pass http://backend;
        }
    }
}
```
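To turn this log format into the monitoring the later sections recommend, here is an added Python example (not from the original answer) that parses lines in the `limit` format above and counts PASSED / DELAYED / REJECTED outcomes per client, flagging clients that are being rejected repeatedly. The log lines are constructed samples.

```python
"""Summarise $limit_req_status outcomes per client from the `limit` log format."""
import re
from collections import Counter, defaultdict

# One regex for the log_format defined above; the trailing limit= value is
# PASSED, DELAYED or REJECTED, or empty where no limit_req applied.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'rt=(?P<rt>[\d.]+) limit=(?P<limit>\S*)$'
)

def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarise(lines):
    """Map client address -> Counter of limit outcomes ("NONE" when empty)."""
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_client[rec["addr"]][rec["limit"] or "NONE"] += 1
    return per_client

def noisy_clients(per_client, min_rejected=3):
    """Clients with >= min_rejected rejections -> (rejected, share of their requests)."""
    result = {}
    for addr, counts in per_client.items():
        rejected = counts["REJECTED"]
        if rejected >= min_rejected:
            result[addr] = (rejected, round(rejected / sum(counts.values()), 2))
    return result

# Constructed sample lines in the `limit` format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2025:16:57:01 +0000] "GET /api/users HTTP/1.1" 200 512 "-" "curl/8.5.0" rt=0.012 limit=PASSED
203.0.113.7 - - [21/Feb/2025:16:57:01 +0000] "GET /api/users HTTP/1.1" 200 512 "-" "curl/8.5.0" rt=0.011 limit=PASSED
203.0.113.7 - - [21/Feb/2025:16:57:01 +0000] "GET /api/users HTTP/1.1" 429 0 "-" "curl/8.5.0" rt=0.000 limit=REJECTED
203.0.113.7 - - [21/Feb/2025:16:57:01 +0000] "GET /api/users HTTP/1.1" 429 0 "-" "curl/8.5.0" rt=0.000 limit=REJECTED
203.0.113.7 - - [21/Feb/2025:16:57:02 +0000] "GET /api/users HTTP/1.1" 429 0 "-" "curl/8.5.0" rt=0.000 limit=REJECTED
192.0.2.9 - - [21/Feb/2025:16:57:02 +0000] "POST /api/orders HTTP/1.1" 201 64 "-" "python-requests/2.31" rt=0.215 limit=DELAYED
198.51.100.2 - alice [21/Feb/2025:16:57:03 +0000] "GET /app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0" rt=0.001 limit=
""".splitlines()

if __name__ == "__main__":
    print(noisy_clients(summarise(SAMPLE_LOG)))   # {'203.0.113.7': (3, 0.6)}
```

A rejected share near 1.0 for a single client suggests abuse, while many clients with small rejected shares suggest the rate or burst is set too low for legitimate traffic.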

Rate Limiting Strategy Selection:

  1. Fixed window rate limiting: rate=10r/s, fixed number of requests per second
  2. Sliding window rate limiting: Implemented through burst parameter
  3. Token bucket algorithm: Nginx default, allows burst traffic
  4. Leaky bucket algorithm: Controlled through nodelay parameter

Practical Use Cases:

1. API Endpoint Rate Limiting:

```nginx
# Rates are written as r/s or r/m (100r/m = 100 requests per minute)
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;

location /api/ {
    limit_req zone=api_limit burst=10 nodelay;
    limit_req_status 429;
    # Static informational headers: limit_req does not expose a live remaining count
    add_header X-RateLimit-Limit "100";
    add_header X-RateLimit-Remaining "90";
    add_header X-RateLimit-Reset "60";
    proxy_pass http://api_backend;
}
```

2. Login Endpoint Rate Limiting:

```nginx
# 5 login attempts per minute per IP (r/m, not r/min)
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;

location /login {
    limit_req zone=login_limit burst=2 nodelay;
    limit_req_status 429;
    proxy_pass http://auth_backend;
}
```

3. File Download Rate Limiting:

```nginx
location /download/ {
    # 500 KB/s per connection after the first 5 MB
    limit_rate 500k;
    limit_rate_after 5m;
    root /var/www/files;
}
```

4. Prevent Brute Force Attacks:

```nginx
# 3 requests per minute per IP across all authentication endpoints
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=3r/m;

location ~* ^/(login|register|reset-password) {
    limit_req zone=auth_limit burst=1 nodelay;
    limit_req_status 429;
    proxy_pass http://auth_backend;
}
```

Monitoring and Debugging:

```nginx
# Expose the rate limiting outcome of the current request (debugging aid)
location /limit_status {
    limit_req_status 429;
    default_type text/plain;
    return 200 "Rate limit status: $limit_req_status";
}

# Basic connection statistics from the stub_status module, local access only
location /nginx_status {
    stub_status on;
    access_log off;
    allow 127.0.0.1;
    deny all;
}
```

Best Practices:

  1. Set reasonable rates: choose limits that match the business requirements of each endpoint
  2. Use burst: allow a controlled amount of burst traffic instead of rejecting every spike
  3. Return friendly errors: return a 429 status code with a clear message
  4. Whitelist mechanism: exempt trusted IP ranges from rate limiting
  5. Monitor rate limiting effects: review the rate limiting logs regularly and adjust the strategy
  6. Layered rate limiting: apply different limits to different endpoints
  7. Combine with caching: serve static resources from cache to reduce the load the limits have to absorb

Performance Considerations:

  1. Shared memory size: size each zone for the expected number of distinct keys (about 16,000 IP states per MB)
  2. Rate limiting granularity: choose an appropriate key (IP, URI, etc.)
  3. Log level: use the warn level in production to reduce log volume
  4. nodelay usage: decide per scenario whether queued burst requests should be served immediately or paced
Tags: Nginx