Rate Limiting in Nginx

Learn and community

Check out our wide range of our courses.
We have a Discord community where you can ask questions and get help from the community.

Adding Rate Limiting to the Server

Nginx provides a simple way to add rate limiting using the limit_req_zone and limit_req directives.

1. Edit the main configuration file to define a rate limit zone:

   sudo nano /etc/nginx/nginx.conf

2. Add the following to the http block:

   http {
       limit_req_zone $binary_remote_addr zone=mylimit:10m rate=2r/s;
   
       ...
   }

   The directive limit_req_zone is used in Nginx to define a shared memory zone that will be used to store the state of rate limits for incoming requests. Here’s a breakdown of the specific directive you provided:

   limit_req_zone $binary_remote_addr zone=mylimit:10m rate=2r/s;

   • $binary_remote_addr: This is a variable that holds the client’s IP address in a binary format. Using the binary format saves memory, which is important when dealing with large numbers of requests.

   • zone=mylimit:10m: This specifies the name and size of the shared memory zone used to store the state of rate limits.

   • mylimit is the name of the zone.

   • 10m means that the size of the zone is 10 megabytes. This size dictates how many IP addresses and their request states can be stored in memory. A 10MB zone can typically store about 160,000 states (given that each state takes about 64 bytes).

   • rate=2r/s: This sets the request rate limit.

   • 2r/s means that each IP address is allowed to make 2 requests per second.

   When you configure limit_req_zone in your Nginx configuration, it sets up a system to control how many requests a client can make to your server in a given time frame. This can help protect your server from being overwhelmed by too many requests from a single client, which can be a form of denial-of-service attack.

3. Edit your server block configuration to apply the rate limit:

   sudo nano /etc/nginx/sites-available/default

4. Add the following inside the server block:

   server {
       ...
   
       location / {
           limit_req zone=mylimit burst=20 nodelay;
           try_files $uri $uri/ =404;
       }
   
       ...
   }

   • limit_req zone=mylimit burst=20 nodelay;: This applies the rate limiting defined by the mylimit zone.
   • burst=20 allows a burst of up to 20 requests beyond the defined rate. So, even if the rate limit is set to 2 requests per second, the burst allows up to 20 requests to be made in a second. The requests exceeding the rate limit will be rejected immediately.
   • nodelay means that requests that exceed the rate limit should be rejected immediately rather than delayed.

5. Test and reload Nginx:

   sudo nginx -t
   sudo systemctl reload nginx