Nginx rate limiting is a powerful feature that allows you to control the number of requests a client can make to your server within a specified period. This is useful for preventing abuse, protecting against DDoS attacks, and ensuring fair usage of resources. In Nginx, rate limiting is typically implemented using the limit_req module. Here is a detailed explanation of Nginx rate limiting:
1. Edit Nginx Configuration File.
Open your Nginx configuration file using a text editor.
[root@siddhesh ~]# vim /etc/nginx/nginx.conf
2. Define a limit_req_zone.
Inside the http context, define a shared memory zone for rate limiting using the limit_req_zone directive. This is where Nginx will store information about clients.
[root@siddhesh ~]# grep limit_req_zone /etc/nginx/nginx.conf
limit_req_zone $binary_remote_addr zone=builddevopslimit:20m rate=10r/m;
[root@siddhesh ~]#
Let's break down the components of this configuration:
limit_req_zone: This NGINX directive is used to configure a shared memory zone for rate limiting.
$binary_remote_addr: This is an NGINX variable denoting the binary form of the client's IP address. It's a way of uniquely identifying clients based on their IP addresses.
zone=builddevopslimit:20m: This part defines the rate limiting zone.
  builddevopslimit is the name given to the zone.
  20m specifies the size of the zone in megabytes. This is the amount of shared memory allocated for storing information about clients and their request rates.
rate=10r/m: This sets the rate at which requests are allowed.
  10r/m means that the server will allow up to 10 requests per minute from a single IP address. If the rate exceeds this limit, additional requests will be delayed.
3. Apply Rate Limiting to a Location.
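In the location block where you want to apply rate limiting, use the limit_req directive. The directive is also valid in the server and http contexts; the example below sets it at the server level, so it applies to every location in this server block.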
server {
    listen 8000;
    listen [::]:8000;
    server_name _;
    root /usr/share/nginx/html;

    # Apply the zone defined with limit_req_zone in the http context.
    limit_req zone=builddevopslimit;

    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html {
    }
}
limit_req zone=builddevopslimit; is the rate-limiting directive. It uses the limit_req module to control the request rate. Requests are limited according to the zone named builddevopslimit, which was defined with limit_req_zone in step 2.
4. Restart Nginx.
After making changes to the configuration, restart Nginx to apply the changes.
[root@siddhesh ~]# systemctl restart nginx
5. Testing.
From the remote server, i.e., 192.168.1.2, run the following bash one-liner to send 20 requests to the server, i.e., 192.168.1.1.
[root@remote ~]# for i in {1..20}; do wget --server-response http://192.168.1.1:8000; done
6. Server Side Log.
As you can see from the nginx access log below, the first 10 requests were successfully processed (Response Code : 200) by the server. However, after that, Nginx restricted access (Response Code : 429) to the remote server as per the rate limit policy.
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:34:50 +0530] "GET / HTTP/1.1" 200 14 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:35:37 +0530] "GET / HTTP/1.1" 200 44 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:35:37 +0530] "GET / HTTP/1.1" 429 169 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:35:37 +0530] "GET / HTTP/1.1" 429 169 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:35:37 +0530] "GET / HTTP/1.1" 429 169 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:35:37 +0530] "GET / HTTP/1.1" 429 169 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:35:37 +0530] "GET / HTTP/1.1" 429 169 "-" "Wget/1.14 (linux-gnu)" "-"
192.168.1.2 - - [21/Dec/2023:16:35:37 +0530] "GET / HTTP/1.1" 429 169 "-" "Wget/1.14 (linux-gnu)" "-"
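How limit_req decides between passing, delaying and rejecting under rate=10r/m, as an added example: a simplified Python model of the leaky-bucket accounting described in the nginx documentation, not nginx's own code and not part of the original post. The burst and nodelay parameters of limit_req do not appear in the configuration above; simulate, count and the sample arrival times are constructed for this example, and nginx's internal integer rounding is ignored.

```python
# Simplified model of limit_req's leaky bucket for ONE client key (one IP).
# Assumption: float arithmetic; nginx itself works in integer milli-requests.

def simulate(arrivals_ms, rate_per_min, burst=0, nodelay=False):
    """Return one (verdict, delay_ms) tuple per request.

    verdict is "pass" or "reject"; delay_ms is how long a passed request is
    held before being processed (always 0 with nodelay).
    """
    rate_per_ms = rate_per_min / 60_000.0   # how fast the bucket drains
    excess = 0.0                            # requests currently held in the bucket
    last = None                             # time of the last accounted request
    out = []
    for now in arrivals_ms:
        if last is None:                    # first request seen for this key
            last = now
            out.append(("pass", 0))
            continue
        drained = max(0, now - last) * rate_per_ms
        new_excess = max(0.0, excess - drained + 1.0)
        if new_excess > burst:              # bucket overflow: reject, state unchanged
            out.append(("reject", 0))
            continue
        excess, last = new_excess, now
        delay = 0 if nodelay else round(excess / rate_per_ms)
        out.append(("pass", delay))
    return out


def count(results, verdict):
    return sum(1 for v, _ in results if v == verdict)


# Constructed input: 20 back-to-back requests, like the wget loop (all at t=0 ms).
BURST_OF_20 = [0] * 20
# Constructed input: one request every 7 seconds, which stays under 10r/m.
PACED = [i * 7000 for i in range(5)]

if __name__ == "__main__":
    cases = [("rate=10r/m", {}),
             ("rate=10r/m burst=9", {"burst": 9}),
             ("rate=10r/m burst=9 nodelay", {"burst": 9, "nodelay": True})]
    for label, kw in cases:
        r = simulate(BURST_OF_20, 10, **kw)
        print(f"{label:28} passed={count(r, 'pass'):2} "
              f"rejected={count(r, 'reject'):2} max_delay_ms={max(d for _, d in r)}")
```

In this model a burst value is what lets ten back-to-back requests through before rejections start; with burst unset, 10r/m behaves as one request every six seconds. Rejected requests receive 503 by default, and a 429 like the one in the log requires the limit_req_status 429; directive.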