Forum Discussion

devthedev
Sep 14, 2022

Rate limiting on NGINX

We are using NGINX as a proxy server+load balancer for other servers on the same network that use Apache.

For security, we want to apply a rate limiting per IP, so that if there are more than 100 requests in a second, or even more than 100 requests for the same page in a short period of time, the source IP will be blocked for a while.

Another idea we had was if the IP triggers more than 100 requests in which all of them returned a 404, 403 or 500 code in a small amount of time, the IP would also be blocked.

Using Apache logs + fail2ban and mod_evasive, we were able to do something very similar.
But with Nginx we couldn't: we tried to apply a basic rate-limit rule, but before reaching the limit we already get blocking errors.

We use the settings below to configure this block when the user reaches the limit.

limit_req_zone $binary_remote_addr zone=one:10m rate=200r/s;
limit_req zone=one burst=20;

It so happens that even if a user makes 97 AJAX requests on the first access, Nginx blocks these requests, as shown in the log below:

2022/07/19 11:10:37 [error] 8494#8494: *1698 limiting requests, excess: 20.600 by zone "one", client: [USER-IP], server: example.com, request: "GET /views/components/page-1.html HTTP/1.1", host: "example.com", referrer: "https://example.com/dash.html"
2022/07/19 11:10:37 [error] 8495#8495: *1699 limiting requests, excess: 20.600 by zone "one", client: [USER-IP], server: example.com, request: "GET /views/components/page-2.html HTTP/1.1", host: "example.com", referrer: "https://example.com/dash.html"
2022/07/19 11:10:37 [error] 8495#8495: *1702 limiting requests, excess: 20.800 by zone "one", client: [USER-IP], server: example.com, request: "GET /views/components/page-3.html HTTP/1.1", host: "example.com", referrer: "https://example.com/dash.html"

How can we make these settings on our NGINX server?


2 Replies

  • Have you tried increasing your burst and adding nodelay? Burst is an absolute value, not a rate, btw.

    • Came here to say the same, your config looks correct. Except - why is burst smaller than rate? Should be the other way to allow bursts.
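As an added example, not code from the thread or from NGINX itself, the Python model below approximates the leaky bucket behind limit_req (assumed from the module's documented behaviour: excess requests above the rate may not exceed burst; accepted excess is delayed unless nodelay is set) and replays the post's 97-AJAX-request page load with the original burst=20, with a larger burst plus nodelay, and then a sustained 400 r/s flood to show the reply's point that burst is an absolute count, not a rate.

```python
# Added example (not from the thread): a leaky-bucket model approximating how
# nginx's limit_req decides to accept, delay or reject (503) a request.
# Assumptions: a single client key in a single zone; state is only updated
# when a request is accepted, as in ngx_http_limit_req_module.
from dataclasses import dataclass


@dataclass
class LimitReq:
    rate: float            # requests/second, i.e. rate=200r/s -> 200
    burst: int             # limit_req burst=N (absolute count, not a rate)
    nodelay: bool = False  # limit_req ... nodelay
    excess: float = 0.0    # outstanding excess requests for this client
    last_ms: float = -1.0  # arrival time of the last accepted request

    def request(self, now_ms: float) -> tuple[str, float]:
        """Return ("ok"|"delayed"|"rejected", delay_ms) for one request."""
        if self.last_ms < 0:               # first request from this client
            self.last_ms = now_ms
            return "ok", 0.0
        leaked = self.rate * (now_ms - self.last_ms) / 1000.0
        excess = max(0.0, self.excess - leaked + 1.0)
        if excess > self.burst:            # bucket full: nginx answers 503
            return "rejected", 0.0         # no state change on rejection
        self.excess, self.last_ms = excess, now_ms
        if self.nodelay or excess == 0.0:
            return "ok", 0.0
        return "delayed", excess * 1000.0 / self.rate   # ms until served


def simulate(rate, burst, nodelay, arrivals_ms):
    """Run arrivals (ms timestamps) through one limiter; return counts and worst delay."""
    lim = LimitReq(rate=rate, burst=burst, nodelay=nodelay)
    counts = {"ok": 0, "delayed": 0, "rejected": 0}
    worst = 0.0
    for t in arrivals_ms:
        verdict, delay = lim.request(t)
        counts[verdict] += 1
        worst = max(worst, delay)
    return counts, worst


if __name__ == "__main__":
    page_load = [0.0] * 97                      # constructed: 97 AJAX calls at once
    print(simulate(200, 20, False, page_load))  # 1 ok, 20 delayed, 76 rejected
    print(simulate(200, 100, True, page_load))  # all 97 served immediately
    flood = [i * 2.5 for i in range(400)]       # constructed: 400 r/s for one second
    print(simulate(200, 100, True, flood))      # 300 pass: burst absorbs 100, then 200/s
```

The third run shows why burst should be sized for the largest legitimate page load rather than as a fraction of the rate: it is a one-off allowance that refills only at the configured rate.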