Nginx rate limiting configuration — protecting APIs from abuse
Problem
API endpoints need to be rate limited at the nginx level to prevent abuse, brute-force attacks, and traffic spikes from overwhelming the backend.
Solution
Use nginx rate limiting: limit_req_zone limits the request rate and limit_conn_zone limits concurrent connections. The configuration supports bursting and different limits per endpoint.
Code Snippets
Rate limiting with burst, auth-specific limits, and connection limits
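# In http block: define rate limit zones
http {
    # 10 requests/second per IP
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    # 2 requests/second for auth endpoints
    limit_req_zone $binary_remote_addr zone=auth:10m rate=2r/s;
    # Zone for tracking concurrent connections per IP (the limit itself is set by limit_conn)
    limit_conn_zone $binary_remote_addr zone=conn:10m;

    # Return 429 Too Many Requests for rate limited requests (the default is 503)
    limit_req_status 429;
    limit_conn_status 429;

    server {
        # General API: 10r/s with burst of 20, max 20 concurrent connections per IP
        # "backend" must be defined as an upstream block or be a resolvable host name
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            limit_conn conn 20;
            proxy_pass http://backend;
        }

        # Auth endpoints: stricter limits
        # Requests under /api/auth/ match only this location, so the limits
        # set in /api/ (including limit_conn) do not apply here
        location /api/auth/ {
            limit_req zone=auth burst=5 nodelay;
            proxy_pass http://backend;
        }

        # Static assets: no rate limit
        location /static/ {
            expires 30d;
            add_header Cache-Control "public, immutable";
        }
    }
}

# burst=20 allows up to 20 requests above the rate to be accepted; anything beyond that is rejected
# nodelay processes the burst immediately instead of queuing it to match the rate
# 10m = 10MB shared memory (~160,000 IP addresses at 64 bytes of state each;
#   limit_req state takes 128 bytes on 64-bit platforms, which halves that)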
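An added example, not part of the original snippet: a simplified Python model of the leaky-bucket accounting that limit_req applies per key, showing which requests get 429 under the two zones configured above. The function names and the traffic patterns are constructed for illustration and are not nginx identifiers.

```python
# Added example: simplified model of limit_req accounting for a single client key.
# simulate_limit_req / admitted are hypothetical names, not part of nginx.

def simulate_limit_req(rate_rps, burst, arrivals_ms):
    """Return one HTTP status (200 or 429) per arrival time, for one client IP.

    Models `limit_req zone=... burst=N nodelay`: excess is tracked in
    thousandths of a request, drains at rate_rps, and a request is rejected
    when admitting it would push excess above the burst allowance.
    """
    rate = rate_rps * 1000       # milli-requests per second
    limit = burst * 1000         # burst allowance in milli-requests
    excess = None                # None = no stored state for this key yet
    last = 0                     # time (ms) of the last admitted request
    statuses = []
    for now in arrivals_ms:
        if excess is None:       # first request from a key is always admitted
            excess, last = 0, now
            statuses.append(200)
            continue
        elapsed = max(now - last, 0)
        candidate = max(excess - rate * elapsed // 1000 + 1000, 0)
        if candidate > limit:
            statuses.append(429)  # rejected: stored state is left unchanged
            continue
        excess, last = candidate, now
        statuses.append(200)
    return statuses


def admitted(statuses):
    """Count the requests that were passed to the backend."""
    return statuses.count(200)


# Constructed traffic, not captured data.
# 1) /api/ zone (10r/s, burst=20): 25 requests in the same millisecond.
api_spike = simulate_limit_req(10, 20, [0] * 25)
# 2) /api/auth/ zone (2r/s, burst=5): a steady 10 requests/second for 10 seconds.
auth_loop = simulate_limit_req(2, 5, list(range(0, 10_000, 100)))

if __name__ == "__main__":
    print("api spike:", admitted(api_spike), "of", len(api_spike), "admitted")
    print("auth loop:", admitted(auth_loop), "of", len(auth_loop), "admitted")
```

In the auth case the burst allowance is used up within the first second, after which the client is held to the configured 2r/s no matter how fast it sends.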