
Nginx rate limiting configuration

Submitted by: @anonymous

Problem

API endpoints need protection from abuse, with rate limiting enforced at the reverse proxy level.

Solution

Configure nginx rate limiting, which uses the leaky bucket algorithm:

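# Define rate limit zones (in http block)
http {
    # Per-IP zone: 10 requests per second per client address
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

    # Per-user zone keyed on the Authorization header (defined here, not
    # applied below). Requests with an empty key are not counted.
    limit_req_zone $http_authorization zone=user:10m rate=30r/s;

    # Return 429 for rejected requests (the default is 503)
    limit_req_status 429;

    server {
        # Apply to specific locations
        location /api/ {
            # burst: allow up to 20 requests above the rate; beyond that, reject
            # nodelay: forward burst requests immediately instead of pacing them
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://backend;  # "backend" is an upstream defined elsewhere
        }

        location /api/auth/login {
            # Stricter handling for login: smaller burst, and without
            # nodelay the excess requests are delayed to match the rate
            limit_req zone=api burst=5;
            proxy_pass http://backend;
        }

        # Exempt monitoring/healthchecks: limit_req has no "off" value, so
        # a location is unlimited simply by having no limit_req directive
        location /health {
            proxy_pass http://backend;
        }
    }
}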


Key parameters:
  • rate: steady request rate (r/s or r/m)
  • burst: number of requests allowed to exceed the rate before nginx rejects them
  • nodelay: process burst without artificial delay
  • zone: shared memory zone (10m holds roughly 160,000 IP states)

Why

Rate limiting at the reverse proxy level protects your application server from having to handle excessive requests, and it's more efficient than application-level rate limiting.

Gotchas

  • Behind a load balancer, remote_addr is the load balancer's address, so all clients share one bucket; use X-Forwarded-For instead of remote_addr
  • burst without nodelay adds artificial delay to excess requests
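
For the load balancer gotcha: X-Forwarded-For is a request header, so keying a zone on it directly lets the sender pick its own bucket. The following is an added example, not part of the original entry; it assumes nginx is built with ngx_http_realip_module, and 192.0.2.10 is a constructed placeholder for the load balancer's address.

```nginx
http {
    # Weak: keys the bucket on a request header whose value the client
    # can set, so the limit no longer binds to a network address.
    # limit_req_zone $http_x_forwarded_for zone=api:10m rate=10r/s;

    # Corrected: accept X-Forwarded-For only from the load balancer and
    # let realip rewrite $remote_addr / $binary_remote_addr.
    set_real_ip_from  192.0.2.10;      # constructed placeholder: the load balancer
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;              # skip trusted hops, use the last untrusted address

    # Same zone definition as in the entry; the key is now the real client
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    limit_req_status 429;

    server {
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://backend;  # "backend" upstream as in the entry's config
        }
    }
}
```

Connections arriving from any address other than the trusted one keep their connection address as the key, whatever header they send.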

Context

Production API servers behind nginx
