HiveBrain v1.2.0

Nginx Rate Limiting and Request Throttling

Submitted by: @anonymous

Tags: nginx, rate limiting, throttling, burst, limit_req, 429, brute force

Problem

API endpoints are exposed to abuse, credential brute forcing and traffic spikes. Requests need to be throttled per client at the edge, without changing application code.

Solution

Nginx rate limiting configuration (limit_req is a leaky bucket: each zone tracks, per key, how far a client is above the configured rate):

# Define rate limit zones (http block only: limit_req_zone and
# limit_conn_zone are not valid inside server or location)
http {
    # 10 requests/second per IP. The zone is shared memory; 10m holds
    # roughly 160,000 64-byte states. When it is full the oldest states
    # are evicted, and if no room can be made the request is rejected.
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

    # Stricter for login endpoints
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    # Per-API-key rate limiting, falling back to the client IP when no key
    # is sent. The key is client-supplied: any caller can send a made-up
    # X-API-Key and be accounted under this zone's 100r/s instead of the
    # per-IP 10r/s, so apply zone=api_key (limit_req zone=api_key ...) only
    # in locations where the backend, or an auth_request subrequest, rejects
    # unknown keys before any work is done.
    map $http_x_api_key $api_key {
        default $binary_remote_addr;
        ~.+     $http_x_api_key;
    }
    limit_req_zone $api_key zone=api_key:10m rate=100r/s;

    # Connection limiting (concurrent connections), keyed per IP
    limit_conn_zone $binary_remote_addr zone=conn:10m;

    # Reject with 429 Too Many Requests instead of the default 503
    limit_req_status 429;
    limit_conn_status 429;

    server {
        # API with burst allowance
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            # burst=20: up to 20 requests above the rate are accepted;
            #   past that, excess requests get a 429 until the bucket drains
            # nodelay: excess requests are forwarded immediately rather than
            #   queued; the burst slots still refill only at 10r/s
            proxy_pass http://backend;
        }

        # Strict login rate limiting. limit_req is not inherited once a
        # location sets its own, so this block is governed by zone=login
        # only; add "limit_req zone=api burst=20 nodelay;" here too if the
        # general limit should apply as well.
        location /api/login {
            limit_req zone=login burst=5;
            # No nodelay: excess requests are queued and released at 1r/s,
            # so a burst of login attempts reaches the backend at that pace;
            # the 6th excess request is rejected
            proxy_pass http://backend;
        }

        location /downloads/ {
            limit_conn conn 5;  # Max 5 concurrent connections per IP
            limit_rate 1m;      # 1 MB/s per connection, so up to 5 MB/s per IP
        }
    }
}
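To see what burst, nodelay and the absence of nodelay actually do to a flood before touching a live server, the following model reproduces the limit_req module's accounting. It is an added example, not code from this entry or from nginx: it mirrors the module's integer arithmetic (excess is kept in milli-requests, the unit nginx uses internally) and reports the same PASSED / DELAYED / REJECTED outcomes that $limit_req_status shows. The zones match the config above; the client addresses and arrival times are constructed.

```python
"""Model of nginx limit_req accounting (leaky bucket with burst).

Added example, not from the HiveBrain entry or from nginx itself. It
reproduces the module's arithmetic in integer milli-requests so the
burst/nodelay behaviour of a zone can be checked offline. Client
addresses and arrival times below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate: int                  # requests per second, as in rate=10r/s
    burst: int = 0             # burst=N
    nodelay: bool = False      # nodelay: forward excess requests immediately
    delay: int = 0             # delay=N: excess up to N is not delayed (ignored with nodelay)
    # per-key state: [excess in milli-requests, time of last accepted request in ms]
    _state: dict = field(default_factory=dict)

    def check(self, key: str, now_ms: int):
        """Account one request. Returns (status, delay_ms); status mirrors
        nginx's $limit_req_status: PASSED, DELAYED or REJECTED."""
        entry = self._state.get(key)
        if entry is None:
            # the first request for a key is accepted with zero excess
            self._state[key] = [0, now_ms]
            return "PASSED", 0
        excess, last = entry
        elapsed = max(0, now_ms - last)
        # the bucket drains at `rate` requests per second; this request adds one
        excess = max(0, excess - self.rate * elapsed) + 1000
        if excess > self.burst * 1000:
            # rejected requests leave the stored state untouched
            return "REJECTED", 0
        entry[0], entry[1] = excess, now_ms
        threshold = self.burst if self.nodelay else self.delay
        if excess <= threshold * 1000:
            return "PASSED", 0
        # queued so that it reaches the backend at the configured rate
        return "DELAYED", (excess - threshold * 1000) // self.rate


def simulate(zone: LimitReqZone, key: str, arrivals_ms):
    """Run one client's arrival times through a zone; returns {status: count}."""
    counts = {"PASSED": 0, "DELAYED": 0, "REJECTED": 0}
    for t in arrivals_ms:
        status, _ = zone.check(key, t)
        counts[status] += 1
    return counts


# zone=api: rate=10r/s burst=20 nodelay, hit with 30 requests in the same millisecond
api = LimitReqZone(rate=10, burst=20, nodelay=True)
API_FLOOD = simulate(api, "203.0.113.7", [0] * 30)

# zone=login: rate=1r/s burst=5 (no nodelay), 100 login attempts 20 ms apart
login = LimitReqZone(rate=1, burst=5)
LOGIN_BRUTE = simulate(login, "203.0.113.7", range(0, 2000, 20))

# a different client in the same zone is accounted under its own key
OTHER_CLIENT = simulate(login, "198.51.100.3", [1990])

if __name__ == "__main__":
    print("api flood  :", API_FLOOD)     # 21 passed, 9 rejected
    print("login brute:", LOGIN_BRUTE)   # 1 passed, 6 delayed, 93 rejected
    print("other user :", OTHER_CLIENT)  # unaffected by the attacker's key
```

The login run is the point of the strict zone: of 100 attempts at 50r/s, only seven are accepted in two seconds, and six of those are held in the queue so the backend sees them at 1r/s. With nodelay the same seven would hit the backend at once, which is fine for an API but not for password checks.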


Headers to send back:

Open-source nginx has no variable for the remaining quota, so an X-RateLimit-Remaining header cannot be populated from limit_req; the only variable the module exposes is $limit_req_status (PASSED, DELAYED or REJECTED, nginx 1.17.6+), which is useful in log_format. Retry-After belongs on the 429 response only, and add_header needs "always" before it is applied to error responses:

# in the server block
error_page 429 @ratelimited;
location @ratelimited {
    add_header Retry-After 1 always;        # seconds until one slot refills in the strictest zone
    add_header X-RateLimit-Limit 10 always;
    return 429;
}

Why

Rate limiting at the reverse proxy layer protects all backend services uniformly, with one policy in one place. It is cheaper than application-level rate limiting because excess requests are rejected in nginx before they consume a backend worker, a database connection or a password-hash computation; the accounting itself is a lookup in a shared-memory zone, not a round trip to a datastore. Because state is kept per key, a single noisy client is rejected on its own key while other clients are unaffected.

Gotchas

  • $binary_remote_addr is 4 bytes for IPv4 and 16 bytes for IPv6, versus 7 to 45 bytes of text in $remote_addr, so it keeps zone entries small; keying on a long value such as an API key uses more of the zone per client.
  • Behind a load balancer every connection arrives from the balancer's address, so all clients share one key. Do not switch the key to $http_x_forwarded_for: the header is client-controlled, so an attacker can send a fresh value on every request and never hit the limit, and can pad the zone with junk keys. Use the realip module instead and keep keying on $binary_remote_addr (the address range is an example; list only the balancer's):
        set_real_ip_from 10.0.0.0/8;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;     # off by default; skips trusted hops from the right
    $binary_remote_addr then holds the first untrusted address in the chain, and a spoofed entry prepended by the client is ignored.
  • limit_req directives are not inherited by a location that defines its own, and requests whose key is empty (for example a map that yields "") are not accounted at all.
  • Roll a new limit out with limit_req_dry_run on; (nginx 1.17.1+): requests are accounted and $limit_req_status is set, but nothing is rejected or delayed, so the access log shows what the limit would have done.
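The difference between keying on the raw X-Forwarded-For header and letting the realip module resolve the client behind trusted proxies is easiest to see on a few captured chains. The block below is an added example, not code from this entry or from nginx: client_ip approximates what set_real_ip_from / real_ip_header X-Forwarded-For / real_ip_recursive do (with a simplification on malformed entries, noted in the code), and naive_key is what a limit_req_zone keyed on $http_x_forwarded_for would use. The proxy range 10.0.0.0/8 and all addresses are constructed for the demonstration.

```python
"""Resolving the rate-limit key behind a load balancer.

Added example, not from the HiveBrain entry or from nginx. client_ip
approximates the realip module's handling of X-Forwarded-For with a
trusted proxy list; naive_key is what keying on $http_x_forwarded_for
amounts to. Proxy ranges and addresses are constructed.
"""
import ipaddress

# assumed set_real_ip_from range: the load balancers' addresses only
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: str, recursive: bool = True) -> str:
    """Address the realip module would leave in $remote_addr / $binary_remote_addr.

    Only a connection from a trusted proxy may override the peer address.
    With real_ip_recursive on, trusted hops are skipped from the right and
    the first untrusted address is the client; with it off, the rightmost
    entry is used regardless.
    """
    if not is_trusted(remote_addr) or not xff:
        return remote_addr            # header from an untrusted peer is ignored
    client = remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                     # simplified: stop at a malformed entry, keep what was resolved
        client = hop
        if not recursive or not is_trusted(hop):
            break
    return client


def naive_key(remote_addr: str, xff: str) -> str:
    """What limit_req_zone $http_x_forwarded_for keys on: the raw header value."""
    return xff if xff else remote_addr


# Constructed chains: 203.0.113.7 is the real client, 10.0.0.5 / 10.0.0.9 are balancers,
# 198.51.100.99 is a value the attacker writes into the header.
SCENARIOS = {
    "direct_spoof": ("203.0.113.7", "198.51.100.99"),                # no balancer in the path
    "via_lb":       ("10.0.0.5", "203.0.113.7"),                     # balancer appended the peer
    "via_lb_spoof": ("10.0.0.5", "198.51.100.99, 203.0.113.7"),      # attacker prepended a value
    "two_hops":     ("10.0.0.5", "203.0.113.7, 10.0.0.9"),           # inner balancer must be skipped
}


def resolve_all(recursive: bool = True) -> dict:
    """Rate-limit key the realip approach yields for every scenario."""
    return {name: client_ip(r, x, recursive) for name, (r, x) in SCENARIOS.items()}


def naive_all() -> dict:
    """Rate-limit key the raw-header approach yields for every scenario."""
    return {name: naive_key(r, x) for name, (r, x) in SCENARIOS.items()}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:13s} realip={resolve_all()[name]:14s} raw header={naive_all()[name]}")
```

With the realip approach every chain resolves to 203.0.113.7, so the attacker is throttled on one key whatever they put in the header. With the raw header as key, the direct and prepended-spoof cases are accounted under 198.51.100.99, a value the attacker can change per request; and without real_ip_recursive the two-hop chain collapses every client onto the inner balancer's address.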

Context

Protecting APIs from abuse and traffic spikes
