Nginx Rate Limiting and Request Throttling
Tags: nginx, rate limiting, throttling, burst, limit_req, 429, brute force
Problem
API endpoints are vulnerable to abuse, brute force attacks, and traffic spikes. Need to throttle requests per client without application-level changes.
Solution
Nginx rate limiting configuration:

# Define rate limit zones (in http block)
http {
    # 10 requests/second per IP; a 10MB zone tracks roughly 160k IPv4 addresses
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

    # Stricter for login endpoints
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

    # Per API key rate limiting: fall back to the client IP when no key is sent
    map $http_x_api_key $api_key {
        default $binary_remote_addr;
        ~.+     $http_x_api_key;
    }
    limit_req_zone $api_key zone=api_key:10m rate=100r/s;

    # Connection limiting zone (limit_conn_zone is only valid in the http block,
    # not inside server; nginx -t fails otherwise)
    limit_conn_zone $binary_remote_addr zone=conn:10m;

    # Custom error response (the default is 503)
    limit_req_status 429;

    server {
        # API with burst allowance
        location /api/ {
            limit_req zone=api burst=20 nodelay;
            # burst=20: up to 20 requests above the steady rate are accepted;
            #           further excess requests are rejected with 429
            # nodelay: accepted burst requests are served immediately instead of
            #          being queued at the zone rate
            proxy_pass http://backend;
        }

        # Strict login rate limiting
        location /api/login {
            limit_req zone=login burst=5;
            # No nodelay = excess requests are queued and served at 1r/s;
            # more than 5 queued requests are rejected
            proxy_pass http://backend;
        }

        # Concurrent-connection and bandwidth limiting
        location /downloads/ {
            limit_conn conn 5;   # Max 5 concurrent connections per IP
            limit_rate 1m;       # 1MB/s per connection
        }
    }
}

Headers to send back. Without the `always` flag, add_header only applies to 2xx/3xx responses, so the 429 produced by limit_req would carry neither header. Stock nginx does not expose a remaining-request counter (the limit_req module only provides $limit_req_status), so a X-RateLimit-Remaining header cannot be filled from an nginx variable and is omitted here:
    add_header X-RateLimit-Limit 10 always;
    add_header Retry-After 60 always;
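What rate=, burst= and nodelay actually do to a stream of requests is easier to see in a model than in the directives. The Python below is an added illustration, not nginx code or part of this entry: it mirrors the limit_req leaky-bucket decision (pass, delay or reject) for the zone=api and zone=login settings above; the zone class, the IP 203.0.113.7 and the arrival times are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """One limit_req zone: rate= in req/s, burst=, and whether nodelay is set."""
    rate: float
    burst: int = 0
    nodelay: bool = False
    # per-key state: (accumulated excess in requests, arrival time of last accounted request)
    _state: dict = field(default_factory=dict)

    def request(self, key, now):
        """Decide one request: ("pass", 0.0), ("delay", seconds) or ("reject", 0.0)."""
        if key not in self._state:
            # first request from this key: nginx creates the node with excess 0
            self._state[key] = (0.0, now)
            return ("pass", 0.0)
        excess, last = self._state[key]
        # bucket drains at `rate` req/s since the last request, then this one adds 1
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            # over burst: rejected with limit_req_status (429 above); state is not updated
            return ("reject", 0.0)
        self._state[key] = (excess, now)
        if self.nodelay or excess == 0.0:
            return ("pass", 0.0)
        # without nodelay the request waits until the bucket has drained enough
        return ("delay", excess / self.rate)


def simulate(zone, key, times):
    """Feed requests from `key` at the given arrival times (seconds)."""
    return [zone.request(key, t) for t in times]


def tally(decisions):
    """Count pass / delay / reject verdicts."""
    counts = {"pass": 0, "delay": 0, "reject": 0}
    for verdict, _ in decisions:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # zone=api (10r/s, burst=20, nodelay): 30 simultaneous requests from one constructed IP
    print(tally(simulate(LimitReqZone(10, 20, True), "203.0.113.7", [0.0] * 30)))
    # zone=login (1r/s, burst=5, delayed): 7 simultaneous login attempts
    for verdict, delay in simulate(LimitReqZone(1, 5), "203.0.113.7", [0.0] * 7):
        print(verdict, delay)
```

Against zone=api, 21 of the 30 instant requests pass and 9 are rejected; against zone=login the first passes, the next five are delayed by 1 to 5 seconds, the seventh is rejected, and a request 10 seconds later passes again because the bucket has drained.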
Rate limiting at the reverse proxy layer protects all backend services uniformly. It's more efficient than application-level rate limiting because requests are rejected before reaching your app.
Gotchas
- $binary_remote_addr uses 4 bytes per IPv4 address (16 per IPv6), far more compact than the textual $remote_addr (7-15 bytes), so a zone of the same size tracks many more clients
- Behind a load balancer $binary_remote_addr is the balancer's address, so every client shares one bucket. Key on the client address the balancer forwards instead, e.g. $http_x_forwarded_for, but only if the balancer is trusted to set or overwrite that header: a client can forge it otherwise and escape the limit or pollute someone else's bucket. The realip module (set_real_ip_from for the balancer's addresses plus real_ip_header X-Forwarded-For) restores $binary_remote_addr from the trusted header and keeps the compact key
Context
Protecting APIs from abuse and traffic spikes