
Rate limiting

Syntax: zone definitions go in the `http {...}` context

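limit_req_zone $server_name zone=BY-SERVER:10m rate=60r/m;
    # key=$server_name: ONE shared bucket per virtual host, all clients together.
limit_req_zone $binary_remote_addr zone=BY-CLIENT:10m rate=60r/m;
    # key=$binary_remote_addr: one bucket per client IP. This is the usual choice
    # for abuse protection because one client cannot consume another's quota.
    # Use the binary form (4 bytes v4 / 16 bytes v6) rather than $remote_addr so
    # states stay small: 10m holds roughly 160k 64-byte states.
    # Behind a proxy/CDN every client shares the proxy's address - set up the
    # realip module (set_real_ip_from / real_ip_header) before keying on it.
limit_req_zone $request_uri zone=ZONE-1:10m rate=60r/m;
    # key=$request_uri: ONE shared bucket per URI across ALL clients, so a single
    # abusive client can exhaust that URI's quota for everyone else.
    # zone=NAME:SIZE and rate= are mandatory. burst= is NOT accepted on
    # limit_req_zone; it belongs on the limit_req directive (see below).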

Syntax: the limit is applied with `limit_req` in the `http {...}`, `server {...}` or `location {...}` context

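limit_req zone=ZONE-1 burst=5;
    # zone=ZONE-1: the zone declared with limit_req_zone in http {...}.
    # burst=5: up to 5 requests above the rate are queued instead of rejected.
    #   With rate=1r/s a burst of 7 concurrent requests behaves as:
    #   1 served immediately, 5 queued and released one per second,
    #   the 7th rejected. Queued requests see added latency (up to ~5s here).
limit_req zone=ZONE-1 burst=5 nodelay;
    # nodelay: the queued (burst) requests are served immediately instead of
    #   being spaced out; the burst slots still refill at the configured rate,
    #   so sustained throughput is unchanged and excess requests are rejected.
    # Rejected requests get 503 by default; add `limit_req_status 429;` so
    #   clients and monitoring can distinguish throttling from an outage.
    # Compare both variants with the `siege` command below.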

Verify the rule

Use `siege` to confirm the limit actually rejects requests: send one more concurrent request than rate + burst allows and look for the rejected status in the verbose output.

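# 7 concurrent requests, 1 round. With rate=60r/m (1r/s) and burst=5 the first
# 6 are accepted (1 in-rate + 5 burst) and the 7th is rejected (503 by default,
# 429 if limit_req_status is set). Without nodelay the 5 burst requests finish
# ~1s apart; with nodelay they all complete at once. -v prints one line per
# response so the status codes are visible. -c 6 alone would show no rejection.
siege -v -r 1 -c 7 https://example.com/thumb.png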

Sample config

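user www-data;
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    # The file shipped with nginx is mime.types (the original "mine.type" does
    # not exist and makes nginx fail to start).
    include mime.types;

    # Define the rate-limit zone (must live in the http context).
    # Keyed by client address: each client gets its own 60 req/min (1 req/s)
    # bucket, so one abusive client cannot exhaust the quota for everyone,
    # which a shared $request_uri key would allow. $binary_remote_addr keeps
    # states small, so 10m holds roughly 160k addresses; when the zone is full
    # the least recently used state is evicted.
    # NOTE: behind a reverse proxy/CDN all clients share the proxy's address -
    # configure the realip module (set_real_ip_from / real_ip_header) first.
    limit_req_zone $binary_remote_addr zone=MYZONE:10m rate=60r/m;

    # Redirect all plain-HTTP traffic to HTTPS.
    server {
        listen 80;
        server_name example.com;
        # Use the configured name rather than $host: $host is taken from the
        # client's Host header and would be reflected into the redirect target
        # (this block is the only port-80 server, so it catches any Host value).
        return 301 https://$server_name$request_uri;
    }

    server {
        server_name example.com;
        root /var/www/example.com;

        location / {
            # Apply the zone here: 1 req/s per client, up to 5 extra served
            # immediately (nodelay); anything beyond that is rejected.
            limit_req zone=MYZONE burst=5 nodelay;
            # 429 "Too Many Requests" instead of the default 503, so clients and
            # monitoring can tell throttling apart from an outage.
            limit_req_status 429;
            try_files $uri $uri/ =404;
        }

        listen 443 ssl http2;
        # Self-signed pair for testing only; use a CA-issued certificate in
        # production and keep the key readable by root alone (mode 0600).
        ssl_certificate /etc/nginx/ssl/self.crt;
        ssl_certificate_key /etc/nginx/ssl/self.key;

        # Only current protocol versions. TLS 1.0/1.1 are deprecated (RFC 8996)
        # and only support legacy ciphers; SSLv3 is excluded by omission.
        # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1 -
        # remove it from this line on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Let the server pick the strongest mutually supported TLS 1.2 suite.
        ssl_prefer_server_ciphers on;
        # Ephemeral (forward-secret) key exchange with AEAD ciphers only.
        # 3DES (DH+3DES in the original list) is dropped: 64-bit block size,
        # SWEET32. TLS 1.3 suites are not controlled by this directive.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

        # DH parameters for the DHE-* suites above (forward secrecy for clients
        # without ECDHE). Generate once with:
        #   openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # HSTS for one year (31536000 s; the original 31336000 was a typo).
        # "always" sends the header on error responses too. Add
        # "; includeSubDomains" only when every subdomain serves HTTPS, and
        # "; preload" only after reading hstspreload.org - both are hard to undo.
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Server-side session cache for resumption, shared across workers.
        ssl_session_cache shared:SSL:40m;
        ssl_session_timeout 4h;
        # Session tickets are encrypted with a key nginx generates at startup and
        # never rotates unless ssl_session_ticket_key is configured, so a
        # long-running process weakens forward secrecy for resumed sessions.
        # Keep them off unless you rotate the key; the cache above still
        # provides resumption.
        ssl_session_tickets off;
    }
}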