Table of contents
Rate limiting
Syntax in http {...}
limit_req_zone $server_name;
#Rate limit the server name
limit_req_zone $binary_remote_addr;
#Rate limit the remote address
limit_req_zone $request_uri zone=ZONE-1:10m rate=60r/m [burst=5];
Syntax in server {...}
limit_req zone=ZONE-1 burst=5;
#zone=zone-1: give zone a name.
#burst=5: burst allowance, this can also be inside http{...} config.
#1r/s + 5 burst = 6 connections,
#1 request per second + 5 burst allowance,
#gives 6 connections, applying burst, will increase the request time.
limit_req zone=ZONE-1 burst=5 nodelay;
#adding [nodelay], check the difference with `siege` command
Verify the rule
Use
siege
to check the rate limit
siege -v -r 1 -c 6 https://example.com/thumb.png
Sample config
user www-data;
worker_processes auto;
events {
worker_connections 1024;
}
http {
include mine.type;
#define limit zone
limit_req_zone $request_uri zone=MYZONE:10m rate=60r/m;
#rate_limit URI, 60 requests per minute (1 req per second);
#zone=MYZONE >> give zone name, this to be define on server block: Location {... }
# redirect all traffic to https
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}
server {
server_name example.com;
root /var/www/example.com;
location / {
# add rate limit here
limit_req zone=MYZONE burst=5 nodelay;
try_files $uri $uri/ =404;
}
listen 443 ssl http2;
ssl_certificate /etc/nginx/ssl/self.crt;
ssl_certificate_key /etc/nginx/ssl/self.key;
#define protocol to disable ssl
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#optimise cipher suits
ssl_prefer_server_ciphers on;
#suits combination
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
# enable DH parameters, allow server to have secrecy
ssl_dhparam /etc/nginx/ssl/dhparam.pem; # need to generate
# enable HSTS
add_header Strict-Transport-Security "max-age=31336000" always;
# Cache SSL sessions
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 4h;
ssl_session_tickets on;
}
}