Mastering Nginx Rate Limiting: From Basics to Advanced Configurations
This article explains how Nginx rate limiting works, covering the leaky‑bucket algorithm, basic and advanced configurations such as burst and nodelay parameters, whitelist handling, multiple limits, logging, custom status codes, and how to deny all requests for a location.
Nginx Rate Limiting Overview
Rate limiting in Nginx lets you restrict the number of HTTP requests a client can make within a given time window. It can be used for security (slowing down brute‑force attacks, mitigating DDoS) or to protect upstream services from overload.
How Nginx Implements Rate Limiting
Nginx uses the leaky‑bucket algorithm. Requests arrive like water poured into a bucket; the bucket leaks at a constant rate. If the incoming rate exceeds the leak rate, excess requests are dropped.
Basic Configuration
The two main directives are limit_req_zone and limit_req. Example:
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
server {
    location /login/ {
        limit_req zone=mylimit;
        proxy_pass http://my_upstream;
    }
}
limit_req_zone defines the shared memory zone, key, and rate. limit_req activates the limit in a specific context.
Key – the variable used to identify a client (e.g., $binary_remote_addr).
Zone – shared memory area that stores state for each key.
Rate – maximum request rate (e.g., 10 requests per second, tracked in 100 ms granularity).
If the zone runs out of space, Nginx removes old entries and may return 503.
Handling Bursts
To allow short spikes, add the burst parameter:
location /login/ {
    limit_req zone=mylimit burst=20;
    proxy_pass http://my_upstream;
}
When 21 requests arrive within 100 ms, the first is processed immediately and the remaining 20 are queued. Each 100 ms the queue releases one request; excess requests beyond the burst size receive 503.
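The scenario above can be replayed with a small model of the leaky‑bucket accounting. This is an added example, not code from the original article or from Nginx: the class and function names are hypothetical, the arrival times are constructed, and the nodelay flag it accepts is the parameter covered in the next section.

```python
class LimitReqKey:
    """Simplified per-key accounting behind limit_req (a model, not Nginx source)."""

    def __init__(self, rate, burst=0, nodelay=False):
        self.rate = rate        # requests per second, e.g. 10 for rate=10r/s
        self.burst = burst      # burst= parameter (queue slots)
        self.nodelay = nodelay  # nodelay parameter
        self.excess = 0         # bucket level, in 1/1000 of a request
        self.last_ms = None     # arrival time of the last accepted request

    def handle(self, now_ms):
        """Return the time (ms) the request is forwarded, or None if rejected."""
        if self.last_ms is None:            # first request seen for this key
            self.last_ms = now_ms
            return now_ms
        # The bucket drains `rate` requests per second; this request adds one.
        leaked = self.rate * (now_ms - self.last_ms)
        excess = max(0, self.excess - leaked + 1000)
        if excess > self.burst * 1000:      # no free slot: rejected (503 by default)
            return None
        self.excess, self.last_ms = excess, now_ms
        if self.nodelay:                    # slot is consumed, request is not held
            return now_ms
        return now_ms + excess // self.rate  # held until its turn at the set rate


def simulate(arrivals_ms, rate, burst=0, nodelay=False):
    """Replay arrival times (ms) from one client; return (arrival, forwarded_at) pairs."""
    key = LimitReqKey(rate, burst, nodelay)
    return [(t, key.handle(t)) for t in arrivals_ms]


if __name__ == "__main__":
    # Constructed sample: 22 requests from one client in the same instant,
    # then two more 100 ms later.
    arrivals = [0] * 22 + [100, 100]
    for label, opts in [("rate=10r/s", {}),
                        ("burst=20", {"burst": 20}),
                        ("burst=20 nodelay", {"burst": 20, "nodelay": True})]:
        result = simulate(arrivals, rate=10, **opts)
        passed = [fwd for _, fwd in result if fwd is not None]
        print(f"{label:18} passed={len(passed):2} rejected={len(result) - len(passed):2} "
              f"last forwarded at {max(passed)} ms")
```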
Zero‑Delay Queuing
With nodelay, Nginx forwards a queued request immediately as long as a slot is available, instead of holding it for the regular rate interval.
location /login/ {
    limit_req zone=mylimit burst=20 nodelay;
    proxy_pass http://my_upstream;
}
Advanced Example – Whitelist
Combine geo and map to exempt certain IP ranges from rate limiting:
geo $limit {
    default 1;
    10.0.0.0/8 0;
    192.168.0.0/24 0;
}
map $limit $limit_key {
    0 "";
    1 $binary_remote_addr;
}
limit_req_zone $limit_key zone=req_zone:10m rate=5r/s;
server {
    location / {
        limit_req zone=req_zone burst=10 nodelay;
    }
}
Clients in the whitelist receive an empty key, so no limit is applied; all others are limited to 5 r/s.
Multiple Limits in One Location
When several limit_req directives match, the strictest limit wins. Example with separate zones for normal and whitelisted traffic.
Logging and Status Codes
By default Nginx logs limited requests at the error level. Use limit_req_log_level to change it, and limit_req_status to customize the response code (e.g., 444).
location /login/ {
    limit_req zone=mylimit burst=20 nodelay;
    limit_req_log_level warn;
    limit_req_status 444;
    proxy_pass http://my_upstream;
}
Deny All Requests
To block a URL completely, use deny all inside the location block.
location /foo.php {
    deny all;
}
Summary
The article covered Nginx and Nginx Plus rate‑limiting features, including basic and advanced configurations, burst and nodelay handling, whitelist/blacklist setups, logging, custom status codes, and how to deny all requests for a location.
