DEV Community

Abhishek Anuj

API rate limiting with NGINX in a nutshell

In this article I will be talking about how we can rate limit our API with NGINX, whether the requests are GET or POST, to mitigate DoS and DDoS attacks. In simple words, we can limit the number of HTTP requests a client can make in a certain period of time.
To get started, add this line to the http block of your configuration:
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

Here we have used the limit_req_zone directive provided by ngx_http_limit_req_module. We will also be using the limit_req directive to apply the limit in a specific context (a location or server block).
Key: $binary_remote_addr holds the client's IP address in binary form, so each client IP is counted separately.
Zone: defines a shared memory zone (here named mylimit) in which NGINX keeps the counters for each key. Each zone has its own memory allocation; in our case it is 10 megabytes.
Rate: each zone is given a rate, and every request that hits the same zone is counted against that rate.
In this example we have set the rate to 10 requests per second. NGINX treats 600r/m the same as 10r/s. At this rate NGINX allows one request every 0.1 seconds.

Our job is not finished yet. We have only defined a zone with some shared memory and a rate. To actually limit requests, we have to apply the limit in a location or server block.

location /login/ {
    limit_req zone=mylimit;
    proxy_pass http://my_upstream;
}

Here we are limiting the location /login/ using the zone “mylimit” that we defined earlier. This limits requests to 10r/s; anything above that rate is rejected.
But we can tweak this behaviour with two optional parameters of the limit_req directive: burst and delay.

limit_req zone=mylimit burst=20 nodelay;
Burst defines how many requests exceeding the base rate you are willing to accept. In simple words, let's say you define 10r/s but 35 requests are made. The first 10 requests are processed as usual, while the extra 20 requests are kept in a queue to be processed later. Hence 10+20 requests are processed and the remaining 5 requests are rejected. The queued requests take some time to be processed, because they are released at the configured rate. To remove that extra waiting time we add nodelay, which tells NGINX to forward the queued requests immediately, like regular requests, without any delay.

Here’s an illustration of rate limiting with rate = 5r/s, burst = 12 and delay = 8.
With the delay parameter, the first 8 excess requests are proxied immediately, the next 4 are kept in the queue and released at the configured rate, and the 3 extra requests beyond the burst are rejected.
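To see how NGINX arrives at these numbers, here is an added Python model of the limit_req decision, written for this article and not part of NGINX or the original post. It follows the module's leaky-bucket arithmetic: the per-client excess counter is kept in thousandths of a request, drains at the configured rate and grows by one request per arrival. It assumes, as the module does, that a client key's first-ever request starts an empty bucket, so sending 16 requests at once reproduces the picture above for the 15 that follow (8 proxied, 4 delayed, 3 rejected).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LimitReq:
    """Per-client state of the leaky bucket used by limit_req.

    excess is kept in thousandths of a request, like NGINX's counter:
    it drains at `rate` requests per second and grows by 1000 per arrival.
    """
    rate: float            # limit_req_zone rate=, in requests per second
    burst: int = 0         # limit_req burst=
    delay: int = 0         # limit_req delay=
    nodelay: bool = False  # limit_req nodelay (the delay threshold becomes infinite)
    excess: int = 0
    last_ms: Optional[int] = None   # None: this client key has not been seen yet

    def request(self, now_ms: int) -> Tuple[str, int]:
        """Decide one request arriving at now_ms (from one client key).

        Returns ("proxy", 0), ("delay", wait_ms) or ("reject", 0); a rejected
        request gets a 503 from NGINX unless limit_req_status changes it.
        """
        if self.last_ms is None:        # a new key starts with an empty bucket
            self.last_ms = now_ms
            return ("proxy", 0)
        elapsed = now_ms - self.last_ms
        # drain the bucket for the elapsed time, then add this request
        excess = max(self.excess - int(self.rate * elapsed) + 1000, 0)
        if excess > self.burst * 1000:
            return ("reject", 0)        # over the burst: rejected, state unchanged
        self.excess, self.last_ms = excess, now_ms
        delay_limit = float("inf") if self.nodelay else self.delay * 1000
        if excess > delay_limit:
            # queued until the bucket drains back to the delay threshold
            return ("delay", int((excess - delay_limit) / self.rate))
        return ("proxy", 0)


def simulate(limiter: LimitReq, arrivals_ms: List[int]) -> Dict[str, int]:
    """Count proxied, delayed and rejected decisions for one client's arrival times (ms)."""
    counts = {"proxy": 0, "delay": 0, "reject": 0}
    for t in arrivals_ms:
        counts[limiter.request(t)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: the article's picture (rate=5r/s, burst=12, delay=8)
    # with 16 requests from one IP at the same instant. The first opens the
    # bucket; the remaining 15 split into 8 proxied, 4 delayed, 3 rejected.
    print(simulate(LimitReq(rate=5, burst=12, delay=8), [0] * 16))
    print(simulate(LimitReq(rate=5, burst=12, nodelay=True), [0] * 16))
```

Replace delay=8 with nodelay=True and the 4 delayed requests become immediate while the 3 rejections stay, which is exactly the trade-off the nodelay parameter makes.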