Mastering Nginx Rate Limiting: Essential Techniques and Best Practices |

Mastering Nginx Rate Limiting: Essential Techniques and Best Practices

Posted on Apr 13, 2023

Rate limiting is a technique to control the rate at which clients can make requests to a server, protecting it from excessive traffic, abuse, or denial-of-service attacks. In Nginx, there are two main types of rate limiting:

  1. Connection Limiting (limit_conn): This restricts the number of simultaneous connections allowed from a single IP address. You can use the limit_conn module in Nginx to configure connection limiting.

  2. Request Rate Limiting (limit_req): This restricts the rate at which requests are processed, typically measured in requests per second (RPS). You can use the limit_req module in Nginx to configure request rate limiting.

Here’s how to configure these types of rate limiting in Nginx:

Connection Limiting:

  1. First, define a shared memory zone to store the connection information. Add the following line in the http block of your Nginx configuration file:
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

This will create a shared memory zone called conn_limit with a size of 10 megabytes, using the client’s IP address as the key.

  1. Now, apply the connection limiting to a specific location, server, or the entire server block. For example, you can limit the number of simultaneous connections to 10 for a specific location:
location /example-path/ {
    limit_conn conn_limit 10;
    # other configuration settings
}

Request Rate Limiting:

  1. First, define a shared memory zone to store the rate limiting information. Add the following line in the http block of your Nginx configuration file:
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;

This will create a shared memory zone called req_limit with a size of 10 megabytes, using the client’s IP address as the key, and limiting the request rate to 10 requests per second.

  1. Now, apply the request rate limiting to a specific location, server, or the entire server block. For example, you can limit the request rate for a specific location:
location /example-path/ {
    limit_req zone=req_limit burst=20 nodelay;
    # other configuration settings
}

This configuration allows a burst of 20 requests and applies the limit immediately without delay.

Adjust the connection limits, rate limits, zone sizes, and other parameters as needed for your specific use case. Don’t forget to reload or restart Nginx for the changes to take effect.

There are advanced methods available for rate limiting and traffic control in Nginx. Some of them are:

Token bucket algorithm:

This algorithm can be used with the limit_req directive for more advanced rate limiting. It allows you to control the rate of requests over time by specifying a burst limit and the nodelay option. The burst limit allows short bursts of traffic, while the nodelay option enforces the rate limit immediately, without allowing any bursts.

Limiting by geographic location:

Nginx allows you to limit requests based on the client’s geographic location using the GeoIP module. By combining this information with rate limiting directives, you can create more targeted rate limiting rules.

Example:

Using the geolite2 https://dev.maxmind.com/geoip/geoip2/geolite2/

To use the GeoLite2 database with Nginx, you need to use the ngx_http_geoip2_module. Here’s how to set it up:

  1. Install the required packages:

For Ubuntu/Debian:

sudo apt-get install libnginx-mod-http-geoip2 libmaxminddb-dev mmdb-bin

For CentOS/RHEL: First, enable the EPEL repository:

sudo yum install epel-release

Then, install the required packages:

sudo yum install nginx-mod-http-geoip2 libmaxminddb-devel maxminddb-tools
  1. Download the GeoLite2 Country database:

Visit the GeoLite2 download page (https://dev.maxmind.com/geoip/geoip2/geolite2/) and download the GeoLite2 Country database in the “Binary/mmdb” format. Extract the downloaded archive, and you will find the GeoLite2-Country.mmdb file.

  1. Move the GeoLite2-Country.mmdb file to an appropriate directory, such as /etc/nginx/geoip/.

  2. Update your Nginx configuration to use the GeoLite2 database. Add the following lines in the http block of your Nginx configuration file:

# Load GeoIP2 module (Only required for CentOS/RHEL)
# load_module modules/ngx_http_geoip2_module.so;

http {
    # Configure the GeoIP2 module
    geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb {
        auto_reload 60m;
        $geoip2_data_country_code source=$remote_addr country iso_code;
    }

    # Map country code to rate limit
    map $geoip2_data_country_code $rate_limit {
        default       5r/s;
        US            10r/s;
        GB            8r/s;
    }

    # Create rate limiting zone using the rate_limit variable
    limit_req_zone $binary_remote_addr zone=geo_limit:10m rate=$rate_limit;

    # Server block
    server {
        listen 80;
        server_name example.com;

        # Rate limiting by country code in a specific location
        location /example-path/ {
            limit_req zone=geo_limit burst=20 nodelay;
            # other configuration settings
        }

        # Other locations and configurations
    }
}

This configuration sets different rate limits for clients from the United States, Great Britain, and other countries.

Limiting by user agent: You can also limit requests based on user agent strings, helping you block or limit requests from specific bots or crawlers.

Example:

map $http_user_agent $rate_limit {
    default         5r/s;
    ~*(Googlebot)   10r/s;
}

limit_req_zone $binary_remote_addr zone=ua_limit:10m rate=$rate_limit;

This configuration sets a higher rate limit for Googlebot user agents and a lower limit for others.

To apply this rate limiting configuration to a specific location, server, or the entire server block, use the limit_req directive, like this:

server {
    listen 80;
    server_name example.com;

    # Rate limiting by user agent in a specific location
    location /example-path/ {
        limit_req zone=ua_limit burst=20 nodelay;
        # other configuration settings
    }

    # Other locations and configurations
}

Limiting by request type: You can apply rate limiting only to specific types of requests, such as POST requests, to protect specific resources or endpoints.

Example:

map $request_method $limit_post {
    default 0;
    POST    1;
}

limit_req_zone $binary_remote_addr zone=post_limit:10m rate=5r/s;

location /api/ {
    if ($limit_post) {
        limit_req zone=post_limit;
    }
    # other configuration settings
}

This configuration applies rate limiting only to POST requests in the “/api/” location.

Bandwidth limiting:

You can control the rate at which data is sent to clients using the limit_rate directive. This can help you manage bandwidth consumption and ensure fair distribution of resources among clients.

Example:

location /downloads/ {
    limit_rate 200k;
    # other configuration settings
}

This configuration limits the download rate to 200 kilobytes per second for files in the “/downloads/” location.

These advanced methods can be combined and fine-tuned to achieve a robust rate limiting strategy tailored to your specific needs. Remember to reload or restart Nginx for the changes to take effect.

Other Rate limiting methods

  1. Nginx Plus: Nginx Plus, the commercial version of Nginx, offers additional features such as rate limiting based on the number of requests over a specified time window (e.g., requests per minute) and the ability to share rate limiting state across a cluster of Nginx instances.

  2. Lua module: You can use the ngx_http_lua_module to create custom rate-limiting algorithms using Lua scripts. This module allows you to embed Lua code directly into your Nginx configuration and offers flexibility in designing your rate-limiting strategy. However, it requires knowledge of Lua programming and familiarity with the module’s API.

  3. External tools and services: You can integrate Nginx with external tools and services such as Redis, which can act as a distributed rate-limiting store. This approach can help you implement more advanced rate-limiting algorithms and provide a more scalable solution for large-scale deployments.

  4. Third-party modules: There are several third-party modules available that can help you extend Nginx’s rate-limiting capabilities. Some of these modules may offer different algorithms or additional features. However, using third-party modules might require additional configuration and maintenance, as they may not be officially supported by Nginx.

  5. Custom modules: If you have specific requirements that cannot be met using existing modules or third-party solutions, you can develop your custom Nginx module to implement the desired rate-limiting algorithm. This approach requires a deep understanding of Nginx internals and C programming, as Nginx modules are typically written in C.

When implementing advanced rate-limiting algorithms, it’s crucial to consider the potential impact on performance, as complex algorithms may introduce additional latency and consume more resources. It’s also essential to thoroughly test your rate-limiting strategy to ensure it effectively mitigates the risks associated with high traffic volume, abuse, or denial-of-service attacks.

Don’t forget to reload or restart Nginx for the changes to take effect.