One of the most useful, but often misunderstood and misconfigured, features of NGINX is rate limiting. It allows you to limit the number of HTTP requests a user can make in a given period of time. A request can be as simple as a GET request for the homepage of a website or a POST request on a log‑in form.

Rate limiting can be used for security purposes, for example to slow down brute‑force password‑guessing attacks. It can help protect against DDoS attacks by limiting the incoming request rate to a value typical for real users, and (with logging) identify the targeted URLs. More generally, it is used to protect upstream application servers from being overwhelmed by too many user requests at the same time.

In this blog we will cover the basics of rate limiting with NGINX as well as more advanced configurations. Rate limiting works the same way in NGINX Plus.

To learn more about rate limiting with NGINX, watch our on-demand webinar.

NGINX Plus R16 and later support “global rate limiting”: the NGINX Plus instances in a cluster apply a consistent rate limit to incoming requests regardless of which instance in the cluster the request arrives at. (State sharing in a cluster is available for other NGINX Plus features as well.) For details, see our blog and the NGINX Plus Admin Guide.

NGINX rate limiting uses the leaky bucket algorithm, which is widely used in telecommunications and packet‑switched computer networks to deal with burstiness when bandwidth is limited. The analogy is with a bucket where water is poured in at the top and leaks from the bottom; if the rate at which water is poured in exceeds the rate at which it leaks, the bucket overflows. In terms of request processing, the water represents requests from clients, and the bucket represents a queue where requests wait to be processed according to a first‑in‑first‑out (FIFO) scheduling algorithm. The leaking water represents requests exiting the buffer for processing by the server, and the overflow represents requests that are discarded and never serviced.

Rate limiting is configured with two main directives, limit_req_zone and limit_req, as in this example:

    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

    server {
        location /login/ {
            limit_req zone=mylimit;
        }
    }

The limit_req_zone directive defines the parameters for rate limiting, while limit_req enables rate limiting within the context where it appears (in the example, for all requests to /login/).

The limit_req_zone directive is typically defined in the http block, making it available for use in multiple contexts. It takes three parameters:

Key – Defines the request characteristic against which the limit is applied. In the example it is the NGINX variable $binary_remote_addr, which holds a binary representation of a client’s IP address. This means we are limiting each unique IP address to the request rate defined by the third parameter. (We’re using this variable because it takes up less space than the string representation of a client IP address, $remote_addr.)

Zone – Defines the shared memory zone used to store the state of each IP address and how often it has accessed a request‑limited URL. Keeping the information in shared memory means it can be shared among the NGINX worker processes. The definition has two parts: the zone name identified by the zone= keyword, and the size following the colon. State information for about 16,000 IP addresses takes 1 megabyte, so our zone can store about 160,000 addresses.

If storage is exhausted when NGINX needs to add a new entry, it removes the oldest entry. If the space freed is still not enough to accommodate the new record, NGINX returns status code 503 (Service Temporarily Unavailable). Additionally, to prevent memory from being exhausted, every time NGINX creates a new entry it removes up to two entries that have not been used in the previous 60 seconds.

Rate – Sets the maximum request rate. In the example, the rate cannot exceed 10 requests per second. NGINX actually tracks requests at millisecond granularity, so this limit corresponds to 1 request every 100 milliseconds (ms). Because we are not allowing for bursts (see the next section), this means that a request is rejected if it arrives less than 100 ms after the previous permitted one.

The limit_req_zone directive sets the parameters for rate limiting and the shared memory zone, but it does not actually limit the request rate. For that you need to apply the limit to a specific location or server block by including a limit_req directive there. In the example, we are rate limiting requests to /login/.
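To make the 100 ms rule concrete, here is a small Python model of the per‑key decision, added as an example and not NGINX’s own code. It follows the accounting used by the limit_req module (excess tracked in thousandths of a request, last‑seen time updated only on permitted requests) and takes an optional burst parameter, which goes one step beyond this section; the client address and arrival times are constructed.

```python
"""Model of NGINX's limit_req decision (constructed example, not NGINX code).

excess is kept in thousandths of a request, as the module does, so
rate=10r/s becomes 10000 and each request "costs" 1000.  burst defaults
to 0, matching the page's example (no burst allowed).
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate_rps: int                       # e.g. 10 for rate=10r/s
    burst: int = 0                      # limit_req burst=..., 0 on this page
    state: dict = field(default_factory=dict)   # key -> (last_ms, excess)

    def check(self, key: str, now_ms: int) -> int:
        """Return the status NGINX would produce for this request: 200 or 503."""
        rate = self.rate_rps * 1000     # requests per second, scaled by 1000
        if key not in self.state:       # first sight of this key: always passes
            self.state[key] = (now_ms, 0)
            return 200
        last_ms, excess = self.state[key]
        elapsed = max(now_ms - last_ms, 0)   # ms since last *permitted* request
        # leak what drained since then, then add the cost of this request
        excess = max(excess - rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst * 1000:
            return 503                  # rejected; last/excess stay unchanged
        self.state[key] = (now_ms if elapsed else last_ms, excess)
        return 200


def simulate(arrivals_ms, rate_rps=10, burst=0, key="203.0.113.7"):
    """Run one client's arrival times (ms) through a fresh zone."""
    zone = LimitReqZone(rate_rps, burst)
    return [zone.check(key, t) for t in arrivals_ms]


if __name__ == "__main__":
    # constructed arrivals at 0, 50, 100, 150 and 300 ms with rate=10r/s
    print(simulate([0, 50, 100, 150, 300]))   # [200, 503, 200, 503, 200]
```

Requests 50 ms after a permitted one are rejected, while one exactly 100 ms later passes; with burst=1 the same arrivals yield [200, 200, 200, 503, 200].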