Limit rate of connection in Nginx web server?
Network traffic management is an important point to consider when configuring a web server. It consists of many techniques that allow us to differentiate between organic users, search engine bots, attackers, accelerators, etc.
Limiting the number of HTTP requests (e.g. GET, POST, HEAD, etc.) a client can make in a specific amount of time is an approach known as rate limiting; rate limits are measured in requests per second (RPS). Limiting the number of requests made to your web apps or API services also has a security advantage: it guards against erroneous, fast queries or Denial of Service (DoS) attacks.
The default configuration file for Nginx is /etc/nginx/nginx.conf. You can add domains to this configuration, but it will become harder to manage. So, it is recommended to add another configuration file (in the /etc/nginx/sites-available directory) and add a new domain to it.
Open the settings file in a text editor.
$ sudo vi /etc/nginx/sites-available/example-domain.com.conf
How to limit the rate of connection in Nginx?
We have three directives that can be used to limit the rate of connection based on the request zone, status and connection.
1. Use the limit_req_zone directive to set the rate-limiting parameters. The necessary inputs are a client identification key, a shared memory zone to store the key's current state and the number of times it has accessed a request-restricted URL, and a rate. The limit_req_zone directive should be used within the HTTP context.
limit_req_zone $binary_remote_addr zone=limitreqsbyaddr:5m rate=2r/s;
2. Use the limit_req_status directive, which is valid in the HTTP, server, and location contexts, to set a response status code that is returned in response to denied requests.
limit_req_status 429;
3. Now you may enable request rate-limiting in the HTTP, server, and location contexts with the limit_req directive. It requires a memory zone as well as additional optional parameters.
limit_req zone=limitreqsbyaddr;
Limiting the rate of request to an API for a web application is demonstrated in the configuration example that follows. The request rate is limited to 2 requests per second, and the shared memory size is 5 MB.
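upstream api_service {
    server 127.0.0.1:8801;
}

# Zone keyed on the client address: 5 MB of shared memory, 2 requests per second.
limit_req_zone $binary_remote_addr zone=limitreqsbyaddr:5m rate=2r/s;
# Status code returned for requests rejected by the limit.
limit_req_status 429;

server {
    listen 80;
    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;

    location / {
        # Only the last try_files argument may be a =code fallback.
        try_files $uri $uri/ /index.php =404;
    }

    location /api {
        # Apply the rate limit to API requests only.
        limit_req zone=limitreqsbyaddr;
        # Must match the name of the upstream block defined above.
        proxy_pass http://api_service;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}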
Finally, you can save and exit the configuration file.
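The following is an added example, not part of the original article and not Nginx source code: a simplified Python model of the leaky-bucket accounting behind limit_req, replaying constructed traffic against the rate=2r/s setting used above. It assumes Nginx tracks the limit at millisecond granularity, so 2r/s admits one request per 500 ms per client; the burst parameter is a real limit_req option that the configuration above does not set, and the class name, function name and sample addresses are hypothetical.

```python
# Added example: simplified model of limit_req accounting (not nginx source code).
RATE_RPS = 2          # rate=2r/s from the limit_req_zone line in the article
STATUS_DENIED = 429   # limit_req_status 429 from the article
STATUS_OK = 200       # assumed upstream response for an admitted request


class LimitReqZone:
    """Per-key leaky bucket, tracked in thousandths of a request."""

    def __init__(self, rate_rps=RATE_RPS, burst=0):
        self.rate = rate_rps * 1000      # milli-requests drained per second
        self.burst = burst * 1000        # tolerated excess, in milli-requests
        self.state = {}                  # key -> (excess, last_ms)

    def request(self, key, now_ms):
        """Return the status a request from `key` at `now_ms` would receive."""
        if key not in self.state:
            self.state[key] = (0, now_ms)     # first request is always admitted
            return STATUS_OK
        excess, last_ms = self.state[key]
        elapsed = max(now_ms - last_ms, 0)
        # Drain for the elapsed time, then add this request (1000 milli-requests).
        excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return STATUS_DENIED              # denied requests leave state unchanged
        self.state[key] = (excess, now_ms)
        return STATUS_OK


def replay(arrivals, burst=0):
    """Replay (client, time_ms) arrivals in order; return the list of statuses.

    With burst > 0 the model reports only the final status, not the delay
    that queued requests would experience.
    """
    zone = LimitReqZone(burst=burst)
    return [zone.request(client, t) for client, t in arrivals]


# Constructed sample traffic: one client sends 4 requests within 300 ms and a
# fifth at 800 ms; a second client sends a single request in between.
SAMPLE = [("203.0.113.5", 0), ("203.0.113.5", 100), ("203.0.113.5", 200),
          ("198.51.100.7", 250), ("203.0.113.5", 300), ("203.0.113.5", 800)]

if __name__ == "__main__":
    for (client, t), status in zip(SAMPLE, replay(SAMPLE)):
        print(f"{t:>4} ms  {client:<13} -> {status}")
```

With no burst, a page that fires several API calls at once sees every call after the first rejected with 429, which is worth knowing before applying the limit to interactive clients.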
Verify our configuration, then launch Nginx.
It is a recommended practice to test new configurations before loading them to the production server because a single syntax mistake will prevent the Nginx service from running, which will prevent users from accessing your website. You can use the following command to do so.
$ sudo nginx -t -c /etc/nginx/nginx.conf
Finally, start, restart, or reload the server to load the changes:
$ sudo systemctl restart nginx
or
$ sudo service nginx restart