Nginx reverse proxy with rate limiting
upstream myapp {
    server 127.0.0.1:8081;
}

# one bucket per client IP, 10 MB of shared memory, steady rate of 1 request/s
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

server {
    listen 443 ssl spdy;
    server_name _;

    ssl on;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH;
    ssl_session_cache builtin:1000 shared:SSL:5m;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://myapp;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }

    location /account/login/ {
        # apply rate limiting: up to 5 requests above the rate are queued, the rest get 503
        limit_req zone=login burst=5;
        # boilerplate copied from location /
        proxy_pass http://myapp;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
@bitcity

commented Jul 29, 2015

Is it possible to move all proxy_set_header to the server block to avoid copy-pasting? Something like:

server {
    listen 443 ssl spdy;
    server_name _;

    ssl on;
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH;
    ssl_session_cache  builtin:1000  shared:SSL:5m;
    ssl_prefer_server_ciphers on;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    location / {
        proxy_pass http://myapp;
    }

    location /account/login/ {
        # apply rate limiting
        limit_req zone=login burst=5;

        # boilerplate copied from location /
        proxy_pass http://myapp;
    }
}
@ebsaral

commented Jun 29, 2016

On a website with high traffic, the configuration must be something like:

limit_req_zone $binary_remote_addr zone=myzone:10m rate=10r/s; or limit_req_zone $binary_remote_addr zone=myzone:50m rate=100r/s; as I understood.

@Laxman-SM

commented Jul 1, 2016

@ebsaral, correct. For 10000 TPS this needs to be a higher value. Also this depends on server configuration and core availability.

@VarunBatraIT

commented Jul 9, 2016

limit_req_zone depends on the remote IP? I am guessing that if only one IP is involved then just 2r/s is fine.

@rajuginne

commented Sep 14, 2017

Yes, it helps to prevent a DoS attack from a single IP, no matter how much traffic you are getting from different IPs/users.
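
The `rate=1r/s` / `burst=5` pair in the gist and the per-IP questions in the comments above, as an added example that is not part of the gist: a small Python model of the leaky bucket nginx's limit_req module keeps per `$binary_remote_addr`, with the arithmetic in thousandths of a request the way nginx does it. The function names and the 203.0.113.x / 198.51.100.x addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class LimitReqZone:
    """Model of one limit_req_zone plus the limit_req burst/nodelay settings."""
    rate_rps: float                # the rate= value (1 for "rate=1r/s")
    burst: int                     # the burst= value on limit_req
    nodelay: bool = False          # True models "limit_req ... nodelay"
    # one bucket per key, as $binary_remote_addr gives one per client IP
    buckets: dict = field(default_factory=dict)

    def request(self, key, now_ms):
        """Return ("ok", delay_ms) or ("rejected", 0) for one request at now_ms."""
        rate = int(self.rate_rps * 1000)           # milli-requests per second
        excess, last = self.buckets.get(key, (0, None))
        if last is not None:
            # the bucket drains at `rate`; this request adds one request (1000)
            elapsed = max(now_ms - last, 0)
            excess = max(excess - rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst * 1000:
            return "rejected", 0                   # nginx answers 503 here
        self.buckets[key] = (excess, now_ms)       # rejected requests never update it
        delay = 0 if self.nodelay else excess * 1000 // rate
        return "ok", delay

def simulate_burst(n_requests, rate_rps=1, burst=5, nodelay=False):
    """Fire n_requests at t=0 from one constructed client IP.
    Returns (served_immediately, served_after_delay, rejected_with_503)."""
    zone = LimitReqZone(rate_rps, burst, nodelay)
    immediate = delayed = rejected = 0
    for _ in range(n_requests):
        verdict, delay = zone.request("203.0.113.10", 0)  # constructed address
        if verdict == "rejected":
            rejected += 1
        elif delay == 0:
            immediate += 1
        else:
            delayed += 1
    return immediate, delayed, rejected

def simulate_many_clients(n_clients, rate_rps=1, burst=5):
    """One request each from n_clients distinct IPs at t=0; returns how many pass."""
    zone = LimitReqZone(rate_rps, burst)
    return sum(zone.request(f"198.51.100.{i}", 0)[0] == "ok" for i in range(n_clients))

if __name__ == "__main__":
    print(simulate_burst(10))                # gist settings: 1 immediate, 5 delayed, 4 rejected
    print(simulate_burst(10, nodelay=True))  # nodelay: 6 served at once, 4 rejected
    print(simulate_many_clients(50))         # 50: a per-IP limit does not throttle distinct IPs
```

With the gist's settings a client that fires ten login requests at once gets one served immediately, five spaced out a second apart, and four 503s; raising `rate=` shortens the spacing without changing how many are rejected, which is the knob the high-traffic comments above are discussing.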
