Nginx reverse proxy with rate limiting
upstream myapp {
    server 127.0.0.1:8081;
}

# One shared-memory zone keyed by client IP. $binary_remote_addr is the
# compact form (4 bytes IPv4, 16 bytes IPv6); 10m holds on the order of
# 160k IPv4 states. rate=1r/s allows one request per second per IP.
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

server {
    # spdy was removed in nginx 1.9.5; http2 is its replacement.
    listen 443 ssl http2;
    server_name _;
    # "ssl on;" is deprecated since 1.15.0; the ssl parameter on listen is enough.
    ssl_certificate /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers AES256+EECDH:AES256+EDH;
    ssl_session_cache builtin:1000 shared:SSL:5m;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://myapp;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }

    # Prefix match: everything under /account/login/ is rate limited.
    location /account/login/ {
        # Apply rate limiting. Up to 5 requests over the rate are queued and
        # served at 1r/s; anything beyond that gets 503. Add "nodelay" to serve
        # the burst immediately instead of queueing it.
        limit_req zone=login burst=5;
        # proxy_set_header is inherited from the server block only when a
        # location declares none of its own, so the headers are repeated here.
        proxy_pass http://myapp;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
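To see what burst=5 actually does to a login brute-force attempt, here is a small Python model of the leaky-bucket accounting nginx's limit_req module performs per key (decay the stored excess at the configured rate, add one for the new request, reject if it exceeds burst, otherwise delay by excess/rate unless nodelay is set). This is an added example for this page, not nginx code or part of the gist; the LimitReq class, the client addresses and the request trace are constructed for the illustration, and the newer delay= parameter is not modelled.

```python
"""Model of the nginx limit_req leaky bucket (ngx_http_limit_req_module).

Added example, not part of the gist. Names and the sample request trace are
constructed for illustration only.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReq:
    rate: float            # requests per second, e.g. rate=1r/s -> 1.0
    burst: int = 0         # burst= parameter; 0 when omitted
    nodelay: bool = False  # nodelay: serve queued excess immediately
    # per-key state, like the shared zone: key -> (excess, last_timestamp)
    state: dict = field(default_factory=dict)

    def handle(self, key: str, now: float):
        """Return ("pass", delay_seconds) or ("reject", None) for one request."""
        if key not in self.state:
            # first request from this key: nothing to decay, no delay
            self.state[key] = (0.0, now)
            return "pass", 0.0
        excess, last = self.state[key]
        # excess drains at `rate` per second since the last request, then +1
        excess = excess - self.rate * (now - last) + 1.0
        if excess < 0.0:
            excess = 0.0
        if excess > self.burst:
            # over the burst: 503 in nginx, and the bucket is left untouched
            return "reject", None
        self.state[key] = (excess, now)
        delay = 0.0 if self.nodelay else excess / self.rate
        return "pass", delay


def simulate(limiter: LimitReq, trace):
    """Run a list of (timestamp, client_key) pairs through the limiter."""
    return [limiter.handle(key, ts) for ts, key in trace]


# Constructed trace: one client fires 10 login requests at t=0, a second
# client sends one request at the same time, and the first client comes back
# 7 seconds later (long enough for a burst of 5 to drain at 1r/s).
FLOOD = [(0.0, "10.0.0.1")] * 10 + [(0.0, "10.0.0.2"), (7.0, "10.0.0.1")]


def summarize(limiter: LimitReq, trace=FLOOD):
    """Count outcomes for one limit_req configuration over a trace."""
    results = simulate(limiter, trace)
    passed = [d for verdict, d in results if verdict == "pass"]
    return {
        "passed": len(passed),
        "rejected": sum(1 for verdict, _ in results if verdict == "reject"),
        "delayed": sum(1 for d in passed if d > 0),
        "max_delay": max(passed),
    }


if __name__ == "__main__":
    # limit_req zone=login;                 (burst defaults to 0)
    print("no burst       ", summarize(LimitReq(rate=1.0)))
    # limit_req zone=login burst=5;         (the setting in the gist)
    print("burst=5        ", summarize(LimitReq(rate=1.0, burst=5)))
    # limit_req zone=login burst=5 nodelay;
    print("burst=5 nodelay", summarize(LimitReq(rate=1.0, burst=5, nodelay=True)))
```

With burst=5 the flooding client gets its first request served at once, the next five queued at one-second spacing (the last one waits 5 s), and the remaining four rejected; the other client is unaffected because the zone is keyed per IP. Without burst every request after the first in the same second is rejected, and with nodelay the six admitted requests are served immediately while the rejections stay the same.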
On a website with high traffic, the configuration must be something like:
@esaral, correct, for 10000 TPS this needs to be a higher value. Also, this depends on server configuration and core availability.

limit_req_zone depends on the remote IP? I am guessing that if only one IP is involved then just 2r/s is fine.

Yes, it helps to prevent a DoS attack from a single IP, no matter how much traffic you are getting from different IPs/users.
Is it possible to move all proxy_set_header directives to the server block to avoid copy-pasting? Something like: