Nginx reverse proxy with rate limiting
| upstream myapp { | |
| server 127.0.0.1:8081; | |
| } | |
| limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s; | |
| server { | |
| listen 443 ssl spdy; | |
| server_name _; | |
| ssl on; | |
| ssl_certificate /etc/nginx/ssl/cert.pem; | |
| ssl_certificate_key /etc/nginx/ssl/cert.key; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers AES256+EECDH:AES256+EDH; | |
| ssl_session_cache builtin:1000 shared:SSL:5m; | |
| ssl_prefer_server_ciphers on; | |
| location / { | |
| proxy_pass http://myapp; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| } | |
| location /account/login/ { | |
| # apply rate limiting | |
| limit_req zone=login burst=5; | |
| # boilerplate copied from location / | |
| proxy_pass http://myapp; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| } | |
| } |
This comment has been minimized.
This comment has been minimized.
|
In a website with high traffic, the configurations must be something like:
|
This comment has been minimized.
This comment has been minimized.
|
@esaral, Correct 10000 TPS this need to be higher value. Also this depend on server configuration and core availability. |
This comment has been minimized.
This comment has been minimized.
|
limit_req_zone depends on remote ip? I am guessing if there is only one IP is involved then just 2r/s is fine. |
This comment has been minimized.
This comment has been minimized.
|
yes, it helps to prevent DOS attack from single IP. No matter how much traffic is you are getting from different IPs /users. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
Is is possible to move all
proxy_set_headerto server block to avoid copy-pasting ? Something like: