Master Nginx Rate Limiting: From Basics to Advanced Configurations
This article explains how Nginx implements rate limiting using the leaky‑bucket algorithm, walks through basic directives like limit_req_zone and limit_req, and demonstrates advanced features such as burst, nodelay, whitelisting, multiple limit rules, logging, custom status codes, and request denial.
Rate limiting is a practical Nginx feature that controls the number of HTTP requests a client can make within a given time window. It can protect upstream servers, mitigate brute‑force attacks, and help resist DDoS traffic.
Nginx Rate‑Limiting Mechanism
Nginx uses the leaky‑bucket algorithm. Incoming requests fill a bucket; the bucket leaks at a fixed rate. When the input rate exceeds the leak rate, excess requests are dropped.
Basic Configuration
The two main directives are limit_req_zone and limit_req:
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
server {
    location /login/ {
        limit_req zone=mylimit;
        proxy_pass http://my_upstream;
    }
}
limit_req_zone defines a shared memory zone that stores request counters per key (e.g., client IP). It requires three parameters:
Key – the variable used to identify a client (e.g., $binary_remote_addr).
Zone – the name and size of the shared memory area.
Rate – the maximum request rate (e.g., 10 requests per second, which Nginx enforces as one request every 100 ms).
The limit_req directive activates the limit in a specific context such as a location block.
Handling Bursts
To allow short bursts without immediate rejection, add the burst parameter:
location /login/ {
    limit_req zone=mylimit burst=20;
    proxy_pass http://my_upstream;
}
With burst=20, up to 20 excess requests are queued and processed at the configured rate; additional requests receive a 503 response.
Zero‑Delay Queuing
Appending nodelay forwards queued requests immediately while still counting them against the rate limit:
location /login/ {
    limit_req zone=mylimit burst=20 nodelay;
    proxy_pass http://my_upstream;
}
This spares the client the wait for queued requests to drain at the configured rate.
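A simplified model of the burst and nodelay behaviour described above, as an added example that is not part of the original article or Nginx's own code. The names simulate, summary and SPIKE and the sample arrival times are constructed for illustration; the model tracks a single key with millisecond timestamps.

```python
from dataclasses import dataclass

@dataclass
class Decision:
    t_ms: int          # arrival time of the request
    status: str        # "pass", "delay" or "reject"
    wait_ms: int = 0   # time held in the queue before forwarding

def simulate(arrivals_ms, rate_per_s, burst=0, nodelay=False):
    """Model the bucket for one key; arrivals_ms must be sorted ascending."""
    excess, last, out = 0.0, None, []
    for t in arrivals_ms:
        if last is None:
            level = 0.0                                  # first request seen for this key
        else:
            leaked = rate_per_s * (t - last) / 1000.0    # drained since last accepted request
            level = max(0.0, excess - leaked + 1.0)      # +1 for the request arriving now
        if level > burst:
            out.append(Decision(t, "reject"))            # answered with limit_req_status
            continue                                     # a rejection leaves the bucket unchanged
        excess, last = level, t
        if nodelay or level == 0:
            out.append(Decision(t, "pass"))
        else:
            out.append(Decision(t, "delay", round(level * 1000 / rate_per_s)))
    return out

def summary(decisions):
    """Count outcomes and report the longest queueing delay."""
    counts = {"pass": 0, "delay": 0, "reject": 0, "max_wait_ms": 0}
    for d in decisions:
        counts[d.status] += 1
        counts["max_wait_ms"] = max(counts["max_wait_ms"], d.wait_ms)
    return counts

SPIKE = [0] * 25   # constructed input: 25 requests from one client in the same millisecond

if __name__ == "__main__":
    print("no burst        ", summary(simulate(SPIKE, 10)))
    print("burst=20        ", summary(simulate(SPIKE, 10, burst=20)))
    print("burst=20 nodelay", summary(simulate(SPIKE, 10, burst=20, nodelay=True)))
    # nodelay forwards at once, but the burst slots still drain at 10 r/s
    late = simulate([0] * 21 + [50, 100], 10, burst=20, nodelay=True)
    print([d.status for d in late[-2:]])
```

In the last case the request at 50 ms is rejected and the one at 100 ms passes, because only one burst slot has been freed by then.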
Whitelist Example
Combine geo and map to exempt certain IP ranges from rate limiting:
geo $limit {
    default 1;
    10.0.0.0/8 0;
    # IPv4 prefix length must be 32 or less
    192.168.0.0/24 0;
}
map $limit $limit_key {
    0 "";
    1 $binary_remote_addr;
}
limit_req_zone $limit_key zone=req_zone:10m rate=5r/s;
server {
    location / {
        limit_req zone=req_zone burst=10 nodelay;
    }
}
Clients in the whitelist receive an empty key, so the limit is not applied; all others are limited to 5 requests per second.
Multiple limit_req Directives
Multiple limit_req directives can be placed in the same location. The most restrictive limit wins:
http {
    limit_req_zone $limit_key zone=req_zone:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=req_zone_wl:10m rate=15r/s;
    server {
        location / {
            limit_req zone=req_zone burst=10 nodelay;
            limit_req zone=req_zone_wl burst=20 nodelay;
        }
    }
}
Whitelisted IPs have an empty key in req_zone, so only req_zone_wl applies and they are limited to 15 r/s, while others are limited to 5 r/s.
Logging and Status Codes
By default, Nginx logs rejected requests at the error level. Use limit_req_log_level to change the level:
location /login/ {
    limit_req zone=mylimit burst=20 nodelay;
    limit_req_log_level warn;
    proxy_pass http://my_upstream;
}
The default response for a limited request is 503. It can be changed with limit_req_status:
location /login/ {
    limit_req zone=mylimit burst=20 nodelay;
    limit_req_status 444;
}
Deny All Requests for a Specific URL
To block all traffic to a particular path, use deny all inside the location block:
location /foo.php {
    deny all;
}
Summary
The article covered Nginx’s rate‑limiting capabilities, including basic and advanced directives, burst handling, zero‑delay queuing, IP whitelisting, multiple limits, logging customization, custom status codes, and outright request denial.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
