Master Nginx Rate Limiting: Prevent Abuse with limit_req & limit_conn

Learn how to protect your services from abusive traffic and brute‑force attacks by using Nginx's rate‑limiting features—limit_req to control request rates and limit_conn to restrict concurrent connections—complete with configuration examples, explanations of zones, burst handling, custom error pages, and log monitoring.

Lin is Dream

limit_req module: limit request rate

limit_req can limit request frequency per IP, e.g., one request per second.

Configuration example:

http {
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            # Use the defined zone to limit request rate
            limit_req zone=req_limit_per_ip burst=20 nodelay;
            root /usr/share/nginx/html;
            index index.html;
        }
    }
}

Explanation:

limit_req_zone defines a zone named req_limit_per_ip, keyed on the client IP in binary form ($binary_remote_addr), that uses 10 MB of shared memory for per-IP request state and limits the rate to 10 requests per second. limit_req is enabled in the location block and applies the zone, allowing a burst of up to 20 requests above the rate. With nodelay, requests within the burst are served immediately rather than queued, and anything beyond the burst is rejected at once.

limit_conn module: limit concurrent connections

limit_conn restricts the number of simultaneous connections per client IP.

Configuration example:

http {
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

    server {
        listen 80;
        server_name example.com;

        location / {
            # Limit each IP to a single concurrent connection
            limit_conn conn_limit_per_ip 1;
            root /usr/share/nginx/html;
            index index.html;
        }
    }
}

Explanation:

limit_conn_zone creates a zone conn_limit_per_ip with 10 MB storage for connection counters. limit_conn in the location block enforces a maximum of one concurrent connection per IP.

Combined use of limit_req and limit_conn

Both modules can be combined to control request rate and concurrent connections simultaneously.

Configuration example:

http {
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;

    server {
        listen 80;
        server_name example.com;

        location / {
            limit_req zone=req_limit_per_ip burst=10 nodelay;
            limit_conn conn_limit_per_ip 1;
            root /usr/share/nginx/html;
            index index.html;
        }
    }
}

Explanation:

Requests are limited to 5 per second with a burst of 10.

Each IP is allowed only one concurrent connection.

Other common options

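burst specifies how many requests above the configured rate a client may queue. nodelay serves those queued requests immediately instead of spacing them out to the rate; once the burst is exhausted, Nginx returns a 503 error immediately.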
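
How burst and nodelay interact for the first configuration (rate=10r/s, burst=20), as an added example that is not part of the original article or Nginx's own code: a simplified Python model of the per-key leaky-bucket accounting that limit_req performs. The LimitReq class, the replay and summarize helpers, and the arrival timestamps are constructed for illustration.

```python
# Added example: simplified model of limit_req's leaky-bucket accounting.
# Not nginx source; LimitReq, replay and summarize are hypothetical names.

class LimitReq:
    def __init__(self, rate, burst, nodelay):
        self.rate = rate * 1000      # milli-requests per second
        self.burst = burst * 1000    # milli-requests allowed above the rate
        self.nodelay = nodelay
        self.excess = 0              # current backlog above the steady rate
        self.last_ms = None          # time of the last accepted request

    def request(self, now_ms):
        """Return (status, delay_ms) for one request from a single client IP."""
        if self.last_ms is None:
            excess = 0               # first request seen for this key
        else:
            elapsed = max(0, now_ms - self.last_ms)
            drained = self.rate * elapsed // 1000
            excess = max(0, self.excess - drained + 1000)
        if excess > self.burst:
            return 503, 0            # beyond burst: rejected, state unchanged
        self.excess, self.last_ms = excess, now_ms
        # Without nodelay, accepted requests wait until the backlog drains.
        delay = 0 if self.nodelay else excess * 1000 // self.rate
        return 200, delay


def replay(limiter, arrivals_ms):
    """Feed arrival timestamps (ms) to the limiter; collect (status, delay)."""
    return [limiter.request(t) for t in arrivals_ms]


def summarize(results):
    delays = [d for s, d in results if s == 200]
    return {"accepted": len(delays), "rejected": len(results) - len(delays),
            "max_delay_ms": max(delays, default=0)}


# Constructed traffic: 30 requests in the same millisecond, then one more
# request a full second later (after 10 slots have drained at 10r/s).
ARRIVALS = [0] * 30 + [1000]

if __name__ == "__main__":
    for nodelay in (True, False):
        lim = LimitReq(rate=10, burst=20, nodelay=nodelay)
        mode = "nodelay" if nodelay else "delayed"
        print(mode, summarize(replay(lim, ARRIVALS)))
```

Both modes accept 22 and reject 9 of the 31 requests; the difference is that without nodelay the accepted burst requests are held back, by up to 2000 ms in this run.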

Response code for throttling

When the limit is exceeded, Nginx returns 503 Service Unavailable. A custom error page can be configured:

http {
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            limit_req zone=req_limit_per_ip burst=10 nodelay;
            error_page 503 /custom_503.html;
            root /usr/share/nginx/html;
            index index.html;
        }
    }
}

Viewing 503 errors in access logs

Use a command such as:

grep " 503 " /var/log/nginx/access.log