Understanding Nginx Rate Limiting: Leaky Bucket, Burst, and NoDelay Configurations

This article explains Nginx rate‑limiting configurations as a practical supplement to the official documentation, using the leaky‑bucket algorithm to control request traffic.

Basic Leaky Bucket

We begin with a simple configuration that limits requests per client IP:

limit_req_zone $binary_remote_addr zone=ip_limit:10m rate=10r/s;

server {
    location /login/ {
        limit_req zone=ip_limit;
        proxy_pass http://login_upstream;
    }
}

The $binary_remote_addr variable identifies the client IP, zone=ip_limit:10m creates a shared memory zone named ip_limit using 10 MB to store state, and rate=10r/s allows 10 requests per second. The location /login/ block applies the limit to login requests.

With this setup, if ten requests arrive simultaneously, only one is processed while the others are rejected because the bucket is empty and excess requests cannot be queued.

Burst

To allow a short burst of traffic, we add the burst parameter:

limit_req_zone $binary_remote_addr zone=ip_limit:10m rate=10r/s;

server {
    location /login/ {
        limit_req zone=ip_limit burst=12;
        proxy_pass http://login_upstream;
    }
}

Here burst=12 expands the bucket size to hold up to 12 pending requests, effectively turning the leaky bucket into a FIFO queue. Requests arriving together are queued and released at the steady rate of one every 100 ms, preventing immediate rejection but increasing latency.

NoDelay

To eliminate the queuing delay, we introduce the nodelay flag:

limit_req_zone $binary_remote_addr zone=ip_limit:10m rate=10r/s;

server {
    location /login/ {
        limit_req zone=ip_limit burst=12 nodelay;
        proxy_pass http://login_upstream;
    }
}

With nodelay , requests in the burst are executed immediately rather than being delayed, while any request beyond the burst limit is still rejected. The average rate remains 10 r/s, but traffic becomes less uniform; a sudden influx of up to 12 requests can all pass at once.

We can further control the number of concurrent executions by using the delay parameter:

limit_req_zone $binary_remote_addr zone=ip_limit:10m rate=10r/s;

server {
    location /login/ {
        limit_req zone=ip_limit burst=12 delay=4;
        proxy_pass http://login_upstream;
    }
}

Setting delay=4 means that starting from the fifth request in the bucket, requests are delayed, allowing finer tuning of concurrency and smoothing request execution for resource‑intensive services.

Overall, these configurations demonstrate how Nginx can limit request rates, provide burst capacity, and adjust delay behavior to balance rejection, latency, and resource usage.