Nginx: Can I setup a limit_req_zone with a key with IP + URI

httpnginxrate-limiting

I'm trying to setup Nginx limit_req module to limit the request rate that any IP can make to the same URL.

I would like to define the limit_req_zone with a key that is composed by a combination of the client's IP and the request URI. That is, instead of this:

limit_req_zone $binary_remote_addr zone=req_dev:10m rate=2r/s;

Something like this:

set $ip_url "$binary_remote_addr$request_uri"
limit_req_zone $ip_url zone=req_dev:10m rate=2r/s;

But that does not work because set cannot be called in the http context:

nginx: [emerg] "set" directive is not allowed here in /etc/nginx/nginx.conf:47

Is there any way to achieve this?

Just to be clear: I don't want to limit the rate on a specific URL. I want to avoid an IP from hitting the same URL more than twice a second.

Best Answer

You can set the key to whatever you want in limit_req_zone.

limit_req_zone "$binary_remote_addr$request_uri" zone=req_dev:10m rate=2r/s;

Note that this requires at least nginx 1.7.6.

Related Solutions

Nginx – How to insert a delay in response with nginx

You might want to restructure your application to better handle the situation. I would have two scripts: one is the web page the user hits. The second is a back end script that dose the job.

Script two can be a daemon, or you can use non-blocking forking if your environment supports it from script one. Script one should initiate the job in script two, then push data to the user using something like EventStream (or WebSockets, although thats a major overkill here) updating them of the status. You can send a 200 or some other indication when your done.

Nginx 301’ing limit_req rate limited requests instead of error page

By default, nginx will return a 503 service temporarily unavailable error code.

The limit_req_status directive exists to change the error code in case they hit the limit_req :

location = /search/bulk {
          limit_req zone=one burst=2;
          limit_req_status 404;
}

The problem is that this directive only allows a range from 400 to 599, so you cannot specify a 301 :

[emerg] 3130#0: value must be between 400 and 599 in /etc/nginx/nginx.conf:72

So, if your main issue is to display a custom error message instead of the default 503 one, you could proceed like this :

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    server {
       location = /search/bulk {
                limit_req zone=one burst=2;
                error_page  503  /503.html;
       }
       location  /503.html {
            internal;
       }
    }
}

Then your custom 503.html file :

<html><body>Would you like to use our API ?</body></html>

The rate argument is mandatory. You have to specify a rate for limit_req_zone

Best Answer

Related Solutions

Nginx – How to insert a delay in response with nginx

Nginx 301’ing limit_req rate limited requests instead of error page

Related Topic