Nginx limit_req_zone ignores rate value

nginxrate-limiting

I have a strange behavior my config looks something like this:

http {
    limit_req_zone $binary_remote_addr zone=nocachelimit:10m rate=120r/m;
}
...
location "/api" {
    {
        limit_req zone=nocachelimit burst=20;
    }
}

Regardless of what values i put into the rate, I even tried 1000r/s
I keep getting log entries for "normal" users that say:

 [warn] 16526#0: *4661 delaying request, excess: 1.000, by zone "nocachelimit"

The typical usecase is a Pageload that does not fall into the zone + 4-5 Ajax requests that will should be limited to the zone.

What could be the cause for this kind of behavior.

Best Answer

The rate determines how fast requests are processed. If you set the rate to 120r/m, that means 1 request will get processed every 0.5 seconds.

If you get 5 requests all at once, it doesn't mean that they'll all go through. They'll get queued up (up to your burst size), and get processed sequentially, 1 every 0.5 seconds.

You're getting that warning because things are going into the queue and getting delayed. It does not mean that they're getting rejected.

If you don't want things getting delayed, then use the nodelay parameter:

location "/api" {
  limit_req zone=nocachelimit burst=20 nodelay;
}

For more details on exactly how this works, see https://www.nginx.com/blog/rate-limiting-nginx/

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Nginx – How to rate-limit in nginx, but including/excluding certain IP addresses

It is really better to avoid using the "if" directive. When the key in limit_req_zone (and limit_conn_zone) is empty the limits are not applied. You can use this in conjunction with the map and geo modules to create a whitelist of IPs where the throttle limits are not applied.

This example shows how to configure a limit for both concurrent requests and request rate from a single IP.

http {
    geo $whitelist {
       default 0;
       # CIDR in the list below are not limited
       1.2.3.0/24 1;
       9.10.11.12/32 1;
       127.0.0.1/32 1;
    }

    map $whitelist $limit {
        0     $binary_remote_addr;
        1     "";
    }

    # The directives below limit concurrent connections from a 
    # non-whitelisted IP address to five

    limit_conn_zone      $limit    zone=connlimit:10m;

    limit_conn           connlimit 5;
    limit_conn_log_level warn;   # logging level when threshold exceeded
    limit_conn_status    503;    # the error code to return

    # The code below limits the number requests from a non-whitelisted IP
    # to one every two seconds with up to 3 requests per IP delayed 
    # until the average time between responses reaches the threshold. 
    # Further requests over and above this limit will result 
    # in an immediate 503 error.

    limit_req_zone       $limit   zone=one:10m  rate=30r/m;

    limit_req            zone=one burst=3;
    limit_req_log_level  warn;
    limit_req_status     503;

The zone directives must be placed at the http level, however the other directives can be placed further down, e.g. at the server or the location level to limit their scope or further tailor the limits.

For futher information refer to the Nginx documentation ngx_http_limit_req_module and ngx_http_limit_conn_module

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Nginx – How to rate-limit in nginx, but including/excluding certain IP addresses

Related Topic