Rate Limiting in NGINX

February 22, 2014

I had trouble with a bot, coming from multiple IP addresses, that was hammering my website. NGINX allows you to easily rate limit such access, returning a 503 if the rate is exceeded.

In my nginx config I added the two limit_req lines shown here:

# Shared 10 MB zone "one", keyed on client address, allowing 1 request per second
limit_req_zone  $binary_remote_addr  zone=one:10m   rate=1r/s;

server {
        listen   80;
        server_name  site.co.uk site.com;

        access_log  /home/drumcoder/log/site.access.log;

        gzip on;

        if ($host ~* www\.(.*)) {
                set $host_without_www $1;
                rewrite ^(.*)$ http://$host_without_www$1 permanent;
        }

        location / {
                proxy_pass http://localhost:9999;
                proxy_set_header X-REAL-IP $remote_addr;
                proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                # Apply zone "one" here, queueing up to 5 excess requests
                limit_req zone=one burst=5;
        }

        location /site_media {
                root /home/drumcoder/web/site/;
        }

        location /media {
                root /home/drumcoder/web/site/django/contrib/admin/;
        }
}

Note that we're rate limiting access only to the gunicorn process that runs Django; we don't rate limit the static files in /site_media or /media.
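
An added example, not part of the original post: a simplified Python model of how limit_req treats requests under the rate=1r/s and burst=5 settings above, showing which requests pass, which are delayed and which get a 503. Each client address has its own bucket; the sample traffic and IP addresses are constructed.

```python
# Added example: simplified model of nginx limit_req (not nginx source code).
from collections import Counter

RATE = 1.0    # rate=1r/s from limit_req_zone
BURST = 5     # burst=5 from limit_req (no "nodelay", so excess requests wait)


def simulate(requests, rate=RATE, burst=BURST):
    """requests: (time_seconds, client_ip) tuples sorted by time.

    Returns (time, ip, verdict, delay_seconds) tuples, where verdict is
    "pass", "delay" (queued, then proxied) or "503" (rejected).
    """
    zone = {}     # per-key state, like zone=one keyed on $binary_remote_addr
    results = []
    for t, ip in requests:
        if ip not in zone:
            zone[ip] = (0.0, t)              # first request: nothing queued
            results.append((t, ip, "pass", 0.0))
            continue
        excess, last = zone[ip]
        # Drain at `rate` for the elapsed time, then count this request.
        excess = max(excess - rate * (t - last) + 1.0, 0.0)
        if excess > burst:
            results.append((t, ip, "503", 0.0))   # over burst: state unchanged
            continue
        zone[ip] = (excess, t)
        verdict = "delay" if excess > 0 else "pass"
        results.append((t, ip, verdict, excess / rate))
    return results


def verdicts_by_ip(results):
    """Count verdicts per client address."""
    counts = {}
    for _, ip, verdict, _ in results:
        counts.setdefault(ip, Counter())[verdict] += 1
    return counts


# Constructed traffic: one client fires 10 requests at once, another
# requests a page every 2 seconds (documentation-range addresses).
SAMPLE = sorted([(0.0, "203.0.113.7")] * 10 +
                [(float(t), "198.51.100.9") for t in range(0, 10, 2)])

if __name__ == "__main__":
    for ip, counts in verdicts_by_ip(simulate(SAMPLE)).items():
        print(ip, dict(counts))
```

Of the ten simultaneous requests, the first passes, the next five are held back one second apart, and the remaining four are rejected; the client that requests every 2 seconds is never affected.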


Tags: nginx rate limit