Understanding HttpLimitReqModule

Maxim Dounin mdounin at mdounin.ru
Fri Feb 25 16:18:48 MSK 2011 

Hello!

On Fri, Feb 25, 2011 at 11:04:34AM +0100, Adrian von Stechow wrote:

> Hi all:
> 
> I'm trying to understand the HttpLimitReqModule, the wiki is a bit
> unverbose about the terminology.
> I'm trying to mimic Apache's mod_evasive module, specifically there is
> an annoying user that likes to request the same image once every
> second for hours at a time. I would like to log this and then use
> fail2ban to block the IP for a specific time. The problem is that the
> image in question is a legitimate request that shows up on every page
> of the site in question. What I had in mind:
> 
> limit_req_zone  $binary_remote_addr  zone=one:1m   rate=50r/m;
> #offending user: 60r/m
> 
>     server {
>         location = /path/to/image.jpg {
>             limit_req   zone=one  burst=???;
>             limit_req_log_level error
>         }
> 
> The problem is the low rate with which the offending requests are
> made. mod_evasive lets you set up a timespan in which a specific
> number of requests are made, while nginx checks "online" if a second
> request is made after 1/rate. In my case (1 offending request per
> second), legitimate users would be blocked if they load 2 pages in one
> second, which of course happens frequently.
> 
> Any suggestions?

Set burst= to be high enough to accomodate occasional request 
bursts from legitimate users, and rate= to be somewhere between 
typical one for legitimate users (on average during relatively 
long time period) and offending one.  

If you just want to block offending user which does 60 requests 
per minute, and your typical users do about 1 requests per 
minute, but occasinally may produce something like 100 requests in 
short time frame, you may set something like:

    limit_req_zone $binary_remote_addr zone=one:1m rate=10r/m;

    location ... {
        limit_req zone=one burst=100 nodelay;
    }

This will allow legitimate users to do 10r/m on average and up to 
100 requests in the very same second.  On the other hand, 
offending user with 60 r/m will start getting 503's after about 2 
minutes: 120 requests with 20 allowed by rate will overflow 
burst.

Please refer to http://en.wikipedia.org/wiki/Leaky_Bucket for 
algorithm details.

I also recommend using "nodelay" flag unless you really want to 
control rate at which requests are passed to backends or something 
like this.

Maxim Dounin

More information about the nginx mailing list