limit-req and greedy UAs

lists at lists at
Sun Sep 11 15:21:41 UTC 2016

‎This page has all the secret sauce, including how to limit the number of connections.

I set up the firewall with a higher number as a "just in case." Also note if you do streaming outside nginx, then you have to limit connections for that service in the program providing it. 

Mind you while I think this page has good advice, what is listed here won't stop a real ddos attack. The first D is for distributed, meaning the attack come from many IP addresses. You probably have to pay for one of those reverse proxy services to avoid a real ddos, but I personally find them them a bit creepy since I have seen hacking attempts come from behind them. 

The tips on this nginx page will limit the teenage boy in his parents basement, which is a more real life scenario to be attacked. But note that every photo you load is a request, so I wouldn't make the limit ‎any lower than 5 to10 per second. You can play with the limits and watch the results on your own system. Just remember to: 
service nginx reload
service nginx restart

If you do fancy caching, you may have to clear your browser cache.

In theory, Google page ranking takes speed into account.  There are many websites that will evaluate your nginx set up.

One thing to remember is nginx limits are in bytes per second, not bits per second. So the 512k limit in this example is really quite generous.

There are programs you can run on your server to flog nginx.

I did this with htperf, but sysbench is supposed to be better. Nginx is very efficient. Your limiting factor will probably be your server network connection. If you sftp files from your server, it will be at the maximum rate you can deliver, and this depends on time of day since you are sharing the pipe. I'm using a VPS that does 40mbps on a good day. Figure 10 users at a time and the 512kbyes per second put me at the limit. 

If you use the nginx map module, you can block download managers if they are honest with their user agents.

Beware of creating false positives with such rules. When developing code, I return a 444 then search the access.log for what it found, just to insure I wrote the rule correctly.

  Original Message  
From: Grant
Sent: Sunday, September 11, 2016 5:30 AM
To: nginx at
Reply To: nginx at
Subject: Re: limit-req and greedy UAs

> What looks to me to be a real resource hog that quite frankly you cant do much about are download managers. They open up multiple connections, but the rate limits apply to each individual connection. (this is why you want to limit the number of connections.)

Does this mean an attacker (for example) could get around rate limits
by opening a new connection for each request? How are the number of
connections limited?

- Grant

nginx mailing list
nginx at

More information about the nginx mailing list