limit-req and greedy UAs

lists at lists at
Mon Sep 12 22:30:01 UTC 2016

Most of the chatter on the interwebs believes that the rate limit is per connection, so if some IP opens up multiple connections, they get more bandwidth. 

It shouldn't be that hard to just test this by installing a manager and seeing what happens. I will give this a try tonight, but hopefully someone will beat me to it.

Relevant post follows:
On 17 February 2014 10:02, Bozhidara Marinchovska
<quintessence at> wrote:‎
> My question is what may be the reason when downloading the example file with
> download manager not to match limit_rate directive

"Download managers" open multiple connections and grab different byte
ranges of the same file across those connections. Nginx's limit_rate
function limits the data transfer rate of a single connection.‎

  Original Message  
From: Richard Stanway
Sent: Monday, September 12, 2016 2:39 PM
To: nginx at
Reply To: nginx at
Subject: Re: limit-req and greedy UAs

limit_req works with multiple connections, it is usually configured per IP using $binary_remote_addr. See - you can use variables to set the key to whatever you like.

limit_req generally helps protect eg your backend against request floods from a single IP and any amount of connections. limit_conn protects against excessive connections tying up resources on the webserver itself.

On Mon, Sep 12, 2016 at 10:23 PM, Grant <emailgrant at> wrote:
> ‎I have far more faith in this write up regarding tuning than the anti-ddos, though both have similarities.
> My interpretation is the user bandwidth is connections times rate. But you can't limit the connection to one because (again my interpretation) there can be multiple users behind one IP. Think of a university reading your website. Thus I am more comfortable limiting bandwidth than I am limiting the number of connections. ‎The 512k rate limit is fine. I wouldn't go any higher.

If I understand correctly, limit_req only works if the same connection
is used for each request.  My goal with limit_conn and limit_conn_zone
would be to prevent someone from circumventing limit_req by opening a
new connection for each request.  Given that, why would my
limit_conn/limit_conn_zone config be any different from my
limit_req/limit_req_zone config?

- Grant

> Should I basically duplicate my limit_req and limit_req_zone
> directives into limit_conn and limit_conn_zone? In what sort of
> situation would someone not do that?
> - Grant

nginx mailing list
nginx at

More information about the nginx mailing list