Nginx Rate limiting for HTTPS requests

Peter Booth peter_booth at
Sun May 20 18:47:03 UTC 2018

5. Do you use keepslive?

Sent from my iPhone

> On May 20, 2018, at 2:45 PM, Peter Booth <peter_booth at> wrote:
> Rate limiting is a useful but crude tool that should only be one if four or five different things you do to protect your backend:
> 1 browser caching 
> 2 cDN
> 3 rate limiting
> 4 nginx caching reverse proxy 
> What are your requests? Are they static content or proxied to a back end?
> Do users login?
> Is it valid for dynamic content built for one user to be returned to another?
> Sent from my iPhone
> On May 20, 2018, at 4:24 AM, rickGsp <nginx-forum at> wrote:
>>>> As I tried to explain in my previous message, "test runs for 60 
>>>> seconds" can have two different meanings: 1) the load is generated 
>>>> for 60 seconds and 2) from first request started to the last 
>>>> request finished it takes 60 seconds.
>>>> Make sure you are using the correct meaning. Also, it might 
>>>> be a good idea to look into nginx access logs to verify both time 
>>>> and numbers reported by your tool.
>> Yes Maxim, I had understood your point. My test actually ran for 60 to 65
>> seconds which means it took 5 additional seconds to process the requests.
>> Even access logs says the same. Also, on more powerful machine, I get
>> expected result for the same test i.e 500 req/sec load but start seeing
>> difference at relatively higher load.It seems to me that a results also
>> depends on the resources available on the machine running Nginx.
>> Surprisingly, CPU was not hitting the peak on both the machines.I am using
>> CentOS systems for this testings.
>> Actually in another test with plain HTTP requests, I observed the same issue
>> of more requests than expected getting processed. However, for HTTP case,
>> this behaviour appeared at 700 req/sec input load instead of 500 req/sec as
>> in HTTPS. In this test requests got processed within 60 secs.
>> With all the test results, I am being forced to think that Nginx rate
>> limiting may not be able to stop DDoS attack with very high input load but
>> is decent enough to handle sudden spikes and load which is slightly higher
>> than configured rate limit, and computing power available also plays some
>> role here. Do you think I am right?
>> Posted at Nginx Forum:,279802,279874#msg-279874
>> _______________________________________________
>> nginx mailing list
>> nginx at

More information about the nginx mailing list