Nginx Rate limiting for HTTPS requests

rickGsp nginx-forum at forum.nginx.org
Mon May 21 05:09:04 UTC 2018


> Rate limiting is a useful but crude tool that should only be one of four
> or five different things you do to protect your backend:
> 
> 1 browser caching 
> 2 CDN
> 3 rate limiting
> 4 nginx caching reverse proxy 
> 
> What are your requests? Are they static content or proxied to a back end?
> Do users login?
> Is it valid for dynamic content built for one user to be returned to
> another?

I am mainly using it to do reverse proxy to the backend.

> Do you use keepalive?

Here is the cleaned up version of the configuration in use:

# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
  worker_connections 4096 ;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';

  access_log /var/log/nginx/access.log main;
  sendfile on;
  client_header_buffer_size 64k;
  #tcp_nopush on;
  keepalive_timeout 65s;
  #gzip on;
  include /etc/nginx/conf.d/*.conf;

  limit_req_zone $host zone=perhost:10m rate=100r/s;
  limit_req zone=perhost burst=100 nodelay;

  upstream service_lb {
    server 127.0.0.1:8020;
    server 127.0.0.1:8021;
  }
}

worker_rlimit_nofile 10000;

# configuration file /etc/nginx/conf.d/nginx_ssl.conf:
server {
  listen 192.168.0.50:443 ssl backlog=1024;
  listen 127.0.0.1:443 ssl;

  ssl_certificate /etc/nginx/conf.d/nginx.crt;
  ssl_certificate_key /etc/nginx/conf.d/nginx.key;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+AESGCM:EECDH+AES256:EECDH+AES128:EECDH+AES:kRSA+AESGCM:kRSA+AES:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:!aNULL:!ADH:!eNULL:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!SEED;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:1024000;
  ssl_session_timeout 300;
  ssl_verify_client off;

  #charset koi8-r;
  access_log /var/log/nginx/access.log main;

  location /service/ {
    proxy_pass http://service_lb;
    break;
  }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279802,279879#msg-279879
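
An added example, not part of the original post and not nginx source code: a simplified Python model of how `limit_req` with `nodelay` accounts for requests, using the `rate=100r/s` and `burst=100` values from the configuration above. The client addresses, host name and traffic pattern are constructed, and keying on the client address is an assumption shown only for contrast with the posted `$host` key.

```python
# Added illustration: simplified model of limit_req accounting with nodelay.
RATE_RPS, BURST = 100, 100   # rate=100r/s, burst=100 from the posted config

class Zone:
    """One limit_req zone: per-key excess counter, in 1/1000 of a request."""
    def __init__(self, rate_rps, burst):
        self.rate, self.burst = rate_rps * 1000, burst * 1000
        self.state = {}                      # key -> (excess, last_ms)

    def allow(self, key, now_ms):
        if key not in self.state:            # first request for this key
            self.state[key] = (0, now_ms)
            return True
        excess, last = self.state[key]
        elapsed = max(now_ms - last, 0)
        # Drain at the configured rate, then charge this request.
        excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return False                     # rejected; state is not updated
        self.state[key] = (excess, now_ms)
        return True

def simulate(key_of, requests):
    """requests: (time_ms, client_ip, host) tuples. Returns accepted per client."""
    zone, accepted = Zone(RATE_RPS, BURST), {}
    for t, ip, host in requests:
        accepted.setdefault(ip, 0)
        accepted[ip] += zone.allow(key_of(ip, host), t)
    return accepted

def constructed_traffic():
    """Constructed sample: one second of traffic to a single Host header.
    A busy client sends 5 requests per ms; a quiet one sends 1 per 100 ms."""
    reqs = []
    for t in range(1000):
        reqs += [(t, "203.0.113.9", "app.example.test")] * 5
        if t % 100 == 55:
            reqs.append((t, "198.51.100.7", "app.example.test"))
    return reqs

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("keyed on host   :", simulate(lambda ip, host: host, traffic))
    print("keyed on address:", simulate(lambda ip, host: ip, traffic))
```

In this model the shared per-host bucket admits 200 requests in the second (the burst of 100 plus 100 r/s), all from the busy client, while a per-address key gives the quiet client its own bucket.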


