Function of the "limit_req" option #380

Closed
jameskimmel opened this issue Sep 8, 2022 · 4 comments
@jameskimmel

Help request

I am still learning a lot about NGINX and am not a native speaker, so please excuse me if this sounds silly to you, but what does the "limit_req" option actually do?

As far as I understand it, it simply creates a zone called login (why login and not something like zone or limit_zone?) that never gets actually used. Is that true or am I missing something?

If it is true, maybe I should open a feature request to make use of the zone in other website config pages?

Cheers

@suchislife801

suchislife801 commented Sep 10, 2022

It does Rate Limiting.

See this NGINX article for details.
https://www.nginx.com/blog/rate-limiting-nginx/

See Digital Ocean NGINX Config tool to create custom configurations for your needs.
https://nginxconfig.io

First you add a limit_req_zone at the http context level of your nginx.conf file.

# Rate Limit the amount of HTTP requests a user can make in a given 
# period of time
# https://www.nginx.com/blog/rate-limiting-nginx/
# https://www.youtube.com/watch?v=V9XGT7hvwWo
# @ 3 concurrent requests per second
#
limit_req_zone            $binary_remote_addr zone=remote_addr_throttle:10m rate=3r/s;
# full original request URI (with arguments)
limit_req_zone            $request_uri zone=request_uri_throttle:10m rate=60r/m;
# name of the server which accepted a request
limit_req_zone            $server_name zone=server_name_throttle:10m rate=10r/m;
#
# Sets the status code to return in response to rejected requests.
limit_req_status 429;
#
# Sets the desired logging level for cases when the server refuses to 
# process requests due to rate exceeding, or delays request processing.
limit_req_log_level       warn;

Then you use this limit_req_zone in one or more server and/or location blocks in the nginx.conf file.

# Apply to server block, the shared memory zone and a maximum burst 
# size of requests with nodelay.
# burst = # of requests in excess of rate declared above.
# ab -k -n 9 -c 3 https://www.xmpl.link/index.html
# 
# # @ burst of additional 9 requests
limit_req zone=remote_addr_throttle burst=9 nodelay;

@jameskimmel
Author

jameskimmel commented Sep 14, 2022

Hi webdev

I am not so sure if it really does rate limiting in the current implementation.
But to be sure we are talking about the same thing, let's have a look at an example.

If we use the default example.com page and change no setting besides the Global config -> Security -> limit_req option, we get this config: https://www.digitalocean.com/community/tools/nginx?global.security.limitReq=true

The only things that changed are these two lines:

limit_req_log_level    warn;
limit_req_zone         $binary_remote_addr zone=login:10m rate=10r/m;

Reading the documentation, to me this looks like we only have created the zone login but never actually use it.

limit_req_zone $request_uri zone=request_uri_throttle:10m rate=60r/m;

limit_req_zone $server_name zone=server_name_throttle:10m rate=10r/m;

These look like nice additions!

limit_req_status 429;

Again a very nice addition. This should be implemented into the nginx config as default, don't you think so?

limit_req zone=remote_addr_throttle burst=9 nodelay;

So here is where the actual limiting happens, right?

Wouldn't it be better to include that into the security.conf so it gets used for every page created with this tool?
Because like again, and I am sorry if I am wrong on this one, the current implementation of limit_req does absolutely nothing.

@jameskimmel
Author

Looking a little bit closer at the nginx tool, I realised that the limit req is only used for WordPress pages and it limits only the login location of WordPress pages, hence the zone name "login".

I think it would be a nice addition to add this globally.

@MattIPv4
Member

👋 @jameskimmel If you'd like to see that as a feature, please could I suggest that you open a feature request issue for that.

As you've received an answer on what the current functionality does, I'll close this help request issue :)
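
The situation discussed in this thread, a `limit_req_zone` that no `limit_req` directive ever applies, can be checked mechanically. The following is an added example, not part of the original thread or of the nginxconfig.io project; the function name `audit_limit_req`, the two sample configs and the `burst=2` value are constructed for illustration.

```python
import re

# Constructed sample: the two lines the thread says the tool emits with
# limitReq enabled, plus a server block that never applies the zone.
UNUSED = """
limit_req_log_level    warn;
limit_req_zone         $binary_remote_addr zone=login:10m rate=10r/m;
server {
    location / { try_files $uri $uri/ =404; }
}
"""

# Constructed sample: the same zone applied to a WordPress login location.
USED = """
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
limit_req_status 429;
server {
    location = /wp-login.php {
        limit_req zone=login burst=2 nodelay;  # burst value is an assumption
    }
}
"""

# limit_req_zone <key> zone=<name>:<size> rate=<rate>;
ZONE_DEF = re.compile(r"\blimit_req_zone\s+[^;]*?\bzone=([^\s:;]+):[^;]*;")
# limit_req zone=<name> [burst=N] [nodelay|delay=N];
# "\s+" right after "limit_req" keeps limit_req_zone/_status/_log_level out.
ZONE_USE = re.compile(r"\blimit_req\s+[^;]*?\bzone=([^\s;]+)[^;]*;")


def audit_limit_req(conf: str) -> dict:
    """Report zones defined but never applied, and applied but never defined."""
    # Drop comments so a commented-out limit_req does not count as a use.
    # Simplification: a '#' inside a quoted string is treated as a comment too.
    conf = re.sub(r"#[^\n]*", "", conf)
    defined = set(ZONE_DEF.findall(conf))
    applied = set(ZONE_USE.findall(conf))
    return {
        "unused": sorted(defined - applied),      # zone exists, limits nothing
        "undefined": sorted(applied - defined),   # nginx refuses to start
    }


if __name__ == "__main__":
    for name, conf in (("UNUSED", UNUSED), ("USED", USED)):
        print(name, audit_limit_req(conf))
```

Because the generated configuration is split across included files, feed the function the full dump from `nginx -T` rather than a single file.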
