Function of the "limit_req" option #380
Comments
It does Rate Limiting. See this NGINX article for details. See Digital Ocean NGINX Config tool to create custom configurations for your needs.

First you add a

```nginx
# Rate Limit the amount of HTTP requests a user can make in a given
# period of time
# https://www.nginx.com/blog/rate-limiting-nginx/
# https://www.youtube.com/watch?v=V9XGT7hvwWo
# @ 3 concurrent requests per second
#
limit_req_zone $binary_remote_addr zone=remote_addr_throttle:10m rate=3r/s;
# full original request URI (with arguments)
limit_req_zone $request_uri zone=request_uri_throttle:10m rate=60r/m;
# name of the server which accepted a request
limit_req_zone $server_name zone=server_name_throttle:10m rate=10r/m;
#
# Sets the status code to return in response to rejected requests.
limit_req_status 429;
#
# Sets the desired logging level for cases when the server refuses to
# process requests due to rate exceeding, or delays request processing.
limit_req_log_level warn;
```

Then you use this

```nginx
# Apply to server block, the shared memory zone and a maximum burst
# size of requests with nodelay.
# burst = # of requests in excess of rate declared above.
# ab -k -n 9 -c 3 https://www.xmpl.link/index.html
#
# # @ burst of additional 9 requests
limit_req zone=remote_addr_throttle burst=9 nodelay;
```
Hi webdev, I am not so sure if it really does rate limiting in the current implementation. If we use the default example.com page and change no setting besides the Global config -> Security -> limit_req option, we get this config: https://www.digitalocean.com/community/tools/nginx?global.security.limitReq=true The only thing that changed are these two lines:
Reading the documentation, to me this looks like we only have created the zone login but never actually use it.
These look like nice additions!
Again a very nice addition. This should be implemented into the nginx config as default, don't you think so?
So here is where the actual limiting happens, right? Wouldn't it be better to include that into the security.conf so it gets used for every page created with this tool?
Looking a little bit closer at the nginx tool, I realised that the limit req is only used for WordPress pages and it limits only the login location of WordPress pages, hence the zone name "login". I think it would be a nice addition to add this globally.
👋 @jameskimmel If you'd like to see that as a feature, please could I suggest that you open a feature request issue for that. As you've received an answer on what the current functionality does, I'll close this help request issue :)
Help request
I am still learning a lot about NGINX and am a non-native speaker, so please excuse me if this sounds silly to you, but what does the "limit_req" option actually do?
As far as I understand it, it simply creates a zone called login (why login and not something like zone or limit_zone?) that never gets actually used. Is that true or am I missing something?
If it is true, maybe I should open a feature request to make use of the zone in other website config pages?
Cheers
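
An added example, not part of the issue thread or the tool's own code: a small Python check for the situation the question describes, a `limit_req_zone` that is declared but never applied by a `limit_req` directive. The sample config is constructed, and the function name `audit_zones` and the zone `api_throttle` are assumptions made for illustration.

```python
import re

# Constructed sample: two zones are declared, only one is applied,
# and one location refers to a zone that was never declared.
SAMPLE_CONF = """
# limit_req zone=commented_out;   (comments must not count as usage)
limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
limit_req_zone $binary_remote_addr zone=remote_addr_throttle:10m rate=3r/s;
limit_req_status 429;
server {
    location / {
        limit_req zone=remote_addr_throttle burst=9 nodelay;
    }
    location /api/ {
        limit_req zone=api_throttle burst=5;
    }
}
"""


def audit_zones(conf):
    """Compare zones declared by limit_req_zone with zones applied by limit_req."""
    # Assumption: '#' always starts a comment (no '#' inside quoted strings).
    text = re.sub(r"#.*", "", conf)
    defined, used = set(), set()
    # Statements end at ';' and blocks are delimited by braces.
    for stmt in re.split(r"[;{}]", text):
        tokens = stmt.split()
        # Exact match keeps limit_req_status / limit_req_log_level out.
        if not tokens or tokens[0] not in ("limit_req_zone", "limit_req"):
            continue
        zone = next((t[5:] for t in tokens[1:] if t.startswith("zone=")), None)
        if zone is None:
            continue
        if tokens[0] == "limit_req_zone":
            defined.add(zone.split(":", 1)[0])  # drop the ":10m" size suffix
        else:
            used.add(zone)
    return {"unused": sorted(defined - used), "undefined": sorted(used - defined)}


if __name__ == "__main__":
    print(audit_zones(SAMPLE_CONF))
```

To check a live server, pass the function the text printed by `nginx -T`, which dumps the full configuration with all included files.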