Nginx Rate Limiting Configuration
Implement request rate limiting in Nginx to protect your APIs and login endpoints against brute-force login attempts, credential stuffing, scraping and other resource abuse. Rate limiting at the web server mitigates application-layer floods from a bounded set of sources; it does not absorb volumetric DDoS traffic, which has to be handled upstream of Nginx.
Detailed Explanation
Rate limiting controls how many requests a client may make within a given time window. Nginx implements it with a leaky bucket: requests drain from the bucket at the configured rate, and anything that would overflow is delayed or rejected. It is essential for protecting your server from brute-force login attacks, credential stuffing and excessive API usage that would degrade service for all users.
Defining a Rate Limit Zone
Rate limits are configured with the limit_req_zone directive, which is valid only in the http block. It defines a shared memory zone that tracks request state per key across all worker processes. The key can be any variable or combination of variables and text; requests whose key evaluates to an empty string are neither counted nor limited, which is the hook used for whitelisting below.
http {
    # Key: client IP in 4-byte (IPv4) or 16-byte (IPv6) binary form.
    # 10m of shared memory, 10 requests per second sustained.
    limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
    # Separate, much stricter zone for the login endpoint.
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
}
The $binary_remote_addr key limits each client IP individually and uses the compact binary form (4 bytes for IPv4, 16 for IPv6) rather than the text of $remote_addr, so each state entry is smaller. An IPv4 state takes about 64 bytes on 64-bit builds, so a 10m zone tracks roughly 160,000 addresses; IPv6 states are 128 bytes, which halves that. When the zone fills, Nginx evicts the oldest entries, and if it still cannot allocate a new one the request is rejected with the configured limit status. Two caveats: if Nginx sits behind a load balancer or CDN, $binary_remote_addr is the proxy's address, so every client would share one counter, unless the real_ip module (set_real_ip_from, real_ip_header) restores the client IP first; and in open-source Nginx the zone is local to one instance (zone synchronisation is an NGINX Plus feature), so a horizontally scaled tier of N nodes gives each client roughly N times the configured allowance.
Applying Rate Limits
Apply the configured zone with the limit_req directive, which is valid in the http, server and location contexts:
location /api/ {
    # Allow spikes of 20 above 10r/s and serve them immediately.
    limit_req zone=general burst=20 nodelay;
    proxy_pass http://backend;
}
location /login {
    # Queue up to 5 excess requests at 1r/s; slows password guessing.
    limit_req zone=login burst=5;
    proxy_pass http://backend;
}
Burst and Nodelay
The burst parameter sets how many requests above the rate Nginx will accept before rejecting. Think of it as burst extra slots in the bucket, each reclaimed at the configured rate (one every 100 ms at 10r/s). Without nodelay, excess requests that fit in the burst are queued and released at that rate, so the backend never sees more than the configured rate but the client waits; with burst=20 at 10r/s the last queued request waits about 2 s. With nodelay, a request that finds a free burst slot is forwarded immediately while the slot still refills at the rate, so the backend may see a spike of burst+1 requests at once, after which further requests are rejected until slots free up. Since Nginx 1.15.7 the delay= parameter combines both: the first delay excess requests are served immediately, the next burst minus delay are queued at the rate, and anything beyond burst is rejected. Note the default: with no burst at all, two requests from the same client closer together than 1/rate count as excess and the second is rejected, which breaks browsers that fetch a page and its assets in parallel.
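The four behaviours described above, side by side in one added configuration (this is illustrative config written for this page, not from the original text or from the Nginx project; the zone name demo, the upstream backend, the listen port and the four paths are assumed names):

```nginx
http {
    # 5 requests per second = one slot every 200 ms per client IP.
    limit_req_zone $binary_remote_addr zone=demo:10m rate=5r/s;
    limit_req_status 429;

    upstream backend { server 127.0.0.1:8080; }   # assumed backend

    server {
        listen 80;

        # 1. No burst: a second request from the same IP arriving within
        #    200 ms of the previous one is rejected immediately.
        location /strict/ {
            limit_req zone=demo;
            proxy_pass http://backend;
        }

        # 2. burst without nodelay: up to 10 excess requests are queued and
        #    released one every 200 ms; the 11th excess request is rejected.
        #    Smooth for the backend, but the client can wait up to 2 s.
        location /queued/ {
            limit_req zone=demo burst=10;
            proxy_pass http://backend;
        }

        # 3. burst with nodelay: the 10 burst slots are served at once and
        #    then refilled at 5r/s; anything that finds no free slot is
        #    rejected, so no request is ever delayed.
        location /immediate/ {
            limit_req zone=demo burst=10 nodelay;
            proxy_pass http://backend;
        }

        # 4. Two-stage limiting (Nginx 1.15.7+): the first 6 excess requests
        #    are served immediately, excess requests 7 to 10 are queued at
        #    the rate, and anything beyond 10 is rejected.
        location /two-stage/ {
            limit_req zone=demo burst=10 delay=6;
            proxy_pass http://backend;
        }
    }
}
```

The two-stage form is usually the right default for browser-facing paths: a page load that fires a dozen asset requests in parallel goes through untouched, a scraper that keeps the bucket full is throttled and then cut off, and the backend never sees more than rate plus delay requests in a single instant.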
Custom Error Responses
By default, a rate-limited request receives 503 Service Unavailable, which is indistinguishable from a real outage on dashboards and makes well-behaved clients retry. Change it with limit_req_status (valid in http, server and location; accepts codes 400 to 599):
limit_req_status 429;
This returns 429 Too Many Requests (RFC 6585), which API clients, SDK retry logic and monitoring tools recognise as throttling rather than failure. If you want a custom body, error_page 429 can serve one; either way, keep rate-limit rejections separate from backend errors in your alerting so a brute-force wave is not paged as an outage.
Logging
Control how rate-limited requests are logged with limit_req_log_level (default error; accepts info, notice, warn or error). Rejections are logged at the configured level and delayed requests one level lower, so limit_req_log_level warn; records rejections at warn and delays at notice, keeping error-level alerts for real failures while still leaving a trail for hunting brute-force sources. The access log also records every rejected request with its status code, which is usually the better place to count rejections per IP.
Multiple Rate Limits
You can attach several limit_req directives to one location for layered protection, for example a per-IP zone plus a global zone keyed on $server_name, which gives one counter for the whole virtual server. Every zone is checked and the request is rejected if any of them is exceeded, so a distributed attacker with thousands of source IPs cannot multiply the per-IP budget past the global ceiling. Note that limit_req directives are inherited from the enclosing level only if the current level defines none, so a location that adds its own limit_req replaces, rather than extends, the server-wide ones and must list them again.
Whitelisting Trusted IPs
Use a geo block to flag trusted addresses (internal monitoring services, health-check probes, office VPN egress) and a map to turn that flag into the zone key: trusted clients get an empty key, which limit_req_zone never counts, while everyone else keeps $binary_remote_addr. Keep the list short and specific; a whitelisted range is also a range an attacker inside it can abuse, and the exemption only applies to zones keyed on the mapped variable, not to a global zone keyed on $server_name.
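Putting the pieces from the last four sections together, here is an added example configuration (written for this page, not taken from the original text or from the Nginx project) that combines real_ip restoration, a geo/map whitelist, per-IP and global zones, 429 responses and warn-level logging. The load balancer range 10.0.1.0/24, the monitoring range 10.0.2.0/24, the VPN range 203.0.113.0/24, the upstream backend and the hostname are assumed placeholder values:

```nginx
http {
    # Nginx sits behind a load balancer in 10.0.1.0/24 that sets
    # X-Forwarded-For; restore the client IP before it is used as a key,
    # and trust only that range so clients cannot spoof the header.
    set_real_ip_from 10.0.1.0/24;
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;

    # 1 = subject to per-IP limiting, 0 = exempt. geo matches the most
    # specific prefix, so order does not matter.
    geo $limited {
        default         1;
        10.0.2.0/24     0;   # internal monitoring and health-check probes
        203.0.113.0/24  0;   # office VPN egress (placeholder range)
    }

    # An empty key is never accounted, so exempt clients bypass the
    # per-IP zones below; the global zone still counts them.
    map $limited $limit_key {
        0 "";
        1 $binary_remote_addr;
    }

    # Per-IP zones keyed on the whitelist-aware key.
    limit_req_zone $limit_key   zone=general:10m rate=10r/s;
    limit_req_zone $limit_key   zone=login:10m   rate=1r/s;
    # Global ceiling keyed on the server name: one counter for everyone.
    limit_req_zone $server_name zone=global:1m   rate=500r/s;

    limit_req_status    429;    # instead of the default 503
    limit_req_log_level warn;   # rejections at warn, delays at notice

    upstream backend { server 127.0.0.1:8080; }   # assumed backend

    server {
        listen 80;
        server_name api.example.com;   # placeholder hostname

        # Both zones apply; the request is rejected if either is exceeded.
        location /api/ {
            limit_req zone=general burst=20  nodelay;
            limit_req zone=global  burst=100 nodelay;
            proxy_pass http://backend;
        }

        # Login: strict per-IP queueing plus the same global ceiling.
        # limit_req is not inherited once a location lists its own, so
        # the global zone has to be repeated here.
        location /login {
            limit_req zone=login  burst=5;
            limit_req zone=global burst=100 nodelay;
            proxy_pass http://backend;
        }

        # No limit_req at the http or server level and none here, so the
        # health endpoint is never throttled regardless of source.
        location = /healthz {
            return 200 "ok\n";
        }
    }
}
```

Test the whitelist from both sides before relying on it: a request from a monitoring host should never see a 429 on /api/ no matter how fast it polls, while the same loop from an ordinary address should start returning 429 after the burst is spent, with a matching warn line in the error log.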
Use Case
You are running a public API or login endpoint and need to slow brute-force password attacks and contain abusive clients sending thousands of requests per second, without penalising normal users whose browsers occasionally burst.