nginx — alert when a rate-limit zone is saturating
An attacker is hammering a `limit_req_zone` — legit traffic now eats 429s too. The access log shows it but nobody is watching.
Recipe
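```bash
#!/usr/bin/env bash
# Counts 429s logged in the previous clock minute and compares them against a threshold.
LOG="${ACCESS_LOG:-/var/log/nginx/access.log}"
THRESHOLD="${THRESHOLD:-50}"
# LC_ALL=C keeps %b in English so it matches nginx timestamps; -d requires GNU date.
FROM="$(LC_ALL=C date -d '1 min ago' '+%d/%b/%Y:%H:%M')"
# Combined log format: $4 is "[dd/Mon/yyyy:HH:MM:SS" and $9 is the status code.
# Matching on $4 only avoids counting a timestamp that appears in a URL or referer.
CNT=$(awk -v from="$FROM" '
index($4, "[" from ":") == 1 && $9 == 429 { c++ } END { print c+0 }
' "$LOG")
[ "$CNT" -ge "$THRESHOLD" ] && echo "high $CNT/min" || echo "ok $CNT/min"
```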
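A raw 429 count cannot tell one noisy client being throttled as intended from rejections spread across many clients. The script below is an added example, not part of the original recipe, that reports distinct rejected clients and the top client's share for one minute; the function names, the sample log and the 80% cut-off are assumptions, and the first output word stays "ok" or "high".

```shell
#!/usr/bin/env bash
# Added example. Assumes nginx "combined" log format: $1 client, $4 "[time", $9 status.

# summarize_429 <dd/Mon/yyyy:HH:MM> <logfile>
# Prints: total=<n> limited=<n> clients=<n> top=<ip> top_share=<percent>
summarize_429() {
  awk -v from="$1" '
    index($4, "[" from ":") == 1 {          # anchor on the timestamp field only
      total++
      if ($9 == 429) { limited++; hits[$1]++ }
    }
    END {
      for (ip in hits) {
        clients++
        if (hits[ip] > max || (hits[ip] == max && ip < top)) { max = hits[ip]; top = ip }
      }
      printf "total=%d limited=%d clients=%d top=%s top_share=%d\n",
        total, limited, clients, (top == "" ? "-" : top), (limited ? int(100 * max / limited) : 0)
    }' "$2"
}

# verdict <minute> <logfile> [threshold] [single_share_pct]  (defaults 50 and 80 are assumptions)
# First word stays "ok"/"high" so a keyword monitor on "ok" keeps working.
verdict() {
  s=$(summarize_429 "$1" "$2")
  limited=${s#*limited=}; limited=${limited%% *}
  share=${s##*top_share=}
  if [ "$limited" -lt "${3:-50}" ]; then echo "ok $s"
  elif [ "$share" -ge "${4:-80}" ]; then echo "high single-client $s"
  else echo "high widespread $s"
  fi
}

# Constructed sample log: one client takes 6 of the 9 rejections in minute 10:15.
make_sample_log() {
  for i in 1 2 3 4 5 6; do
    echo "203.0.113.9 - - [12/Mar/2024:10:15:0$i +0000] \"GET /api HTTP/1.1\" 429 0 \"-\" \"-\""
  done
  echo '198.51.100.4 - - [12/Mar/2024:10:15:20 +0000] "GET /api HTTP/1.1" 429 0 "-" "-"'
  echo '198.51.100.7 - - [12/Mar/2024:10:15:21 +0000] "GET /api HTTP/1.1" 429 0 "-" "-"'
  echo '198.51.100.7 - - [12/Mar/2024:10:15:22 +0000] "GET /?t=12/Mar/2024:10:14 HTTP/1.1" 429 0 "-" "-"'
  echo '198.51.100.4 - - [12/Mar/2024:10:15:23 +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
  echo '192.0.2.1 - - [12/Mar/2024:10:14:59 +0000] "GET /api HTTP/1.1" 429 0 "-" "-"'
}

SAMPLE="${TMPDIR:-/tmp}/access_sample.$$"
make_sample_log > "$SAMPLE"
verdict "12/Mar/2024:10:15" "$SAMPLE" 5
rm -f "$SAMPLE"
```
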
Same thing in Enterno.io
An endpoint that returns the script's output, plus an Enterno HTTP monitor with the "ok" keyword, surfaces an attack within 60s. Pair it with the Security Scanner to make sure the limit isn’t set too tight in the first place.