Two directives: limit_req_zone defines the pool (key + memory + rate), limit_req activates it in a location. A 10 MB zone holds ~160k unique IPs in RAM. Add burst for short spikes (burst=20 nodelay — allows 20 without delay, then rate-limits). Returns 429 by default; log to a custom file, feed fail2ban for IP bans.
Below: details, example, related terms, FAQ.
Free online tool — website security scanner: instant results, no signup.
# /etc/nginx/conf.d/rate-limits.conf
limit_req_zone zone=api:10m rate=60r/m;
limit_req_zone zone=login:10m rate=5r/m;
limit_req_status 429;
server {
location /api/ {
limit_req zone=api burst=20 nodelay;
proxy_pass http://backend;
}
location /login {
limit_req zone=login burst=3 nodelay;
proxy_pass http://backend;
}
}
# fail2ban filter (jail.d/nginx-rate.conf)
[Definition]
failregex = limiting requests, excess.*client: <HOST>While rate limiting is a powerful tool for controlling traffic to your Nginx server, it does come with certain limitations that administrators should be aware of. Understanding these limitations can help you configure your server more effectively and avoid potential pitfalls.
1. Memory Usage: The limit_req_zone directive allocates shared memory for storing request data. A 10 MB zone can accommodate approximately 160,000 unique IP addresses in RAM. If your application experiences traffic from more unique IPs than the configured zone can handle, excess requests may not be tracked, leading to unintended access.
2. Granularity of Rate Limiting: The rate limiting applies at the level of the defined zone. If you have multiple applications or services running on the same server, they will share the same limits unless separate zones are defined. This can lead to unfair limitations on some services if not configured properly.
3. Bursting Behavior: The burst parameter allows for short spikes in traffic, but it can also lead to a surge in requests that exceed the defined rate. If not managed carefully, this can temporarily overwhelm your resources, especially if combined with other traffic spikes.
4. Logging and Monitoring: By default, Nginx returns a 429 status code for rate-limited requests. It is crucial to log these events to a custom file for monitoring and analysis. This data can be invaluable for adjusting your rate limits and understanding traffic patterns.
In summary, while rate limiting is essential for protecting your Nginx server, it requires careful consideration and ongoing management to ensure optimal performance and security.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freePer IP is faster (binary_remote_addr in the key). Per user — after auth via $cookie_session or $jwt_claim.
Behind a CDN — real_ip_header + set_real_ip_from. Otherwise every request gets banned on the CDN IP.
CF / WAF — L7 DDoS protection (10k+ RPS). nginx limit_req — local fair-use + slow-brute protection.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.