Module ngx_http_limit_req

Module ngx_http_limit_req_module

english
עברית
日本語
русский
türkçe

news

about
download
security advisories
documentation
introduction
pgp keys
howto
faq
trac
wiki
links
books
support
donation
nginx.com
@nginxorg

Example Configuration
Directives
     limit_req
     limit_req_log_level
     limit_req_zone

The ngx_http_limit_req_module module (0.7.21) allows to limit the number of requests per defined key, in particular, the number of requests from a single IP address. The limitation is done using the “leaky bucket” method.

Example Configuration

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    ...

    server {

        ...

        location /search/ {
            limit_req zone=one burst=5;
        }

Directives

syntax:	`limit_req zone=name [burst=number] [nodelay];`
default:	—
context:	`http`, `server`, `location`

Sets a zone and the maximum allowed burst of requests. If the rate of requests exceeds the rate configured for a zone, request processing is delayed such as that they are processed at a defined rate. Excessive requests are delayed until their number exceeds the defined number of bursts. In this case, the request is terminated with an error 503 (Service Temporarily Unavailable). By default, the number of bursts is equal to zero. For example, the directives

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server {
    location /search/ {
        limit_req zone=one burst=5;
    }

allow not more than 1 request per second at an average, with bursts not exceeding 5 requests.

If delaying of excessive requests while requests are being limited is not desired, the parameter nodelay should be used:

limit_req zone=one burst=5 nodelay;

syntax:	`limit_req_log_level info \| notice \| warn \| error;`
default:	limit_req_log_level error;
context:	`http`, `server`, `location`

This directive appeared in version 0.8.18.

Sets the desired logging level for cases when the server limits the number of requests, or delays request processing. Delays are logged with the level one less than limits; for example, if “limit_req_log_level notice” is specified, delays are logged with the info level.

syntax:	`limit_req_zone $variable zone=name:size rate=rate;`
default:	—
context:	`http`

Sets the parameters for a zone that keeps states for various keys. This state stores the current number of requests in particular. The key is any non-empty value of the specified variable (empty values are not accounted). Example usage:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Here, the states are kept in a 10 megabyte zone “one”, and an average rate of requests for this zone cannot exceed 1 request per second.

An IP address of the client serves as a key. Note that instead of $remote_addr, the $binary_remote_addr variable is used here, allowing to lower the size of a state down to 64 bytes. One megabyte zone can keep about 16 thousand 64-byte states. If the storage for a zone is exhausted, the server will return error 503 (Service Temporarily Unavailable) to all further requests.

The rate is specified in requests per second (r/s). If a rate of less than one request per second is desired, it is specified in request per minute (r/m). For example, half-request per second is 30r/m.