Hi,
I'm wondering if there is a way to rate limit certain location but based on 2 rate limit zones. I use nginx as a reverse proxy to apache. Got some rate limiting rules setup to prevent apache from maxing the number of connections out.
The trouble is I want to rate limit location based on $host and $request_uri at the same time. That in effect will put one limit for the server globally and the second limit for the domain name hosted on the server only without affecting the rest.
Let's say I have got multiple Wordpress sites and I want to limit wp-comments.php to
$host 4r/s
and
$request_uri 100r/m
So I create 2 zones:
limit_req_zone $request_uri zone=one:10m rate=100r/m;
limit_req_zone $host zone=two:10m rate=4r/s;
Now location
location ~*/wp-comments.php {
include /etc/nginx/proxy.conf;
limit_req zone=one;
limit_req zone=two;
}
Everything is fine however... nginx is just rate limiting based on the projections. It doesn't use zone one if 100 requests have been exceeded per minute it does that if you MAY exeed 100 requests per minute from the algorythm calculations.
In the above example posting 5 requests at the same time will trigger the rule 100r/m. As at that point in time we had 5 requests per second what gives us a potential 300 requests per minute not 100. What I would like to see is if those 100 requests per minute have been reached in the time period of real minute - rate limit. Do not look at any projections or assumptions as this is wrong. In the situation when the server is under attack and you still want legitimate users be able to post comments it's not going to work.
Thank you!
I'm wondering if there is a way to rate limit certain location but based on 2 rate limit zones. I use nginx as a reverse proxy to apache. Got some rate limiting rules setup to prevent apache from maxing the number of connections out.
The trouble is I want to rate limit location based on $host and $request_uri at the same time. That in effect will put one limit for the server globally and the second limit for the domain name hosted on the server only without affecting the rest.
Let's say I have got multiple Wordpress sites and I want to limit wp-comments.php to
$host 4r/s
and
$request_uri 100r/m
So I create 2 zones:
limit_req_zone $request_uri zone=one:10m rate=100r/m;
limit_req_zone $host zone=two:10m rate=4r/s;
Now location
location ~*/wp-comments.php {
include /etc/nginx/proxy.conf;
limit_req zone=one;
limit_req zone=two;
}
Everything is fine however... nginx is just rate limiting based on the projections. It doesn't use zone one if 100 requests have been exceeded per minute it does that if you MAY exeed 100 requests per minute from the algorythm calculations.
In the above example posting 5 requests at the same time will trigger the rule 100r/m. As at that point in time we had 5 requests per second what gives us a potential 300 requests per minute not 100. What I would like to see is if those 100 requests per minute have been reached in the time period of real minute - rate limit. Do not look at any projections or assumptions as this is wrong. In the situation when the server is under attack and you still want legitimate users be able to post comments it's not going to work.
Thank you!