Nginx Rate Limiting on OpenBSD 7.5
Rate limiting protects your application from abuse (such as brute-force login attempts and scraping) and from request floods by capping how fast any single client can send requests.
Step 1 – Define a limit zone in http context
Edit /etc/nginx/nginx.conf:
http {
    # 10 requests/second per client IP for the API; the burst allowance is set
    # where the zone is applied with limit_req (Step 2), not here
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
    # 5 requests/minute per client IP for the login form
    limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;
    ...
}
Step 2 – Apply the limit to a location
server {
    ...
    location /api/ {
        limit_req zone=api_limit burst=20 nodelay;
        limit_req_status 429;
        proxy_pass http://backend;
    }
    location /login {
        limit_req zone=login_limit burst=3;
        limit_req_status 429;
        proxy_pass http://backend;
    }
}
Step 3 – Return a custom 429 error page
# Inside the same server { } block as the locations above
error_page 429 /429.html;
location = /429.html {
    root /var/www/html;
    internal;
}
Step 4 – Reload Nginx
nginx -t && rcctl reload nginx
OpenBSD has no systemd; rcctl(8) reloads the service through its rc.d script, and nginx re-reads its configuration on the resulting SIGHUP without dropping established connections. Running nginx -t first catches a configuration error before the reload is attempted.
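To see what rate=, burst= and nodelay actually admit and reject for the two zones configured above, here is an added Python model of nginx's limit_req leaky bucket (modelled on ngx_http_limit_req_module, which keeps rate and excess in thousandths of a request); it is not nginx's own code, and the client addresses and timings are constructed.

```python
# Model of nginx's limit_req leaky bucket (ngx_http_limit_req_module), in
# thousandths of a request like the module itself. Added example, not nginx code.
class LimitReqZone:
    """One limit_req_zone plus the limit_req parameters applied in a location."""

    def __init__(self, rate_str, burst, nodelay=False):
        n, per = rate_str.split("r/")            # "10r/s" or "5r/m"
        self.rate = int(n) * 1000 // (60 if per == "m" else 1)  # 10000 or 83
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.state = {}  # key -> (last_ms, excess): one node per $binary_remote_addr

    def request(self, key, now_ms):
        """Return (verdict, delay_ms); 'reject' is what limit_req_status 429 answers."""
        if key not in self.state:
            self.state[key] = (now_ms, 0)        # first request from a key: excess 0
            return "pass", 0
        last, excess = self.state[key]
        ms = max(now_ms - last, 0)
        # drain what leaked since the last accounted request, then add this one
        excess = max(excess - self.rate * ms // 1000, 0) + 1000
        if excess > self.burst:
            return "reject", 0                   # bucket left untouched, as in nginx
        self.state[key] = (now_ms, excess)
        # without nodelay, queued requests are held until the bucket drains to them
        delay = 0 if self.nodelay else excess * 1000 // self.rate
        return "pass", delay


def simulate(zone, arrivals):
    """Feed (t_ms, client) pairs through a zone; return {client: (passed, rejected)}."""
    counts = {}
    for t_ms, client in arrivals:
        verdict, _ = zone.request(client, t_ms)
        passed, rejected = counts.get(client, (0, 0))
        counts[client] = (passed + 1, rejected) if verdict == "pass" else (passed, rejected + 1)
    return counts


if __name__ == "__main__":
    # Constructed traffic: one client fires 25 /api/ requests at once, another sends one.
    api = LimitReqZone("10r/s", burst=20, nodelay=True)
    print(simulate(api, [(0, "203.0.113.7")] * 25 + [(0, "198.51.100.9")]))
    # {'203.0.113.7': (21, 4), '198.51.100.9': (1, 0)}: burst admits burst+1 instantly
    login = LimitReqZone("5r/m", burst=3)
    for i in range(5):
        print("login attempt", i + 1, login.request("203.0.113.7", 0))
```

Note that burst=20 lets 21 simultaneous requests through (the first one plus the burst), and that without nodelay the /login zone answers the second attempt only after a 12-second delay at 5r/m, which is why the two locations feel so different to a client.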
Monitoring rate-limit hits
# Top 20 client IPs answered with 429; field 9 is the status code in the default
# combined log format, so this avoids matching "429" inside a URL or byte count
awk '$9 == 429 {print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# nginx also records every rejected request in the error log, naming the zone that tripped
grep 'limiting requests' /var/log/nginx/error.log | tail