limit_req_zone and limit_req in Nginx - Commands & Configuration

Introduction
When many users visit a website at the same time, the server can get overwhelmed and slow down or crash. Nginx has tools called limit_req_zone and limit_req that help control how many requests each user can make in a short time. This keeps the server stable and fair for everyone.
When you want to stop one user from sending too many requests and slowing down your website.
When you want to protect your server from simple attacks that flood it with requests.
When you want to make sure your website stays fast even if many people visit at once.
When you want to limit API usage per user to avoid abuse.
When you want to control traffic from certain IP addresses to prevent overload.
Config File - nginx.conf
http {
    # Define a shared memory zone named 'mylimit' to track requests by IP
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;

    server {
        listen 80;
        server_name example.com;

        location / {
            # Apply the request limit using the 'mylimit' zone
            limit_req zone=mylimit burst=10 nodelay;

            # Usual proxy or root settings
            root /var/www/html;
            index index.html;
        }
    }
}

limit_req_zone defines a shared memory area named 'mylimit' that tracks requests per user IP address ($binary_remote_addr). It sets a limit of 5 requests per second.

limit_req applies this limit in the server's location block. burst=10 allows short bursts of up to 10 extra requests, and nodelay makes Nginx serve those burst requests immediately instead of delaying them; requests beyond the burst are rejected.

Commands
Check the Nginx configuration file for syntax errors before applying changes.
Terminal
sudo nginx -t
Expected Output
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload Nginx to apply the new rate limiting configuration without stopping the server.
Terminal
sudo systemctl reload nginx
Expected Output
No output (command runs silently)
Send a request to the server to verify it responds normally under the rate limit.
Terminal
curl -i http://localhost/
Expected Output
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Length: 612
Connection: keep-alive

<!DOCTYPE html>...
Send 20 quick requests to test if Nginx limits requests and returns 503 status when limit is exceeded.
Terminal
for i in {1..20}; do curl -s -o /dev/null -w "%{http_code}\n" http://localhost/; done
Expected Output
200 200 200 200 200 200 200 200 200 200 503 503 503 503 503 503 503 503 503 503
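
To see how rate=5r/s, burst=10 and nodelay interact in the 20-request test, here is a small simulation, added as an example and not taken from the original page or from Nginx. It is a simplified model of the leaky-bucket accounting for a single client IP (simulate(), summarize() and the arrival patterns are constructed for illustration), and it shows that the exact split between 200 and 503 depends on how closely the requests are spaced.

```python
# Added example: simplified model of limit_req's leaky bucket with nodelay.
# Not nginx source code; simulate() and summarize() are hypothetical names.

def simulate(arrivals_ms, rate_per_s=5, burst=10):
    """Return the expected status (200 or 503) for each request of ONE client.

    arrivals_ms: sorted arrival times in milliseconds (constructed input).
    'excess' is kept in thousandths of a request so the math stays integer.
    """
    excess = 0      # requests currently above the configured rate (x1000)
    last = None     # arrival time of the last accepted request
    statuses = []
    for now in arrivals_ms:
        if last is None:
            # First request seen for this key: nothing is in the bucket yet.
            last = now
            statuses.append(200)
            continue
        elapsed = max(now - last, 0)
        # The bucket drains at rate_per_s requests per second, which is
        # rate_per_s thousandths per millisecond; this request adds 1000.
        candidate = max(excess - rate_per_s * elapsed + 1000, 0)
        if candidate > burst * 1000:
            # Over rate + burst: rejected, and the stored state is unchanged.
            statuses.append(503)
            continue
        excess, last = candidate, now
        statuses.append(200)
    return statuses


def summarize(statuses):
    """Count accepted and rejected requests."""
    return statuses.count(200), statuses.count(503)


if __name__ == "__main__":
    # Constructed arrival patterns for 20 requests from one IP address.
    patterns = {
        "all at once": [0] * 20,
        "50 ms apart (sequential curl loop)": [i * 50 for i in range(20)],
        "200 ms apart (exactly 5 r/s)": [i * 200 for i in range(20)],
    }
    for name, arrivals in patterns.items():
        ok, rejected = summarize(simulate(arrivals))
        print(f"{name}: {ok} x 200, {rejected} x 503")
```

Passing burst=0 to simulate() models a zone applied without burst, where every request above the base rate is rejected.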
Key Concept

If you remember nothing else from this pattern, remember: limit_req_zone sets the request rate limit, and limit_req enforces it per user to protect your server from overload.

Common Mistakes
Not defining limit_req_zone before using limit_req.
Nginx will fail to start or ignore the limit because the zone is missing.
Always define limit_req_zone in the http block before applying limit_req in server or location blocks.
Setting rate too low without burst, causing many 503 errors.
Users get blocked too quickly, harming user experience.
Use a reasonable rate and add burst to allow short spikes in traffic.
Using $remote_addr instead of $binary_remote_addr in limit_req_zone.
$remote_addr uses string IP which is slower and uses more memory.
Use $binary_remote_addr for better performance and less memory usage.
Summary
Define a shared memory zone with limit_req_zone to track request rates by IP.
Apply the rate limit in server or location blocks using limit_req with burst and nodelay options.
Test the configuration syntax and reload Nginx to apply changes safely.
Verify the limit works by sending multiple requests and observing 503 errors when exceeded.