0
0
Nginxdevops~10 mins

limit_req_zone and limit_req in Nginx - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Process Flow - limit_req_zone and limit_req
Define limit_req_zone
Store request rate info
Incoming request
Check request rate
Allow request
Serve response
First, we define a zone to track request rates. Then each incoming request is checked against this zone. If the rate is within limits, the request proceeds; if not, it is delayed or rejected.
Execution Sample
Nginx
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s;

server {
  location /api/ {
    limit_req zone=mylimit burst=5 nodelay;
  }
}
This config limits requests from each IP to 1 request per second with a burst of 5 requests allowed immediately.
Process Table
StepRequest NumberClient IPCurrent Rate (r/s)ActionResult
11192.168.1.100.0AllowRequest served immediately
22192.168.1.101.0AllowRequest served immediately
33192.168.1.102.0Burst allowedRequest served immediately (burst)
44192.168.1.103.0Burst allowedRequest served immediately (burst)
55192.168.1.104.0Burst allowedRequest served immediately (burst)
66192.168.1.105.0Burst allowedRequest served immediately (burst)
77192.168.1.106.0Reject429 Too Many Requests
8110.0.0.50.0AllowRequest served immediately
💡 Request 7 from 192.168.1.10 exceeds burst limit, so it is rejected with 429 error.
Status Tracker
VariableStartAfter 1After 2After 3After 4After 5After 6After 7
Current Rate (r/s) for 192.168.1.100.01.02.03.04.05.06.06.0
Burst Used00123455
Key Moments - 3 Insights
Why are the first 6 requests allowed even though the rate exceeds 1r/s?
Because the 'burst=5' setting allows up to 5 extra requests to be served immediately beyond the rate limit, as shown in rows 3 to 6 of the execution_table.
What happens when the burst limit is exceeded?
The request is rejected with a 429 error, as seen in step 7 where the burst used reaches 5 and the next request is denied.
Why does the rate reset for a different IP address?
Because limit_req_zone tracks rates per client IP ($binary_remote_addr), so a new IP starts with zero rate, shown in step 8.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, what is the action taken at request number 4 from IP 192.168.1.10?
AReject the request
BAllow the request immediately using burst
CDelay the request
DIgnore the request
💡 Hint
Check row 4 in the execution_table under 'Action' column.
At which request number does the client 192.168.1.10 get rejected due to exceeding limits?
A5
B6
C7
D8
💡 Hint
Look for the first 'Reject' action in the execution_table for 192.168.1.10.
If the 'burst' was set to 3 instead of 5, what would happen at request number 6?
ARequest 6 would be rejected
BRequest 6 would be delayed
CRequest 6 would be allowed immediately
DRequest 6 would be ignored
💡 Hint
Compare burst usage in variable_tracker and relate to burst limit.
Concept Snapshot
limit_req_zone defines a shared memory zone to track request rates by key (e.g., IP).
limit_req applies rate limiting using that zone in a location.
'burst' allows extra requests beyond the rate to be served immediately.
Requests exceeding burst are delayed or rejected (429).
Use to protect servers from too many requests quickly.
Full Transcript
This visual execution shows how nginx's limit_req_zone and limit_req work together to limit request rates per client IP. First, limit_req_zone defines a memory zone to track request rates keyed by client IP. Then, limit_req in a location uses that zone to check each incoming request. If the request rate is within the limit, the request is allowed immediately. If the rate exceeds the limit but is within the burst allowance, the request is still allowed immediately. Once the burst limit is exceeded, requests are rejected with a 429 error. Different client IPs have separate rate tracking. This protects the server from too many requests in a short time.