
How to Use limit_req in Nginx for Rate Limiting

Use limit_req_zone to define a shared memory zone and request rate, then apply limit_req inside a server or location block to limit request processing speed. This helps control traffic bursts by delaying or rejecting excessive requests.

Syntax

The limit_req_zone directive defines a shared memory zone to track request rates by a key like client IP. The limit_req directive applies the rate limit to a location or server block using the defined zone.

  • limit_req_zone $binary_remote_addr zone=name:size rate=rate; - sets the key, zone name, memory size, and request rate.
  • limit_req zone=name [burst=number] [nodelay]; - applies the limit with optional burst and delay settings.
nginx
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;

server {
    location / {
        limit_req zone=mylimit burst=10 nodelay;
        proxy_pass http://backend;
    }
}

Example

This example limits each client IP to 5 requests per second with a burst of 10 requests allowed instantly without delay. Excess requests are delayed or rejected to protect the server from overload.

nginx
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

    server {
        listen 80;

        location / {
            limit_req zone=one burst=10 nodelay;
            return 200 'Request allowed';
        }
    }
}
Output
When a client sends requests faster than 5 per second, up to 10 extra requests are allowed immediately (burst). Requests beyond that are rejected with 503 errors.
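
To see how rate, burst and nodelay interact for the configuration above, here is an added example (not from the original page and not nginx's own code) that models the leaky-bucket accounting limit_req applies to a single client key. The function names and arrival times are constructed for illustration, and the model is a simplification that ignores zone eviction and multiple limits.

```python
# Added example: simplified model of limit_req's leaky-bucket accounting.
# Names (simulate, summarize, arrivals_ms) are illustrative, not nginx identifiers.

def simulate(arrivals_ms, rate=5, burst=10, nodelay=True):
    """Return one (status, delay_ms) tuple per request from a single client.

    arrivals_ms: sorted arrival times in milliseconds (constructed input).
    rate: requests per second from limit_req_zone; burst: from limit_req.
    """
    rate_milli = rate * 1000      # work in 1/1000-request units
    burst_milli = burst * 1000
    excess = None                 # None = key not yet tracked in the zone
    last = 0
    results = []
    for now in arrivals_ms:
        if excess is None:
            new_excess = 0        # first request for a new key is admitted
        else:
            # The bucket drains at `rate` while idle; each request adds one unit.
            new_excess = excess - rate_milli * (now - last) // 1000 + 1000
            new_excess = max(new_excess, 0)
        if new_excess > burst_milli:
            results.append((503, 0))   # rejected; bucket state is unchanged
            continue
        excess, last = new_excess, now
        # Without nodelay, an admitted request waits until it conforms to the rate.
        delay = 0 if nodelay else new_excess * 1000 // rate_milli
        results.append((200, delay))
    return results


def summarize(results):
    """Count admitted and rejected requests and report the longest delay."""
    admitted = sum(1 for status, _ in results if status == 200)
    return {"admitted": admitted,
            "rejected": len(results) - admitted,
            "max_delay_ms": max(d for _, d in results)}


if __name__ == "__main__":
    flood = [0] * 20                       # constructed: 20 requests at t=0
    print(summarize(simulate(flood, nodelay=True)))
    print(summarize(simulate(flood, nodelay=False)))
    steady = list(range(0, 4000, 200))     # constructed: exactly 5 r/s
    print(summarize(simulate(steady)))
```

In this model, 20 simultaneous requests yield 11 admitted (the first plus a burst of 10) and 9 rejected in both modes; without nodelay the last admitted request waits 2000 ms, while a steady 5 r/s stream is never limited.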

Common Pitfalls

  • Not defining limit_req_zone before using limit_req causes configuration errors.
  • Setting too low a rate or burst can block legitimate traffic.
  • Omitting nodelay causes excess requests to be delayed instead of rejected, which may cause slow responses.
  • Using $remote_addr instead of $binary_remote_addr uses more memory and is slower.
nginx
## Wrong: missing limit_req_zone
server {
    location / {
        limit_req zone=one burst=5;
    }
}

## Right: define the zone (in the http context) before referencing it
limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
server {
    location / {
        limit_req zone=one burst=5 nodelay;
    }
}

Quick Reference

| Directive | Purpose | Example |
| --- | --- | --- |
| limit_req_zone | Define rate limit zone and key | limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s; |
| limit_req | Apply rate limit in location/server | limit_req zone=one burst=10 nodelay; |
| burst | Allow extra requests above rate | burst=10 |
| nodelay | Send excess requests immediately or delay | nodelay |

Key Takeaways

Define a shared zone with limit_req_zone before applying limit_req.
Use $binary_remote_addr as the key for efficient memory use.
Set rate and burst values to balance protection and user experience.
Use nodelay to reject excess requests immediately instead of delaying.
Test your configuration to avoid blocking legitimate traffic.