Nginx Rate Limiting Configuration

Nginx rate limiting with multiple zones for API and login routes, burst handling, and custom error pages.

# /etc/nginx/conf.d/rate-limit.conf

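# Define rate limiting zones (10 MB of shared state each), keyed on the client
# address. Behind a load balancer or CDN, $binary_remote_addr is the proxy's
# address unless the realip module restores the real client IP.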
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

# Reject rate-limited requests with 429 Too Many Requests instead of the default 503
limit_req_status 429;

# "backend" in the proxy_pass lines must be defined as an upstream block elsewhere.
server {
    listen 80;
    server_name example.com;

    # General pages
    location / {
        limit_req zone=general burst=20 nodelay;
        proxy_pass http://backend;
    }

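    # API endpoints: higher limit with burst. Up to 50 requests above the rate
    # are accepted; the first 30 pass immediately and the rest are paced at the
    # zone rate (delay= requires nginx 1.15.7 or later).
    location /api/ {
        limit_req zone=api burst=50 delay=30;
        proxy_pass http://backend;
    }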

    # Login — strict limit to prevent brute force
    location /api/auth/login {
        limit_req zone=login burst=3 nodelay;
        proxy_pass http://backend;
    }

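    # Exempt internal monitoring: limit_req has no "off" form, and no limit is
    # inherited because none is set at server level, so this location simply
    # declares no limit_req.
    location /health {
        proxy_pass http://backend;
    }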

    error_page 429 /429.html;
    location = /429.html {
        root /usr/share/nginx/html;
        internal;
    }
}
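
To see what the burst, nodelay and delay settings above do to a single client, the following added example (not part of the original snippet and not nginx code) replays constructed request timings through a simplified model of limit_req's leaky-bucket accounting. The Zone class, simulate() and summary() are hypothetical names; the model assumes one client key and that rejected requests do not change the bucket state.

```python
"""Simplified model of limit_req accounting for one client key (added example)."""
from dataclasses import dataclass

NODELAY = float("inf")  # nodelay: no accepted request is ever held back


@dataclass
class Zone:
    rate_per_s: float  # rate= from limit_req_zone, in requests per second
    burst: int         # burst= from limit_req
    delay: float = 0   # delay=: excess served immediately; NODELAY for nodelay


# Parameters copied from the config above.
GENERAL = Zone(10, 20, NODELAY)
API = Zone(30, 50, 30)
LOGIN = Zone(5 / 60, 3, NODELAY)


def simulate(zone, arrivals_ms):
    """Return one (status, wait_ms) tuple per arrival time in milliseconds."""
    excess, last, results = 0.0, None, []
    for now in arrivals_ms:
        if last is None:
            candidate = 0.0  # first request seen for this key
        else:
            drained = zone.rate_per_s * (now - last) / 1000
            candidate = max(excess - drained + 1, 0.0)
        if candidate > zone.burst:
            results.append(("429", 0))  # rejected; bucket state left unchanged
            continue
        excess, last = candidate, now
        over = candidate - zone.delay
        wait = int(over / zone.rate_per_s * 1000) if over > 0 else 0
        results.append(("pass", wait))
    return results


def summary(results):
    """Count accepted, delayed and rejected requests."""
    ok = [w for status, w in results if status == "pass"]
    return {"accepted": len(ok), "delayed": sum(1 for w in ok if w > 0),
            "rejected": len(results) - len(ok), "max_wait_ms": max(ok, default=0)}


if __name__ == "__main__":
    # Constructed traffic: 10 login attempts 100 ms apart, then 60 simultaneous API calls.
    print("login", summary(simulate(LOGIN, range(0, 1000, 100))))
    print("api  ", summary(simulate(API, [0] * 60)))
```

In this model a password-guessing client gets 1 + burst = 4 attempts through the login zone before every further attempt is answered with 429 until the bucket drains at one request per 12 seconds.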

Use Cases

  • Protecting APIs from abuse and DDoS
  • Brute force prevention on login endpoints
  • Tiered rate limits for different route types
