This section explains how to restrict access to a website or parts of it (allowing access only to specific IP addresses or to authenticated users), and how to limit the number of connections per client, the request rate, and the rate at which content is downloaded from the server.

Restricting Access

Access can be allowed or denied based on the IP address of a client or by using HTTP basic authentication.

To allow or deny access from a certain set of addresses, or from all addresses, use the allow and deny directives. The rules are checked in the order in which they appear and the first matching rule decides; a request that matches no rule is allowed, which is why a restrictive block ends with deny all:

location / {
    deny  192.168.1.2;      # one host excluded from the network allowed next
    allow 192.168.1.0/24;   # the network address, not a host address with a mask
    allow 127.0.0.1;
    deny  all;              # everything not matched above
}

To enable authentication, use the auth_basic directive. Users must then enter a valid username and password to get access to the website. The usernames and password hashes must be listed in the file named in the auth_basic_user_file directive (a relative path is resolved against the NGINX prefix directory); the file is in the Apache htpasswd format and can be generated with the htpasswd utility or with openssl passwd. Because HTTP basic authentication sends the credentials base64-encoded, not encrypted, with every request, use it only over HTTPS.

server {
    ...
    auth_basic "closed website";
    auth_basic_user_file conf/htpasswd;
}

You can make some areas of a website available without authentication even when you require authentication for the website as a whole. In the configuration block for the non-authenticated area, include the auth_basic directive with the off parameter; it cancels the setting inherited from the outer configuration level. For example, access to the whole site can be limited while some locations stay publicly available:

server {
    ...
    auth_basic "closed website";
    auth_basic_user_file conf/htpasswd;

    location /public/ {
        auth_basic off;
    }
}

To combine restriction by IP address and authentication, use the satisfy directive. By default it is set to all, so a client must satisfy both conditions to be granted access. When the satisfy directive is set to any, access is granted if at least one condition is satisfied. Thus an unauthenticated user gets access if their IP address is among the allowed addresses, while users from addresses to which access is denied can reach the website only by entering a valid username and password. The example below shows how to combine the two methods of restricting access to a location:

location / {
    satisfy any;

    allow 192.168.1.0/24;
    deny  all;

    auth_basic           "closed site";
    auth_basic_user_file conf/htpasswd;
}
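The allow/deny check, the htpasswd lookup and the way satisfy combines them, as an added example that is not part of the NGINX documentation: a small Python model of the evaluation NGINX performs, using the allow/deny rules from this page (with the network written as 192.168.1.0/24), a constructed htpasswd entry in the {SHA} form NGINX accepts, and the status codes a client observes because the allow/deny check runs before auth_basic. The client addresses, the user name alice and her password are made up for the example; {SHA} is unsalted SHA-1 and is used only because it is reproducible without libcrypt.

```python
import base64
import hashlib
import hmac
import ipaddress

# The page's allow/deny block as (action, pattern) pairs. nginx checks rules in
# the order written and the first match decides; a request that matches no rule
# is allowed, which is why a restrictive block ends with "deny all".
ACCESS_RULES = [
    ("deny", "192.168.1.2"),
    ("allow", "192.168.1.0/24"),
    ("allow", "127.0.0.1"),
    ("deny", "all"),
]


def ip_allowed(client_ip, rules=ACCESS_RULES):
    """First-match evaluation of allow/deny rules for one client address."""
    ip = ipaddress.ip_address(client_ip)
    for action, pattern in rules:
        if pattern == "all":
            return action == "allow"
        net = ipaddress.ip_network(pattern, strict=False)
        # A rule for the other address family never matches (IPv6 client vs
        # IPv4 rule), so "::1" falls through to "deny all" here.
        if ip.version == net.version and ip in net:
            return action == "allow"
    return True


# Constructed htpasswd content in the {SHA} form nginx accepts (base64 of an
# unsalted SHA-1). Used here only because it is reproducible without libcrypt;
# generate real files with htpasswd or "openssl passwd -apr1".
HTPASSWD_TEXT = "alice:{SHA}" + base64.b64encode(
    hashlib.sha1(b"correct horse").digest()).decode() + "\n"


def load_htpasswd(text):
    """Parse user:hash lines; blank lines and comments are ignored."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            user, _, digest = line.partition(":")
            users[user] = digest
    return users


def basic_auth_ok(users, user, password):
    """Verify a username/password pair against the parsed {SHA} entries."""
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return False
    computed = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], computed)


def access_status(client_ip, credentials, users, satisfy="all"):
    """HTTP status the request gets under "satisfy all" or "satisfy any".
    credentials is (user, password) or None for an unauthenticated request.
    nginx runs the allow/deny check before auth_basic, so under "satisfy any"
    a request failing both gets auth_basic's 401 (with WWW-Authenticate) and
    can retry with a password; under "satisfy all" a denied address is refused
    with 403 before the password is looked at."""
    by_ip = ip_allowed(client_ip)
    by_auth = credentials is not None and basic_auth_ok(users, *credentials)
    if satisfy == "any":
        return 200 if (by_ip or by_auth) else 401
    if not by_ip:
        return 403
    return 200 if by_auth else 401


if __name__ == "__main__":
    users = load_htpasswd(HTPASSWD_TEXT)
    for ip in ("192.168.1.2", "192.168.1.50", "127.0.0.1", "10.0.0.1", "::1"):
        print(ip, "allowed" if ip_allowed(ip) else "denied")
    for mode in ("all", "any"):
        for ip, creds in (("10.0.0.1", None),
                          ("10.0.0.1", ("alice", "correct horse")),
                          ("192.168.1.50", None)):
            print("satisfy %s: %s %s -> %d" % (
                mode, ip, "with creds" if creds else "anonymous",
                access_status(ip, creds, users, mode)))
```

The ordering point is the one worth remembering when reading a real configuration: moving the deny 192.168.1.2 line below allow 192.168.1.0/24 would silently let that host in, and removing deny all would let every unlisted address in.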

Limiting Access

It is possible to limit:

  • The number of connections per key value (for example, per IP address)
  • The request rate per key value (the number of requests that are allowed to be processed during a second or minute)
  • The download speed for a connection

Note that IP addresses can be shared behind NAT devices, so limiting by IP address should be used judiciously.

Limiting the Number of Connections

To limit the number of connections, first use the limit_conn_zone directive to define the key and set the parameters of the shared memory zone (the worker processes use this zone to share the counters for key values). As the first parameter, specify the expression that is evaluated as the key. In the second parameter, zone, specify the name of the zone and its size.

limit_conn_zone $binary_remote_addr zone=addr:10m;

The binary form of the client address is used instead of $remote_addr because it has a fixed length (4 bytes for IPv4, 16 for IPv6), so a zone of a given size holds more distinct keys. If the zone runs out of space, NGINX evicts the oldest entries and, when it still cannot allocate a new one, rejects the request with the same error as an exceeded limit.

Second, use the limit_conn directive to apply the limit within a location, a virtual server, or the whole http context. Specify the name of the shared memory zone as the first parameter and the number of allowed connections per key as the second. A request is counted only once its header has been read, and a request over the limit receives a 503 error (the code can be changed with the limit_conn_status directive).

location /download/ {
    limit_conn addr 1;
}

Here, the number of connections is limited per IP address because the $binary_remote_addr variable is used as the key. The number of connections for a given server can be limited by using the $server_name variable instead:

http {
    limit_conn_zone $server_name zone=servers:10m;

    server {
        limit_conn servers 1000;
    }
}

Limiting the Request Rate

To limit the request rate, first set up the key and the shared memory zone to keep the counters by using the limit_req_zone directive.

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

The key is specified in the same manner as for limit_conn_zone. The rate parameter can be specified in requests per second (r/s) or requests per minute (r/m). The latter is used to specify a rate less than one request per second. For example, to get the rate of half of a request per second set the parameter to 30r/m.

Once the shared memory zone is defined, use the limit_req directive in a virtual server or a location (or globally, if required) to limit the request rate:

location /search/ {
    limit_req zone=one burst=5;
}

Here, NGINX processes no more than one request per second in this location. If the rate is exceeded, the requests above the limit are put into a queue and their processing is delayed so that the overall rate does not exceed the specified value. The burst parameter sets the maximum number of requests that may wait in that queue. For requests above the burst limit, NGINX responds with a 503 error (the code can be changed with the limit_req_status directive, for example to 429).

If delaying is not desired during a burst, add the nodelay parameter. The burst slots are still counted, but requests that fit within them are processed immediately instead of being queued, and only requests above the burst are rejected. Since NGINX 1.15.7 the delay parameter offers a middle ground: the given number of excessive requests is served immediately and the rest of the burst is delayed.

limit_req zone=one burst=5 nodelay;
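What rate, burst, nodelay and delay= do to a burst of requests, as an added example that is not part of the NGINX documentation: a Python model of the leaky-bucket accounting behind limit_req (one counter of excess requests per key, drained at the configured rate), run against a constructed burst from a single made-up client address. Time is a float in seconds here, whereas NGINX keeps integer milliseconds and thousandths of a request, which only changes rounding; the address 203.0.113.7 and the request timings are constructed for the example.

```python
class LimitReqZone:
    """Model of one limit_req zone: excess requests per key, drained at `rate`."""

    def __init__(self, rate, burst=0, nodelay=False, delay=0):
        # rate: requests per second ("30r/m" is rate=0.5); burst/delay: requests
        self.rate = float(rate)
        self.burst = float(burst)
        # Requests whose excess is at or below this threshold are served at
        # once; nodelay raises it to burst, the delay= parameter sets it.
        self.delay_threshold = self.burst if nodelay else float(delay)
        self.state = {}  # key (e.g. $binary_remote_addr) -> [excess, last_time]

    def request(self, key, now):
        """Return ('ok', 0.0), ('delayed', seconds) or ('rejected', 0.0)
        for one request arriving at time `now` (seconds) under `key`."""
        entry = self.state.get(key)
        if entry is None:
            # A key seen for the first time starts with no excess at all,
            # so the first request is always served immediately.
            self.state[key] = [0.0, now]
            return ("ok", 0.0)
        excess, last = entry
        # The bucket drains at `rate` requests per second since the last
        # request and this request adds one more; it never goes negative.
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            # Over burst: nginx answers 503 (limit_req_status) and does not
            # record the request, so a rejected flood does not grow the backlog.
            return ("rejected", 0.0)
        entry[0], entry[1] = excess, now
        if excess <= self.delay_threshold:
            return ("ok", 0.0)
        # Excess above the threshold is paid for by waiting; at 1 r/s the
        # n-th queued request waits n seconds.
        return ("delayed", (excess - self.delay_threshold) / self.rate)


def simulate_burst(count=8, rate=1.0, burst=5, nodelay=False, delay=0):
    """Fire `count` requests from one constructed client at the same instant
    and return the verdicts in order."""
    zone = LimitReqZone(rate, burst, nodelay, delay)
    return [zone.request("203.0.113.7", 0.0) for _ in range(count)]


if __name__ == "__main__":
    for label, opts in (("rate=1r/s burst=5", {}),
                        ("rate=1r/s burst=5 nodelay", {"nodelay": True}),
                        ("rate=1r/s burst=5 delay=3", {"delay": 3})):
        print(label)
        for i, (verdict, wait) in enumerate(simulate_burst(**opts), 1):
            extra = " %.0fs" % wait if wait else ""
            print("  request %d: %s%s" % (i, verdict, extra))
```

Two things the model makes visible that the directives alone do not: a burst of 5 admits six requests at once (the first request of a fresh key carries no excess), and rejected requests are not recorded, so a client hammering the server does not push its own recovery further into the future. Note that NGINX 1.15.7 or later is needed for the delay= variant.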

Limiting the Bandwidth

To limit the bandwidth per connection, use the limit_rate directive:

location /download/ {
    limit_rate 50k;
}

With this setting a client can download content through a single connection at a maximum speed of 50 kilobytes per second. However, the client can open several connections, so if the goal is to cap the total download speed of a client rather than of one connection, the number of connections must also be limited. For example, one connection per IP address (using the shared memory zone defined above):

location /download/ {
    limit_conn addr 1;
    limit_rate 50k;
}

To impose the limit only after the client has downloaded a certain amount of data, use the limit_rate_after directive. It can be reasonable to let a client quickly fetch the first part of a file (for example, the header or index of a video, which a player needs before it can start) and to limit the rate for the rest of the data (so that users watch the film rather than download it):

limit_rate_after 500k;
limit_rate 20k;

The following example shows the combined configuration for limiting the number of connections and the bandwidth. The maximum allowed number of connections is set to 5 per client address, which fits most common cases since browsers open only a few parallel connections to a host at a time. The location that serves downloads narrows this to one connection per address and, once the first megabyte has been sent at full speed, throttles that connection to 50 kilobytes per second; directives at the inner level replace the values inherited from the server level:

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    server {
        root /www/data;
        limit_conn addr 5;

        location / {
        }

        location /download/ {
            limit_conn addr 1;
            limit_rate_after 1m;
            limit_rate 50k;
        }
    }
}