This section explains how to set the maximum number of requests for a connection, or the maximum rate of downloading content from the server.

Introduction

Using NGINX and NGINX Plus, it is possible to limit:

  • The number of connections per key value (for example, per IP address)
  • The request rate per key value (the number of requests that are allowed to be processed during a second or minute)
  • The download speed for a connection

Note that IP addresses can be shared behind NAT devices, so limiting by IP address should be used judiciously.

Limiting the Number of Connections

To limit the number of connections, first use the limit_conn_zone directive to define the key and set the parameters of the shared memory zone (the worker processes use this zone to share counters for key values). As the first parameter, specify the expression evaluated as a key. In the second parameter, zone, specify the name of the zone and its size.

limit_conn_zone $binary_remote_addr zone=addr:10m;

Second, use the limit_conn directive to apply the limit within a location, a virtual server, or the whole http context. Specify the name of the shared memory zone as the first parameter, and the number of allowed connections per key as the second.

location /download/ {
    limit_conn addr 1;
}

Here, the number of connections is limited on an IP address basis because the $binary_remote_addr variable is used as a key. The number of connections for a given server can be limited by using the $server_name variable:

http {
    limit_conn_zone $server_name zone=servers:10m;

    server {
        limit_conn servers 1000;
    }
}

Limiting the Request Rate

To limit the request rate, first, set up the key and the shared memory zone to keep the counters by using the limit_req_zone directive.

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

The key is specified in the same manner as for limit_conn_zone. The rate parameter can be specified in requests per second (r/s) or requests per minute (r/m). The latter is used to specify a rate less than one request per second. For example, to get the rate of half of a request per second set the parameter to 30r/m.

Once the shared memory zone is defined, use the limit_req directive in a virtual server or a location (or globally, if required) to limit the request rate:

location /search/ {
    limit_req zone=one burst=5;
}

Here, NGINX will process no more than one request per second in this location. If the rate is exceeded, the requests above the limit are put into a queue and their processing is delayed so that the overall rate does not exceed the specified value. The burst parameter sets the maximum number of requests that can wait in the queue. For requests above the burst limit, NGINX will respond with a 503 error.

If delaying is not desired during a burst, add the nodelay parameter.

limit_req zone=one burst=5 nodelay;
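
The effect of rate, burst and nodelay on a burst of traffic can be replayed offline. The following Python sketch is an added example, not NGINX code and not part of the original documentation; it is a simplified leaky-bucket model of limit_req for a single key, and the names simulate_limit_req, summarize and SAMPLE are made up for the illustration.

```python
# Simplified model of limit_req for one key (added example, not NGINX source).
from dataclasses import dataclass


@dataclass
class Decision:
    t: float       # arrival time, seconds
    status: int    # 200 = passed on, 503 = rejected
    delay: float   # seconds the request waits in the queue


def simulate_limit_req(arrivals, rate, burst=0, nodelay=False):
    """Replay arrival times against rate (requests/second) and burst."""
    decisions = []
    excess = 0.0   # requests currently held above the steady rate
    last = None    # arrival time of the last accepted request
    for t in sorted(arrivals):
        if last is None:
            new_excess = 0.0
        else:
            # The bucket drains at `rate`; every request adds one unit.
            new_excess = max(0.0, excess - rate * (t - last) + 1.0)
        if new_excess > burst:
            # Over the burst limit: rejected, counters stay unchanged.
            decisions.append(Decision(t, 503, 0.0))
            continue
        excess, last = new_excess, t
        delay = 0.0 if nodelay else new_excess / rate
        decisions.append(Decision(t, 200, delay))
    return decisions


def summarize(decisions):
    """Return (passed, rejected, longest delay in seconds)."""
    passed = [d for d in decisions if d.status == 200]
    longest = max((d.delay for d in passed), default=0.0)
    return len(passed), len(decisions) - len(passed), longest


# Constructed input: one client sends 8 requests at t=0 and one more at t=3.
SAMPLE = [0.0] * 8 + [3.0]

if __name__ == "__main__":
    for nodelay in (False, True):
        result = simulate_limit_req(SAMPLE, rate=1.0, burst=5, nodelay=nodelay)
        for d in result:
            print(f"nodelay={nodelay} t={d.t:.0f}s {d.status} delay={d.delay:.0f}s")
        print("passed, rejected, longest delay:", summarize(result))
```

In this model, a rate of 1r/s with burst=5 lets six of the eight simultaneous requests through (one immediately and five queued), and nodelay changes only how long the accepted requests wait, not how many are rejected.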

Limiting the Bandwidth

To limit the bandwidth per connection, use the limit_rate directive:

location /download/ {
    limit_rate 50k;
}

With this setting, a client will be able to download content through a single connection at a maximum speed of 50 kilobytes per second. However, the client can open several connections. So if the goal is to prevent the client from downloading faster than the specified value, the number of connections should also be limited. For example, one connection per IP address (if the shared memory zone specified above is used):

location /download/ {
    limit_conn addr 1;
    limit_rate 50k;
}

To impose the limit only after the client has downloaded a certain amount of data, use the limit_rate_after directive. It may be reasonable to allow a client to quickly download a certain amount of data (for example, a file header, such as a film index) and limit the rate for downloading the rest of the data (so that users watch a film rather than download it).

limit_rate_after 500k;
limit_rate 20k;

The following example shows the combined configuration for limiting the number of connections and the bandwidth. The maximum allowed number of connections is set to 5 connections per client address, which fits most common cases since modern browsers typically open up to 3 connections at a time. Meanwhile the location that serves downloads allows only one connection:

http {
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    server {
        root /www/data;
        limit_conn addr 5;

        location / {
        }

        location /download/ {
            limit_conn addr 1;
            limit_rate_after 1m;   # first 1 MB is sent at full speed
            limit_rate 50k;        # the rest is limited to 50 KB/s
        }
    }
}