
[nginx] Using User-Agent & IP address to rate limit

July 28, 2014 11:35AM
Nginx novice here - after spending some time here, reading through other community forums, and trial and error, I'm looking for confirmation on my current Nginx config and/or suggestions on a better Nginx config. The end goal is to use both the IP address and User-Agent to rate limit requests being proxied to an external API. Currently the config sets zones with their respective rate limits and bursts using the IP address as the key. Inside the main location directive the User-Agent is read and, based on the User-Agent, the URI is rewritten to the location with the appropriate zone.

    http {
        include mime.types;
        default_type application/octet-stream;

        limit_req_zone $binary_remote_addr zone=one:10m rate=136r/s;
        limit_req_zone $binary_remote_addr zone=two:10m rate=150r/s;
        limit_req_zone $binary_remote_addr zone=three:10m rate=160r/s;
        limit_req_zone $binary_remote_addr zone=four:10m rate=30r/m;

        # log_format is only allowed in the http context, so the three
        # formats are declared here and referenced by name from each location.
        log_format java '$remote_addr - $remote_user [$time_local]' '"$request" | STATUS: $status | BODY BYTES: $body_bytes_sent |' '"$http_referer" "$http_user_agent"| GET PARAMS: $args | REQ BODY: $request_body';
        log_format python '$remote_addr - $remote_user [$time_local]' '"$request" | STATUS: $status | BODY BYTES: $body_bytes_sent |' '"$http_referer" "$http_user_agent"| GET PARAMS: $args | REQ BODY: $request_body';
        log_format etc '$remote_addr - $remote_user [$time_local]' '"$request" | STATUS: $status | BODY BYTES: $body_bytes_sent |' '"$http_referer" "$http_user_agent"| GET PARAMS: $args | REQ BODY: $request_body';

        sendfile on;

        keepalive_timeout 65;

        server {
            listen 443;
            server_name localhost;

            ssl on;
            ssl_certificate /etc/nginx/ssl/nginx.crt;
            ssl_certificate_key /etc/nginx/ssl/nginx.key;

            ssl_session_timeout 5m;
            ssl_protocols SSLv2 SSLv3 TLSv1;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;

            proxy_ssl_session_reuse off;
            large_client_header_buffers 4 32K;

            # Requests rewritten here from "location /" for the Java client
            location /java {
                limit_req zone=one burst=140;

                access_log /var/log/nginx-access.log java;
                proxy_pass https://example.com/;
            }

            # Requests rewritten here from "location /" for the python client
            location /python {
                limit_req zone=two burst=140;
                #echo "You made it here with: " $request_body "and this: " $args "and this: " $uri "and this: " $1;

                access_log /var/log/nginx-access.log python;
                proxy_pass https://example.com/;
            }

            # Requests rewritten here when the User-Agent header is empty
            location /etc {
                limit_req zone=four burst=1;

                access_log /var/log/nginx-access.log etc;
                proxy_pass https://example.com/;
            }

            location / {
                root html;
                index index.html index.htm;

                # Pick the rate-limited location based on the User-Agent
                if ($http_user_agent = Java/1.6.0_65) {
                    rewrite ^(.*)$ /java$uri last;
                }

                if ($http_user_agent = python) {
                    rewrite ^(.*)$ /python$uri last;
                }

                if ($http_user_agent = "") {
                    rewrite ^(.*)$ /etc$uri last;
                }
            }

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
        }
    }

The concern here is if there is a way to redirect the rewritten URI without having to break out and start processing the request again (argument last)? Additionally, is the setting of zones using the IP address as the key the proper way to control these different rate limiting and burst thresholds?
lorenanicole July 28, 2014 11:35AM
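
An added example, not part of the original post and not nginx project code: one way to apply per-User-Agent limits keyed on the client IP without the rewrite. Each map yields an empty key for requests outside its class, and limit_req_zone does not account requests whose key is empty. The $limit_* variable names are assumptions; the zones, rates, bursts and User-Agent strings are the post's. Unlike the post's config, every request here is proxied, and other User-Agents are not limited.

```nginx
http {
    # One key per client class: the client address when the User-Agent
    # matches, otherwise an empty string (request is not counted in that zone).
    # $limit_java, $limit_python and $limit_noua are hypothetical names.
    map $http_user_agent $limit_java {
        default          "";
        "Java/1.6.0_65"  $binary_remote_addr;
    }
    map $http_user_agent $limit_python {
        default          "";
        "python"         $binary_remote_addr;
    }
    map $http_user_agent $limit_noua {
        default          "";
        ""               $binary_remote_addr;   # header missing or empty
    }

    # Same zone names and rates as in the post, keyed on the mapped variables.
    limit_req_zone $limit_java   zone=one:10m  rate=136r/s;
    limit_req_zone $limit_python zone=two:10m  rate=150r/s;
    limit_req_zone $limit_noua   zone=four:10m rate=30r/m;

    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate     /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        location / {
            # All three limits are evaluated in place; only the zone whose
            # key is non-empty for this request actually applies.
            limit_req zone=one  burst=140;
            limit_req zone=two  burst=140;
            limit_req zone=four burst=1;

            proxy_pass https://example.com/;
        }
    }
}
```

The User-Agent header is chosen by the client, so it selects which limit applies but is not an identity; the IP-keyed zone is what bounds each client within a class.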
