
[RATELIMITING] Do you expose an API through Nginx and you want | LinuxCheatSheet

[RATELIMITING] Do you expose an API through Nginx and want to limit abuse or rate-limit it for any reason?
Try the limit_req module: http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
There are plenty of examples of how to implement it with $binary_remote_addr, that is, limiting by remote IP address. This applies the same traffic limit to each incoming IP. But even more powerful is the possibility of replacing $binary_remote_addr with virtually any variable that Nginx exposes: http://nginx.org/en/docs/varindex.html
I find it especially useful to throttle by a particular HTTP header (look at the $http_ variables in the docs), for example when a header exchanged with the application identifies a unique user, so that rate limiting is split by user and not by remote IP address (which in some cases, e.g. a residential network connection, can be shared by more than one user).
It is also very useful to combine rate limiting with the URL of a login page to limit incoming password attempts (even before they are sent to the underlying application, thus preventing a brute-force attack).
Check out the official documentation here: https://www.nginx.com/blog/rate-limiting-nginx/
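
A configuration sketch of the two ideas above (per-user throttling by header and a strict limit on the login URL), added here as an example and not taken from the original post. The header name X-Api-Key, the zone names, rates, paths and the upstream address are all assumptions.

```nginx
# Added example: header name, zone names, rates, paths and upstream are assumptions.
events {}

http {
    # Baseline zone keyed on the client IP address.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=20r/s;

    # Per-user zone keyed on a request header (hypothetical X-Api-Key).
    # limit_req does not account requests whose key is empty, so a request
    # sent without this header is NOT limited by this zone. The header is
    # also client-controlled, which is why /api/ keeps the per_ip zone too.
    limit_req_zone $http_x_api_key zone=per_user:10m rate=5r/s;

    # Much stricter zone for password attempts: 5 requests per minute per IP.
    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

    # Answer throttled requests with 429 instead of the default 503.
    limit_req_status 429;

    upstream app_backend {
        server 127.0.0.1:8080;   # placeholder application address
    }

    server {
        listen 80;

        location /api/ {
            # Several limit_req directives may apply to one location;
            # a request must pass all of them.
            limit_req zone=per_user burst=10 nodelay;
            limit_req zone=per_ip   burst=40 nodelay;
            proxy_pass http://app_backend;
        }

        location = /login {
            # Excess attempts are rejected by Nginx and never reach the app.
            limit_req zone=login burst=3 nodelay;
            proxy_pass http://app_backend;
        }
    }
}
```

Validate the file with `nginx -t -c /path/to/this.conf` before reloading.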

I hope you like it! Share the channel with your friends: http://t.me/linuxcheatsheet
Bye
G.