dynamic_limit_req
The dynamic_limit_req directive controls the rate of incoming requests to prevent abuse by dynamically locking IPs based on their request patterns.
Description
The dynamic_limit_req directive is part of the ngx_dynamic_limit_req_module, used for managing request rates per IP address dynamically. This directive effectively mitigates potential abuses by defining a rate limit that will throttle requests exceeding a specified threshold. It maintains a shared memory zone to track state information, including the current count of excessive requests for different keys (e.g., IP addresses). When a request exceeds the defined rate of requests allowed, the module implements a delay on the excessive requests (if nodelay is not specified) which are held back before they're processed. If the number of excessive requests surpasses the burst threshold, they can also be rejected outright, resulting in a configured HTTP status code response, ensuring that only requests that comply with the defined limits are processed timely.
This directive supports three arguments: the specified shared memory zone, an optional burst parameter that dictates the maximum number of requests that can come in a burst, and optionally, a delay parameter that sets a specific delay for the handling of requests that exceed the rate limits. This flexibility allows complex rate limiting policies that can significantly enhance service availability while ensuring fairness among users.
Config Example
http {
dynamic_limit_req_zone $binary_remote_addr zone=my_limit:10m rate=5r/s;
server {
location /api {
dynamic_limit_req zone=my_limit burst=10;
}
}
}Ensure the specified shared memory zone has been defined using the dynamic_limit_req_zone directive.
Misconfiguration of the burst and rate can either lead to unnecessary throttling or insufficient protection from abusive behavior.
The delay settings may complicate request handling, possibly leading to increased latency for users if not monitored correctly.