Implementing Connection Rate Limiting in Nginx and Apache
Rate limiting is a critical defense mechanism for any Hovixa VPS. By restricting the number of requests or connections a single client (IP address) can make within a specific timeframe, you can mitigate brute-force attacks, DDoS attempts, and scraper bots that would otherwise exhaust your CPU and RAM. Below is the technical implementation for the two most common web servers.
1. Rate Limiting in Nginx
Nginx rate-limits requests with the ngx_http_limit_req_module. It uses the leaky bucket algorithm: requests may arrive in bursts, but they are passed on at a steady, configured rate.
Implementation Steps:
- Define the Zone: Inside the `http` block of `nginx.conf`, define a shared memory zone to store states for IP addresses.
- Apply to Location: Reference that zone within a specific `server` or `location` block.
```nginx
# 1. In the http block:
# Define a 10MB zone named 'mylimit' allowing 5 requests per second
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;

# 2. In the server/location block:
location /login/ {
    limit_req zone=mylimit burst=10 nodelay;
    proxy_pass http://my_app;
}
```
The burst parameter allows a client to exceed the rate temporarily (up to 10 requests above it), while nodelay means those burst requests are served immediately instead of being queued down to the configured rate; anything beyond the burst is rejected.
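To make the interaction of rate, burst and nodelay concrete, here is an added example (not code from the original article or from nginx) that models the per-client accounting the limit_req module performs: each request adds one unit of "excess", the excess drains at the configured rate, a request whose excess would exceed burst is rejected, and without nodelay an over-rate request is delayed by excess/rate seconds. Times are assumed to be seconds as floats and the client key is assumed to be a string such as the remote address; a client seen for the first time always passes.

```python
from dataclasses import dataclass, field


@dataclass
class ClientState:
    last: float     # time of the last accounted (non-rejected) request
    excess: float   # requests above the steady rate, in request units


@dataclass
class LimitReq:
    """Simplified model of nginx limit_req accounting for one zone."""
    rate: float             # steady rate in requests per second (5r/s -> 5)
    burst: int = 0          # extra requests a client may have outstanding
    nodelay: bool = False   # serve burst requests at once instead of queueing
    states: dict = field(default_factory=dict)

    def request(self, client: str, now: float):
        """Return (decision, delay_seconds); decision is pass, delay or reject."""
        st = self.states.get(client)
        if st is None:
            # New client: zero excess, so the request is always accepted.
            self.states[client] = ClientState(last=now, excess=0.0)
            return "pass", 0.0
        # Leaky bucket: excess drains at `rate` per second, each request adds one.
        excess = max(0.0, st.excess - self.rate * (now - st.last) + 1.0)
        if excess > self.burst:
            # Rejected requests are not accounted, so they do not extend the block.
            return "reject", 0.0
        st.excess, st.last = excess, now
        if excess > 0 and not self.nodelay:
            # Held back until the bucket would have drained enough to admit it.
            return "delay", excess / self.rate
        return "pass", 0.0


def simulate(rate, burst, nodelay, arrivals):
    """Feed (client, time) arrivals through one zone; return counts per decision."""
    lim = LimitReq(rate=rate, burst=burst, nodelay=nodelay)
    counts = {"pass": 0, "delay": 0, "reject": 0}
    for client, t in arrivals:
        decision, _ = lim.request(client, t)
        counts[decision] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: one client fires 15 requests at t=0, then one more a second later.
    burst_traffic = [("203.0.113.5", 0.0)] * 15 + [("203.0.113.5", 1.0)]
    # rate=5r/s burst=10 nodelay: 1 + 10 burst requests pass, 4 are rejected,
    # and a second later the bucket has drained enough to admit the next one.
    print(simulate(5, 10, True, burst_traffic))
    # Same traffic without nodelay: the burst requests are delayed, not rejected.
    print(simulate(5, 10, False, burst_traffic))
```

The second run shows why nodelay matters for a login endpoint: without it, a burst of 15 form posts is queued and served at 5r/s, which keeps the backend busy for two seconds, whereas with nodelay the legitimate burst is served at once and the rest is refused immediately.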
2. Rate Limiting in Apache
Apache provides rate limiting via the mod_ratelimit and mod_evasive modules. While mod_ratelimit manages bandwidth, mod_evasive is the primary tool for request-based limiting.
Configuring mod_evasive:
On a Hovixa VPS running Ubuntu/Debian, install the module first: `sudo apt install libapache2-mod-evasive`. Then edit the configuration file (usually `/etc/apache2/mods-enabled/evasive.conf`).
```apache
<IfModule mod_evasive24.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSPageInterval 1
    DOSSiteCount 50
    DOSSiteInterval 1
    DOSBlockingPeriod 10
</IfModule>
```
Key Directives:
- DOSPageCount: Max requests for a single page per interval.
- DOSSiteCount: Max total requests for the entire site per interval.
- DOSBlockingPeriod: How long (in seconds) the IP will be blocked if it hits the limit.
3. Performance and Error Handling
| Feature | Nginx | Apache |
|---|---|---|
| Default Error | 503 Service Unavailable | 403 Forbidden |
| Memory Usage | Extremely efficient (Shared memory zones) | Depends on Hash Table size |
| Granularity | High (Can limit by any variable) | Moderate (Typically IP-based) |
4. Technical Implementation Details
- Binary Remote Addr: In Nginx, using `$binary_remote_addr` instead of `$remote_addr` reduces the state size from ~64 bytes to 4 bytes for IPv4, allowing you to store much more data in a small memory zone.
- Whitelisting: Always whitelist your own IP and monitoring services (e.g., UptimeRobot) to prevent accidental lockouts. In Nginx, this is done using the `geo` and `map` modules.
- Logging: Rate-limited requests are logged. In Nginx, use `limit_req_log_level warn;` to track potential attacks without flooding your error logs.
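Once limit_req_log_level is set, the error log becomes a detection source. The following added example (not from the original article) parses constructed error-log lines in the shape nginx writes for rejected ("limiting requests") and delayed ("delaying request") requests, and reports the clients that were rejected repeatedly. The sample lines, the threshold and the addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: what the nginx error log looks like at limit_req_log_level warn,
# with one unrelated error line mixed in to show that it is ignored.
SAMPLE_ERROR_LOG = """\
2024/05/01 12:00:01 [warn] 1234#1234: *56 limiting requests, excess: 10.500 by zone "mylimit", client: 203.0.113.5, server: example.com, request: "POST /login/ HTTP/1.1", host: "example.com"
2024/05/01 12:00:01 [warn] 1234#1234: *57 limiting requests, excess: 11.200 by zone "mylimit", client: 203.0.113.5, server: example.com, request: "POST /login/ HTTP/1.1", host: "example.com"
2024/05/01 12:00:02 [notice] 1234#1234: *58 delaying request, excess: 0.800, by zone "mylimit", client: 198.51.100.7, server: example.com, request: "GET /login/ HTTP/1.1", host: "example.com"
2024/05/01 12:00:03 [error] 1234#1234: *59 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
2024/05/01 12:00:04 [warn] 1234#1234: *60 limiting requests, excess: 10.100 by zone "mylimit", client: 203.0.113.5, server: example.com, request: "POST /login/ HTTP/1.1", host: "example.com"
"""

# The rejected and delayed messages differ only by a comma after the excess value.
LIMIT_RE = re.compile(
    r'(?P<action>limiting requests|delaying request), excess: (?P<excess>\d+\.\d+),? '
    r'by zone "(?P<zone>[^"]+)", client: (?P<client>[^,]+)'
)


def parse_limit_events(log_text):
    """Extract every limit_req event as a dict; other error-log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            events.append({
                "action": m.group("action"),
                "excess": float(m.group("excess")),
                "zone": m.group("zone"),
                "client": m.group("client").strip(),
            })
    return events


def rejected_clients(log_text, threshold=2):
    """Clients rejected at least `threshold` times, most frequent first."""
    hits = Counter(
        e["client"] for e in parse_limit_events(log_text)
        if e["action"] == "limiting requests"
    )
    return [(ip, n) for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in rejected_clients(SAMPLE_ERROR_LOG):
        print(f"{ip} rejected {n} times")
```

Delayed requests are deliberately left out of the offender list: a client that is briefly over the rate and accepts the delay is behaving normally, whereas repeated rejections on the login path are what you would want to alert on or feed into a firewall block.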
Sysadmin Advice: Use **429 Too Many Requests** as your status code in Nginx (`limit_req_status 429;`). It is semantically more accurate than 503 and helps search engine crawlers understand that they should slow down rather than assuming the server is down.
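Putting the whitelisting, logging and status advice together, here is an added example configuration (not from the original article) showing how geo and map exempt trusted addresses: nginx does not account requests whose zone key is empty, so mapping trusted clients to an empty key takes them out of the limit entirely. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for your own IP and a monitoring provider's range; `my_app` is the upstream from the earlier snippet.

```nginx
http {
    # 1 = trusted client that must never be rate-limited, 0 = everyone else
    geo $limit_exempt {
        default          0;
        203.0.113.10/32  1;   # your own address (placeholder)
        198.51.100.0/24  1;   # monitoring service range (placeholder)
    }

    # Trusted clients get an empty key, so their requests are not counted in the zone
    map $limit_exempt $limit_key {
        0 $binary_remote_addr;
        1 "";
    }

    limit_req_zone $limit_key zone=mylimit:10m rate=5r/s;
    limit_req_status 429;       # 429 Too Many Requests instead of the default 503
    limit_req_log_level warn;   # rejections logged at warn, delays one level lower (notice)

    server {
        listen 80;
        server_name example.com;

        location /login/ {
            limit_req zone=mylimit burst=10 nodelay;
            proxy_pass http://my_app;
        }
    }
}
```

Check the result with `nginx -t` before reloading, and confirm from a whitelisted address that repeated requests to /login/ never produce a 429 while an ordinary client does after the burst is used up.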