Maurício Giordano

Use NGINX Rate Limiting with tokens

I need to limit access to our API to 10 requests / second.

This is the zone I'm using based on their documentation:

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

This zone uses the user's IP address as the identifier for the rate limit. Often, people use the same IP address to access our systems.

I'm wondering if it's possible to use the user's tokenID as the identifier for the rate limit. All of our requests contain a tokenID parameter in the URL: www.example.com/api/events/?tokenID=*****.

Any clues?

Thanks.

UPDATE

I tried creating the zone: limit_req_zone "$tokenid" zone=limit:10m rate=1r/s; (1 r/s for testing) and extracting the $tokenid variable like this:

# Zone keyed on the custom $tokenid variable (1 r/s for testing).
limit_req_zone "$tokenid" zone=limit:10m rate=1r/s;

server {
   ...

   location ~ \.php {
      ...
      # Pull the tokenID query argument out of $args with a regex
      # and copy the first capture group into $tokenid.
      if ($args ~* "tokenID=([^&]+)") {
          set $tokenid "$1";
      }
      ...
   }
}

The variable $tokenid does contain the exact token (tested adding a header to the response), but it does not seem to update its value used by limit_req_zone.

Upvotes: 3

Views: 5069

Answers (1)

Maurício Giordano

The suggestion made by @TarunLalwani actually works.

I should use $arg_tokenID instead of extracting it from the URI and setting into a variable.

The final config file looks like this:

# Key the zone directly on the tokenID query argument. $arg_tokenID is
# nginx's built-in variable for a URL parameter, so no regex or set is needed.
limit_req_zone "$arg_tokenID" zone=limit:10m rate=10r/s;

server {
   ...
   # Apply the zone; burst=10 queues up to 10 requests above the rate before rejecting.
   limit_req zone=limit burst=10;
   ...
}

Upvotes: 6
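One caveat worth adding to the accepted answer: the nginx documentation for limit_req_zone states that requests with an empty key value are not accounted. With the zone keyed on $arg_tokenID alone, any request that simply omits the tokenID parameter is never rate limited at all. The configuration below is an added example, not code from the original question or answer, and it closes that gap with a map that falls back to the client IP when the parameter is absent. The server name api.example.com, the upstream at 127.0.0.1:9000, the zone name by_token and the variable $ratelimit_key are assumed names for illustration.

```nginx
# Added example (not from the original post). Key the limiter on the tokenID
# query parameter, falling back to the client IP when the parameter is absent:
# nginx skips accounting entirely for requests whose key is empty, so a request
# with no tokenID would otherwise be unlimited.
# Assumed names: api.example.com, upstream 127.0.0.1:9000, zone by_token.

map $arg_tokenID $ratelimit_key {
    ""      $binary_remote_addr;   # no token in the URL: limit per client IP
    default $arg_tokenID;          # otherwise: limit per token
}

# 10 requests/second per key. The state for each key (including the raw
# token string) lives in this 10 MB shared-memory zone, so a longer key
# means fewer keys fit; the nginx docs put a 1 MB zone at roughly
# 16 thousand 64-byte states.
limit_req_zone $ratelimit_key zone=by_token:10m rate=10r/s;

server {
    listen 80;
    server_name api.example.com;

    location /api/ {
        # burst=10 allows short spikes of up to 10 extra requests; nodelay
        # serves them immediately and rejects only what exceeds the bucket
        # instead of queuing them to smooth the rate.
        limit_req zone=by_token burst=10 nodelay;
        limit_req_status 429;        # default is 503; 429 is what API clients expect
        limit_req_log_level warn;    # log rejected requests at warn level
        proxy_pass http://127.0.0.1:9000;
    }
}
```

Validate the file with nginx -t before reloading. Because $ratelimit_key is resolved per request when limit_req runs, no if or set directive is involved and the key is always populated. Keep in mind that the token is a credential: it is stored verbatim in the shared-memory zone and, if the request line is logged, in the access log as well.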
