
nginx rate limiting only on "GET /" requests ?

Discussion in 'System Administration' started by Rake-GH, Feb 23, 2020.

  1. Rake-GH

    Rake-GH Active Member

    I don't need to rate limit the entire site, I just want to rate limit this exact request:

    GET / HTTP/1.1

    Why? Because this is the only request used in DDOS against my site.

    I'm reading up on NGINX Rate Limiting but I haven't figured out how to define this exact request yet

    Any help would be much appreciated
     
  2. Rake-GH

    I figured out the location for that exact query is defined like so:

    Code:
    location = / {
    
    }
    so I got this in global above everything else:

    Code:
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=30r/m;
    and then I have this above my main location / block :

    Code:
    location = / {
    
    #limit_req zone=mylimit;
    
    }
    Seems to work fine, any recommendations or corrections?
     
    Last edited: Feb 23, 2020
  3. eva2000

    eva2000 Administrator Staff Member

    That is usually how you do it, so you can have finer-grained control over which URL paths you rate limit. It's what I do for my forums here as well, i.e. search, recent posts, users online, threads, contact us, and login all have separate Centmin Mod nginx-level rate limits, combined with Cloudflare rate limits for some too.

    see
     
  4. Rake-GH

    Thanks, this is what I'm using now:

    Code:
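    # http {} context: one shared-memory zone per limit, keyed on client IP
    limit_req_zone $binary_remote_addr zone=homepage:10m rate=20r/m;
    limit_req_zone $binary_remote_addr zone=domain:10m rate=200r/m;

    # server {} context: exact match, applies only to requests for "/"
    location = / {
        limit_req zone=homepage burst=40;
    }

    location / {
        # zone name must match a limit_req_zone defined above
        limit_req zone=domain burst=400 nodelay;
        # all the normal stuff
    }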
    
    I got DDoSed twice since setting this up and it blocked both of them; it had no effect, yay.
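
Added example, not part of the thread and not nginx's own code: a simplified Python model of the leaky-bucket accounting behind `limit_req`, run with the rate and burst values from the config above. The class and function names are hypothetical, the arrival times are constructed, and all requests are assumed to come from one client IP.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Zone:
    """State for one key (client IP) in a simplified limit_req model."""
    rate_per_min: int               # 20 for rate=20r/m
    burst: int                      # burst= value
    nodelay: bool = False           # True when the nodelay flag is set
    excess: float = 0.0             # requests currently above the allowed rate
    last_ms: Optional[int] = None   # arrival time of the last accepted request

    def request(self, now_ms):
        """Return (verdict, delay_ms) for one request arriving at now_ms."""
        if self.last_ms is None:
            excess = 0.0            # first request seen for this key
        else:
            # The bucket drains at the configured rate, then this request adds 1.
            leaked = (now_ms - self.last_ms) * self.rate_per_min / 60000
            excess = max(0.0, self.excess - leaked + 1)
        if excess > self.burst:
            return ("rejected", 0)  # nginx answers 503 by default; state unchanged
        self.excess, self.last_ms = excess, now_ms
        # Without nodelay, an accepted excess request waits for its slot.
        delay_ms = 0 if self.nodelay else excess * 60000 / self.rate_per_min
        return ("passed", delay_ms)


def simulate(zone, arrivals_ms):
    """Feed constructed arrival times (ms) to a zone and summarise the outcome."""
    results = [zone.request(t) for t in arrivals_ms]
    delays = [d for verdict, d in results if verdict == "passed"]
    return {"passed": len(delays),
            "rejected": len(results) - len(delays),
            "max_delay_ms": max(delays, default=0)}


if __name__ == "__main__":
    flood = [0] * 100                          # constructed: 100 hits at once
    polite = [i * 3000 for i in range(10)]     # constructed: one hit every 3 s
    print("homepage flood :", simulate(Zone(20, 40), flood))
    print("homepage polite:", simulate(Zone(20, 40), polite))
    print("domain flood   :", simulate(Zone(200, 400, nodelay=True), [0] * 1000))
```

In this model the `homepage` zone lets 41 of the 100 simultaneous requests through and holds the last of them for 120 seconds, because `burst=40` without `nodelay` queues excess requests instead of serving them immediately.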
     
  5. eva2000

    Glad to hear :D
     
  6. Rake-GH

    Been DDoSed 8 times now since implementing this, and they got rate limited every time and had no effect. I also have a neat Cloudflare shell script I'm working on to automate under attack mode under high CPU load; will share when it's finished.
     
  7. pamamolf

    pamamolf Premium Member
    So you are limiting only requests and not connections?
     
  8. Rake-GH

    Correct, I'm still an nginx noob so I'm figuring it out one piece at a time.