How to use rate limiting with nginx-proxy?

[slidenerd]

• There seems to be no documentation whatsoever on how to rate limit using nginx-proxy which I assume has to be a very common use case
• Before you point out, yes I have read the custom vhost.d section and am still not clear about many things
• This is my generated nginx configuration currently that doesn't have rate limiting set
• Let's say I wanted to add the following rate limiter

http {
    # ...
 
    limit_req_zone $limit_key zone=req_zone:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=req_zone_wl:10m rate=15r/s;
 
    server {
        # ...
        location / {
            limit_req zone=req_zone burst=10 nodelay;
            limit_req zone=req_zone_wl burst=20 nodelay;
            # ...
        }
    }
}

• What exactly am I supposed to add inside the vhost.d directory?
• Does it append or overwrite the entire server configuration when you place the limit_req_zone inside?
• Can someone kindly shed some light on this?

[SchoNie]

It helps if you include your docker-compose config. So I can help you with the adjustments needed.
But basically it requires you to map an additional file at /etc/nginx/conf.d in the container. Nginx loads all files ending in .conf in that folder.
In that file, lets call it: ratelimit.conf you can add:

limit_req_zone $limit_key zone=req_zone:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=req_zone_wl:10m rate=15r/s;

That file will be included at http directive level. So the first part of your limit_req_zone is tackled.

To add the ratelimit in the location part, you can read: Per-VIRTUAL_HOST location configuration

It requires you to add a configuration file to /etc/nginx/vhost.d with a specific pattern. For example if your virtual_host is app.example.com the file should be named app.example.com_location

And that file should contain the location limit_req stuff:

limit_req zone=req_zone burst=10 nodelay;
limit_req zone=req_zone_wl burst=20 nodelay;

This file will be included (so appended) in the location block.

[amanank]

This is resulting in errors

forego     | starting dockergen.1 on port 5000
forego     | starting nginx.1 on port 5100
nginx.1    | nginx: [emerg] unknown "limit_key" variable

don't we need the ngx_http_limit_req_module?

I can't see it when I run
nginx -V

nginx version: nginx/1.19.3
built by gcc 8.3.0 (Debian 8.3.0-6)
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.19.3/debian/debuild-base/nginx-1.19.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

[SchoNie]

ngx_http_limit_req_module is part of the Nginx core. No need to build it. (See: --without-http_limit_req_module enabled by default, but you can set a flag to disable it in build)

You are running Nginx 1.19.3 which is dated 29 Sep 2020 and a lot of important security fixes have been implemented. I strongly recommend updating. (and maybe in your version the ngx_http_limit_req_module is missing, I don't know.)

The error you are seeing seems correct: limit_key is not a known variable. Check Module ngx_http_limit_req_module documentation. Do you mean limit_req or limit_req_zone ?

[amanank]

Thanks, I'll try updating to latest version and see if it resolved the issue

I assumed it was complaining about $limit_key in the configuration you posted on your previous comment:

limit_req_zone $limit_key zone=req_zone:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=req_zone_wl:10m rate=15r/s;

[SchoNie]

Ah yes, but my example was specific for Slidenerd (the opener of this discussion). That user already specified that key in it's post and I adjusted the example accordingly. In your case $limit_key is probably not defined. Sorry for that.

You could read Rate Limiting with NGINX and NGINX Plus which shows better configuration examples for you from scratch.

The key defines the request characteristic against which the limit is applied
So in your case you can replace $limit_key by $binary_remote_addr.

[slidenerd]

Apologies @SchoNie this is my docker-compose.yml file

version: '3.9' # optional since v1.27.0
name: ch_api_prod
services:
  ch_api_pro_acme_companion:
    container_name: ch_api_pro_acme_companion
    depends_on:
      - ch_api_pro_docker_gen
      - ch_api_pro_nginx_proxy
    image: nginxproxy/acme-companion
    logging:
      driver: awslogs
      options:
        awslogs-region: us-east-1
        awslogs-group: ch-api-group
        awslogs-stream: ch-api-acme-companion-docker-gen-stream
    networks:
      - network
    restart: always
    volumes:
      - nginx_certs:/etc/nginx/certs:rw
      - acme_script:/etc/acme.sh
      - /var/run/docker.sock:/var/run/docker.sock:ro
    volumes_from:
      - ch_api_pro_nginx_proxy

  ch_api_pro_docker_gen:
    command: -notify-sighup ch_api_pro_nginx_proxy -watch /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf
    container_name: ch_api_pro_docker_gen
    image: jwilder/docker-gen
    labels:
      - 'com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen'
    logging:
      driver: awslogs
      options:
        awslogs-region: us-east-1
        awslogs-group: ch-api-group
        awslogs-stream: ch-api-acme-companion-docker-gen-stream
    networks:
      - network
    restart: always
    volumes:
      - /home/ec2-user/api/docker/production/nginx_server/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro
      - /var/run/docker.sock:/tmp/docker.sock:ro
    volumes_from:
      - ch_api_pro_nginx_proxy

  ch_api_pro_nginx_proxy:
    container_name: ch_api_pro_nginx_proxy
    image: nginx:1.23.4-bullseye
    labels:
      - 'com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy'
    logging:
      driver: awslogs
      options:
        awslogs-region: us-east-1
        awslogs-group: ch-api-group
        awslogs-stream: ch-api-nginx-proxy-stream
    networks:
      - network
    ports:
      - '80:80'
      - '443:443'
    restart: always
    volumes:
      - nginx_conf:/etc/nginx/conf.d
      - nginx_vhost:/etc/nginx/vhost.d
      - nginx_html:/usr/share/nginx/html
      - nginx_certs:/etc/nginx/certs:ro

  ch_api_pro_node:
    build:
      context: ../../
      dockerfile: ./docker/production/node_server/Dockerfile
    container_name: ch_api_pro_node
    environment:
      - ACME_OCSP=true
      - DEBUG=1
      - DEFAULT_EMAIL=ch@gmail.com
      - LETSENCRYPT_EMAIL=ch@gmail.com
      - LETSENCRYPT_HOST=api.ch.com,www.api.ch.com
      # Set this variable to request dummy certificates
      # - LETSENCRYPT_TEST=true
      - VIRTUAL_HOST=api.ch.com,www.api.ch.com
      - VIRTUAL_PORT=21347
    env_file:
      - .env
    image: ch_api_pro_node_image
    logging:
      driver: awslogs
      options:
        awslogs-region: us-east-1
        awslogs-group: ch-api-group
        awslogs-stream: ch-api-node-stream
    networks:
      - network
    restart: 'always'
    ports:
      - '21347:21347'
    volumes:
      - postgres_certs:/certs/postgres

networks:
  network:
    driver: bridge

volumes:
  acme_script:
    driver: local
  nginx_certs:
    driver: local
  nginx_conf:
    driver: local
  nginx_html:
    driver: local
  nginx_vhost:
    driver: local
  postgres_certs:
    driver_opts:
      type: none
      device: /home/ec2-user/api/docker/production/postgres_server_certs
      o: bind
  postgres_data:
    driver: local
  redis_data:
    driver: local

[buchdag]

@slidenerd have you tried what @SchoNie suggested ?

[slidenerd]

hey sorry havent tested yet, my repo has some issues and am working on fixing those, rest assured will come back and update here when done (est time 3-4 weeks more)