How to limit POST request per ip?

Detlef_R · April 5, 2014, 1:54pm

How to limit POST request per ip ?

Need some of:

limit_except POST {
limit_req zone=postlimit burst=10 nodelay;
}

Posted at Nginx Forum:

justcyber · April 6, 2014, 12:08am

Hello!

On Sat, Apr 05, 2014 at 07:54:21AM -0400, justcyber wrote:

How to limit POST request per ip ?

Need some of:

limit_except POST {

Just a side note: “limit_except POST” means the opposite to what
you ask above.

limit_req zone=postlimit burst=10 nodelay;

}

It is possible to limit only subset of requests by using
the fact that limit_req doesn’t limit anything if it’s
variable evaluates to an empty string, see
Module ngx_http_limit_req_module.

That is, instead of

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

we need something like

limit_req_zone $limit zone=one:10m rate=1r/s;

where the $limit variables is empty for non-POST requests (as we
don’t want to limit them), and evaluates to $binary_remote_addr
for POST requests. Such a variable can be easily constructed
using the map module (see Module ngx_http_map_module):

map $request_method $limit {
    default         "";
    POST            $binary_remote_addr;
}

–
Maxim D.
http://nginx.org/

justcyber · May 9, 2014, 6:23am

Hello!

On Tue, May 06, 2014 at 03:16:09PM -0700, Jeroen O. wrote:

A follow-up question: are requests that hit the cache counted in the
limit_req_zone? I would like to enforce a limit on the POST requests
that actually hit the back-end; I don’t mind additional requests that
hit the cache.

Limits are checked (and counted) before a request is passed to a
content handler, hence all requests are counted, both cached and
not. If you want to limit only requests which aren’t cached, you
may do so, e.g., by adding an additional proxy layer with
limit_req.

–
Maxim D.
http://nginx.org/

justcyber · May 7, 2014, 12:17am

On Sat, Apr 5, 2014 at 3:07 PM, Maxim D. [email protected] wrote:

we need something like
limit_req_zone $limit zone=one:10m rate=1r/s;
where the $limit variables is empty for non-POST requests (as we
don’t want to limit them), and evaluates to $binary_remote_addr
for POST requests.

A follow-up question: are requests that hit the cache counted in the
limit_req_zone? I would like to enforce a limit on the POST requests
that actually hit the back-end; I don’t mind additional requests that
hit the cache.