Whitelisting Req/Conn Limiting


I’m want to limit req/connections but have certain requests skip or
whitelisted from the throttling. I’ve found some prior threads that got
this, which I think is working. Here’s just the relevant config. Is
the best/correct way to do this? And if so I don’t really understand
1 “” part of the map block. Can someone explain that? The map docs
(http://nginx.org/en/docs/http/ngx_http_map_module.html#map) aren’t
me figure it out. Thanks!

http {
map $whitelist $limit {
default $binary_remote_addr;
1 “”;

limit_conn_zone $limit zone=conn_limit_per_ip:10m;
limit_req_zone $limit zone=req_limit_per_ip:10m rate=5r/s;

server {
  set $whitelist "";
  if ( $hostname = some_url.com ) {
    set $whitelist 1;

  limit_conn conn_limit_per_ip 10;
  limit_req zone=req_limit_per_ip burst=30 nodelay;


Posted at Nginx Forum:

Gist for easier reading

Posted at Nginx Forum:

1°) To me, the map docs are fairly clear…
In short, the map directive works as follow:

map $foo $bar {
“test1” “value1”


Whenever the value in $foo matches a value of the first column, $bar
be set to the value of the second column, ie:
if $foo = “test1”, then $bar <- “value1”

If $foo matches nothing, then either:

  • there is a special value default in the first column, thus $bar will
    beset to the corresponding value
  • there is no default value, $bar will be set to an empty string

2°) Now for the best way to write that, here are my thoughts:

Considering that:

  • all servers share ‘limit_conn_zone’ and ‘limit_req_zone usage’, except
    for some hostname
  • the ‘if’ directive must be avoided as much as possible
  • ‘limit_conn_zone’ and ‘limit_req_zone’ work in ‘http’ context

I would try the following:

  • put the ‘limit_*_zone’ directives at ‘http’ level, next to the ‘map’
  • use ‘server_name’ in ‘server’ blocks to serve different hostnames
  • put ‘set whitelist 1’ in all whitelisted ‘server’ blocks
  • if necessary (unsure), put ‘set whitelist “”’ at ‘http’ level

B. R.

Thanks for the reply

  1. Your explanation clarified my misunderstanding, much appreciated.

  2. Your suggestion would make a lot of sense. But after reading your
    response, I realized I wrote the check wrong in my example. I’m trying
    whitelist an inbound request from a specific server, not one that Nginx
    serving. Instead of $hostname I should be using $remote_addr and the IP
    the remote server I’m attempting to whitelist from the throttling. i.e.

if ( $remote_addr = XX.XXX.XXX.XXX ) {
set $whitelist 1;

Posted at Nginx Forum:

I am glad my explanations were clear enough, though I doubt I said more
than the docs which, again, seem pretty clear to me.
You could make suggestions on how to improve the docs by quoting what
think would gain to be rephrased better.

Based on my previous advice, you already know that using ‘if’ is
and recommended.
What do you think you could change to match your new needs?
At which level does the check should be done?
How to use variables to make only targeted environments affected by you
contional statement?

You could search archives of the ML on the forum you are using since map
configuration are a recurring question, and your use case has been
addressed multiple times in the past.

To increase your chances to gain help, please provide:

  • details on the process you followed
  • relevant bits of the configuration you achieved which bother you
  • intel about searches/thinking you made
  • precise questions/wondering you have

B. R.