nginx rate limting /login/

Mouth

Well-known member
Is anyone rate limiting /login/ access with nginx and limit_req_zone?

My nginx http section contains;
Code:
limit_req_zone $binary_remote_addr zone=xf-login:10m rate=3r/m;
And my server section contains;
Code:
location = /login/ {
  limit_req zone=xf-login burst=3 nodelay;
}
But I feel the 3 requests per min, even with a burst rate of 3, is too inadequate for XF. Wondering what others are successfully using?
 

Xon

Well-known member
But I feel the 3 requests per min, even with a burst rate of 3, is too inadequate for XF. Wondering what others are successfully using?
FYI, but this is a bit too general. Normal users will hit "/login/csrf-token-refresh" fairly often.

For example; I have the following to block
Code:
    location = /login/csrf-token-refresh {
        include common.d/blockips.conf;
        include common.d/invoke_index.conf;
        fastcgi_pass forum-backend;
    }

    location /login/login {
        include common.d/blockips_reg.conf;
        limit_req zone=register burst=5;
        limit_req_log_level info;
        limit_req_status 429;
        include common.d/invoke_index.conf;
        fastcgi_pass forum-backend;
    }
...
common.d/blockips_reg.conf includes common.d/blockips.conf, and is a bunch of IP's blacklisted from the site or signing up/registering.

common.d/invoke_index.conf looks like:
Code:
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
This basically uses XF's index.php to handle the request without requiring a rewrite lookup.

The 429 return code causes nginx to simply hangup and not even return anything.
 

Mouth

Well-known member
For example; I have the following to block
Thanks, quite helpful.

What have you used for your register zone definition?

The 429 return code causes nginx to simply hangup and not even return anything.
You've patched nginx? I thought it returned a 'too many requests' respond for 429, as default.
 

Xon

Well-known member
Thanks, quite helpful.

What have you used for your register zone definition?
It is fairly standard stuff, nothing complex compared to the location bits.

You've patched nginx? I thought it returned a 'too many requests' respond for 429, as default.
Derp sorry, confusing it with 444, I've got 429 setup to server a static file.
 
Top