
nginx rate limiting /login/

Mouth

Well-known member
#1
Is anyone rate limiting /login/ access with nginx and limit_req_zone?

My nginx http section contains:
Code:
limit_req_zone $binary_remote_addr zone=xf-login:10m rate=3r/m;
And my server section contains:
Code:
location = /login/ {
  limit_req zone=xf-login burst=3 nodelay;
}
But I feel the 3 requests per min, even with a burst rate of 3, is too inadequate for XF. Wondering what others are successfully using?
 

Xon

Well-known member
#4
But I feel the 3 requests per min, even with a burst rate of 3, is too inadequate for XF. Wondering what others are successfully using?
FYI, but this is a bit too general. Normal users will hit "/login/csrf-token-refresh" fairly often.

For example, I have the following to block:
Code:
    location = /login/csrf-token-refresh {
        include common.d/blockips.conf;
        include common.d/invoke_index.conf;
        fastcgi_pass forum-backend;
    }

    location /login/login {
        include common.d/blockips_reg.conf;
        limit_req zone=register burst=5;
        limit_req_log_level info;
        limit_req_status 429;
        include common.d/invoke_index.conf;
        fastcgi_pass forum-backend;
    }
...
common.d/blockips_reg.conf includes common.d/blockips.conf, and is a bunch of IPs blacklisted from the site or from signing up/registering.

common.d/invoke_index.conf looks like:
Code:
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
This basically uses XF's index.php to handle the request without requiring a rewrite lookup.

The 429 return code causes nginx to simply hang up and not even return anything.
 

Xon

Well-known member
#7
Thanks, quite helpful.

What have you used for your register zone definition?
It is fairly standard stuff, nothing complex compared to the location bits.

You've patched nginx? I thought it returned a 'too many requests' response for 429, as default.
Derp, sorry, confusing it with 444. I've got 429 set up to serve a static file.
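Putting the pieces from posts #4 and #7 together, here is an added example configuration (not Xon's or Mouth's actual config): the `register` zone definition that was asked about, the unthrottled csrf-token-refresh location, the throttled /login/login location, and an `error_page` so a 429 serves a static file instead of an empty hangup. The zone size and rate (10m, 10r/m), the `forum-backend` socket path and the `/var/www/static/429.html` page are assumptions; the `common.d/*.conf` includes are the ones shown in the thread.

```nginx
# Added example, not from the thread. Assumed values: zone "register" at 10r/m,
# upstream socket /run/php-fpm.sock, static 429 page under /var/www/static.
http {
    upstream forum-backend {
        server unix:/run/php-fpm.sock;
    }

    # One bucket per client IP. The rate only applies where a location
    # references this zone, so untouched paths are never throttled.
    limit_req_zone $binary_remote_addr zone=register:10m rate=10r/m;

    server {
        listen 80;
        root /var/www/forum;

        # Hit by ordinary users every time a login form is shown or refreshed,
        # so it is deliberately NOT rate-limited (Xon's point in #4).
        location = /login/csrf-token-refresh {
            include common.d/blockips.conf;
            include common.d/invoke_index.conf;
            fastcgi_pass forum-backend;
        }

        # Only the credential-submitting endpoint is throttled: up to 5 requests
        # over the rate are queued, anything beyond that gets a 429.
        location /login/login {
            include common.d/blockips_reg.conf;
            limit_req zone=register burst=5;
            limit_req_log_level info;
            limit_req_status 429;
            include common.d/invoke_index.conf;
            fastcgi_pass forum-backend;
        }

        # Serve a real page on 429 rather than closing the connection (444).
        error_page 429 /429.html;
        location = /429.html {
            root /var/www/static;
            internal;
        }

        # Everything else goes through XF's index.php as in invoke_index.conf.
        location / {
            include common.d/invoke_index.conf;
            fastcgi_pass forum-backend;
        }
    }
}
```

Because `limit_req_zone` keys on `$binary_remote_addr`, users behind a shared NAT or proxy share one bucket; if the forum sits behind a reverse proxy, key on the real client address instead or the limit will hit the proxy's IP.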