Web Servers & Reverse Proxies

Security & Rate Limiting

18 min Lesson 8 of 28

Security & Rate Limiting

A publicly exposed Nginx front-end is the first line of defense for everything behind it. No matter how hardened your application code is, a misconfigured web server leaks version strings to scanners, accepts unlimited request floods, and passes attacker-controlled headers straight to your backend. This lesson covers the four pillars that production teams at large-scale companies treat as non-negotiable: rate limiting, response header hardening, version/fingerprint suppression, and basic WAF-style filtering.

Rate Limiting with limit_req

Nginx implements the leaky-bucket algorithm via the ngx_http_limit_req_module (compiled in by default). You define a shared-memory zone that tracks request rates per key — almost always $binary_remote_addr (the client IP in binary form, 4 bytes per IPv4 address, 16 per IPv6, saving memory vs the string form).

The two directives that work together are:

  • limit_req_zone — declared in the http block, defines the key, zone name, shared memory size, and the target rate.
  • limit_req — applied inside a server or location block, activates the zone and optionally allows a burst queue and nodelay processing.
## /etc/nginx/nginx.conf (http block) http { # 10 MB zone holds ~160,000 IP states (each ~64 bytes) # Rate: 10 requests per second per IP limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s; # Stricter zone for login/auth endpoints limit_req_zone $binary_remote_addr zone=login_limit:5m rate=1r/s; # Return 429 Too Many Requests instead of default 503 limit_req_status 429; # Log rejections at warn level only (avoids flooding error.log) limit_req_log_level warn; } ## /etc/nginx/sites-enabled/app.conf (server block) server { location /api/ { limit_req zone=api_limit burst=20 nodelay; proxy_pass http://app_backend; } location /login { # burst=5: queue up to 5 extra requests # nodelay: serve burst immediately, still count against rate limit_req zone=login_limit burst=5 nodelay; proxy_pass http://app_backend; } }
burst vs nodelay: Without nodelay, burst requests are held in queue and drip out at the defined rate — this adds latency but is invisible to the client. With nodelay, burst requests are served immediately but consume burst slots; once the burst is exhausted, excess requests get a 429. Use nodelay for APIs where latency matters; omit it for rate-sensitive endpoints like auth where you actually want the delay.

In high-traffic deployments running behind a load balancer, $binary_remote_addr will be your LB's IP — every client looks the same. Use $http_x_forwarded_for or $http_x_real_ip instead, but only after validating trusted proxy IPs with set_real_ip_from and real_ip_header — otherwise any client can spoof the header and bypass rate limits entirely.

## Trust only your load balancer's subnet real_ip_header X-Forwarded-For; real_ip_recursive on; set_real_ip_from 10.0.0.0/8; ## Then key the zone on the real client IP limit_req_zone $remote_addr zone=real_api_limit:10m rate=10r/s;
Rate Limiting: leaky-bucket flow Burst of Requests Normal Client limit_req_zone Leaky Bucket Tracks rate / IP Shared memory within rate burst full 429 Too Many Requests Backend / App Nginx limit_req: Leaky-Bucket Rate Limiting
How Nginx rate-limiting zones accept, queue, or reject requests per IP using the leaky-bucket algorithm.

Response Header Hardening

Modern browsers trust response headers as security policy directives. Sending the right headers is one of the highest-leverage, lowest-cost security improvements you can make — a one-line config change that closes entire categories of attack.

## Add to http or server block — applies to all responses add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always; ## Content-Security-Policy — tune per app; start restrictive add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'none';" always; ## HSTS: tell browsers to use HTTPS only for 1 year + subdomains ## WARNING: Only add after TLS is fully working. Hard to undo. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
The always flag matters. Without it, Nginx only adds headers to 2xx responses. Error pages (4xx, 5xx) — which browsers also render — skip the headers. With always, every response gets the protection. Use it unconditionally.

Hiding Nginx Version and Fingerprints

By default, Nginx announces its exact version in the Server response header and in all error pages: nginx/1.24.0. Attackers use this to look up known CVEs and craft targeted exploits before you have time to patch. Suppressing version information is not security-through-obscurity — it meaningfully raises the cost of automated scanning.

## In the http block server_tokens off; # Removes version from Server header and error pages # Server header becomes: "nginx" (no version) ## For complete Server header removal, use the headers_more module: ## (nginx-extras package on Debian/Ubuntu, or compile --add-module) # more_set_headers "Server: "; # Blank the header entirely ## Also suppress PHP version if proxying to PHP-FPM fastcgi_hide_header X-Powered-By; ## And hide upstream app signatures proxy_hide_header X-Powered-By; proxy_hide_header X-AspNet-Version; proxy_hide_header X-Generator;
Error page fingerprinting: Even with server_tokens off, the default Nginx error page HTML contains the word "nginx". Use custom error pages to remove this final fingerprint for the highest-security environments.

Basic WAF-Style Filtering in Nginx

A full WAF like ModSecurity (as an Nginx module) or AWS WAF sits in front of Nginx. But before you reach for those tools, Nginx's own map, if, and geo directives can block a significant percentage of automated attack traffic with zero external dependencies.

Block common attack patterns by URI:

## Block well-known scanner and exploit probe paths location ~* (\.php~|wp-login|xmlrpc|\.git|\.env|\.htaccess|/etc/passwd) { deny all; return 444; # Drop connection with no response (Nginx-specific) } ## Block requests with suspicious query strings (SQLi / XSS probes) ## Use map in http block, then check in server block map $query_string $bad_query { default 0; ~*(union.*select|select.*from|drop.*table) 1; ~*(script>|<script|javascript:) 1; ~*(base64_encode|eval\(|exec\() 1; } server { if ($bad_query) { return 400; } ## Block bad user agents (bots, vulnerability scanners) if ($http_user_agent ~* "(nikto|sqlmap|nmap|masscan|zgrab|python-requests/2\.2)") { return 403; } ## Block empty User-Agent (no legitimate browser sends none) if ($http_user_agent = "") { return 444; } }
Avoid if inside location blocks. Nginx's if directive has subtle, dangerous semantics inside location contexts (the "if is evil" problem). Keep if at the server block level, or use map + return patterns which are evaluated in the safer rewrite phase. For complex WAF rules, use ModSecurity or a dedicated edge WAF — do not build a regex labyrinth in Nginx config.

Geo-blocking with the geo module: If your application legitimately serves only specific regions, the built-in ngx_http_geo_module can block entire IP ranges without an external tool. For country-level blocking, MaxMind GeoIP2 integrates via ngx_http_geoip2_module (packaged separately).

Putting It All Together: Hardened Server Block Pattern

Production teams apply these controls at the http block level in a shared include file (/etc/nginx/conf.d/security.conf) so every virtual host inherits them without repetition. Site-specific overrides go in the individual server block.

## /etc/nginx/conf.d/security.conf — inherited by all vhosts server_tokens off; limit_req_zone $binary_remote_addr zone=global:20m rate=30r/s; limit_req_zone $binary_remote_addr zone=auth:5m rate=1r/s; limit_req_status 429; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; map $http_user_agent $is_scanner { default 0; ~*(nikto|sqlmap) 1; "" 1; } ## /etc/nginx/sites-enabled/app.conf — site-specific server { listen 443 ssl; server_name example.com; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; if ($is_scanner) { return 444; } location /api/ { limit_req zone=global burst=50 nodelay; proxy_pass http://app_backend; } location ~* /auth { limit_req zone=auth burst=3 nodelay; proxy_pass http://app_backend; } location ~* (\.env|\.git|/proc/) { deny all; return 444; } }
Test your security headers with curl -I https://yourdomain.com locally, and use securityheaders.com and Mozilla Observatory in CI to gate deployments on a minimum security score. Google and large-scale SaaS teams run these checks as part of every release pipeline.
Previous Lesson Caching & Compression
Next Lesson Tuning & Troubleshooting
Back to Course