Nginx
Alexander Pashchenko, 2016-11-11 23:49:59

Why doesn't limiting the number of nginx requests to a specific URL work?

I'm trying to guard against homegrown script kiddies trying to brute-force passwords.
Previously, I limited requests to the site as a whole and everything worked. But here I'm doing something wrong or something... it does not want to limit the URL, although it seems that I'm doing everything according to the advice from the Internet and according to the manuals.
Below is my config (shortened for readability):

limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

server {
    listen 80 default_server;
    server_name mydomain;
    root /home/mysite;
    index index.php;

    fastcgi_index index.php;
    include fastcgi_params;       
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /ajax/login_form {
        limit_req zone=req_per_ip burst=5 nodelay;
        rewrite ^ /index.php last;
        fastcgi_pass backend;
    }

    location ~ \.php$ {
        fastcgi_pass backend;
    }

}


1 answer(s)
Alexander Pashchenko, 2016-11-12
@point212

I'll answer my own question. I overdid something.
This is how it will work:

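location /json/login_form {
    # the zone name must match one defined with limit_req_zone
    limit_req zone=one burst=5 nodelay;
    # serve the file if it exists, otherwise hand off to the front controller
    try_files $uri /index.php?$query_string;
}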
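
The difference between the two versions comes from nginx's request phases: `rewrite ... last` runs in the rewrite phase and re-matches the request to another location before `limit_req` (preaccess phase) is ever checked, while `try_files` is evaluated after it. The config below is an added example, not the poster's own file; it uses the question's zone name and `/ajax/login_form` path, and the `backend` upstream address is an assumption because the page does not show it.

```nginx
# Added example, not the poster's configuration. Goes in the http {} context.
# "backend" is the upstream name used in the question; its definition is not
# shown on the page, so the address below is an assumption.
upstream backend {
    server 127.0.0.1:9000;   # assumed PHP-FPM address
}

limit_req_zone $binary_remote_addr zone=req_per_ip:10m rate=10r/s;

server {
    listen 80 default_server;
    server_name mydomain;
    root /home/mysite;
    index index.php;

    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
    fastcgi_param DOCUMENT_ROOT $realpath_root;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Before (from the question): "rewrite ... last" runs in the rewrite phase,
    # which comes before the preaccess phase where limit_req is checked. The
    # request is re-matched to "location ~ \.php$" and never reaches limit_req.
    #
    # location /ajax/login_form {
    #     limit_req zone=req_per_ip burst=5 nodelay;
    #     rewrite ^ /index.php last;
    #     fastcgi_pass backend;
    # }

    # After: try_files is evaluated later than limit_req, so the request is
    # counted here first and only then redirected internally to /index.php.
    location /ajax/login_form {
        limit_req zone=req_per_ip burst=5 nodelay;
        limit_req_status 429;          # optional; the default is 503
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        fastcgi_pass backend;
    }
}
```

Validate with `nginx -t` before reloading. Rejected requests appear in the error log as `limiting requests, excess: ... by zone "req_per_ip"`, which confirms the limit is being applied to the login URL.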
