
Configuring Rate Limiting

The benefits application uses a single-configuration rate limit, applied per client IP, that caps the number of requests allowed in a given time period. It is implemented with the nginx limit_req_zone and limit_req directives.

The configured rate limit is 12 requests/minute, or 1 request/5 seconds:

limit_req_zone $limit zone=rate_limit:10m rate=12r/m;

HTTP method selection

An NGINX map variable lists HTTP methods that will be rate limited:

map $request_method $limit {
    default         "";
    POST            $binary_remote_addr;
}

The default of an empty string means the request is not rate limited: limit_req does not account requests whose key is empty, so only the methods listed explicitly are counted against the per-IP limit.

To rate limit another method, add a line for it with the same $binary_remote_addr key:

map $request_method $limit {
    default         "";
    OPTIONS         $binary_remote_addr;
    POST            $binary_remote_addr;
}

App path selection

The limit_req directive is applied inside an NGINX location block whose case-insensitive regex (~*) matches the paths to be rate limited:

location ~* ^/(eligibility/confirm)$ {
    limit_req zone=rate_limit;
    # config...
}

To add a new path, extend the regex alternation with | followed by the new path (omitting the leading slash, which is already part of the regex):

location ~* ^/(eligibility/confirm|new/path)$ {
    limit_req zone=rate_limit;
    # config...
}
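The method map, the location regex and the 12r/m zone combine into one policy: a request is counted only when its method is in the map and its path matches the location, and with no burst configured an accepted request must be at least 5 seconds after the previous accepted one from the same IP. The following is an added example, not code from the benefits application or from nginx: a simplified Python model of that policy (it approximates nginx's leaky bucket with burst=0 as "reject if fewer than 5 seconds since the last accepted request for the key" and does not reproduce nginx's exact implementation), run over a constructed sequence of requests to show which ones the configuration above would let through.

```python
import re
from dataclasses import dataclass, field

# Values mirror the nginx configuration on this page.
RATE_PER_MINUTE = 12
MIN_INTERVAL_S = 60 / RATE_PER_MINUTE          # rate=12r/m -> one request per 5 seconds
LIMITED_METHODS = {"POST"}                     # non-default entries of the $limit map
LIMITED_PATHS = re.compile(r"^/(eligibility/confirm)$", re.IGNORECASE)  # location ~* regex


@dataclass
class Request:
    """One incoming request (constructed sample data, not real traffic)."""
    t: float       # arrival time in seconds
    ip: str        # client address, used as the $binary_remote_addr key
    method: str
    path: str


@dataclass
class RateLimiter:
    """Simplified model of limit_req with burst=0 (an assumption, not nginx's code)."""
    last_accepted: dict = field(default_factory=dict)   # key -> time of last accepted request

    def key(self, req: Request) -> str:
        # map $request_method $limit: default "" means an empty key
        return req.ip if req.method in LIMITED_METHODS else ""

    def decide(self, req: Request) -> str:
        # Requests outside the location block never reach limit_req.
        if not LIMITED_PATHS.match(req.path):
            return "pass"
        key = self.key(req)
        # limit_req does not account requests with an empty key.
        if key == "":
            return "pass"
        last = self.last_accepted.get(key)
        # burst=0: any excess over the 1-per-5s rate is rejected (503 by default).
        if last is not None and req.t - last < MIN_INTERVAL_S:
            return "503"
        self.last_accepted[key] = req.t
        return "pass"


def simulate(requests):
    """Return the decision for each request in arrival order."""
    limiter = RateLimiter()
    return [limiter.decide(r) for r in requests]


# Constructed sample traffic: two client IPs hitting the limited path and others.
SAMPLE = [
    Request(0.0, "10.0.0.1", "POST", "/eligibility/confirm"),   # first POST: pass
    Request(1.0, "10.0.0.1", "POST", "/eligibility/confirm"),   # 1s later: 503
    Request(1.5, "10.0.0.1", "GET", "/eligibility/confirm"),    # GET not in map: pass
    Request(2.0, "10.0.0.2", "POST", "/eligibility/confirm"),   # other IP: pass
    Request(3.0, "10.0.0.1", "POST", "/help"),                  # path not limited: pass
    Request(5.0, "10.0.0.1", "POST", "/Eligibility/Confirm"),   # 5s elapsed, ~* matches: pass
    Request(9.0, "10.0.0.1", "POST", "/eligibility/confirm"),   # 4s after last accept: 503
]

if __name__ == "__main__":
    for req, outcome in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={req.t:4.1f} {req.ip} {req.method:4} {req.path:22} -> {outcome}")
```

Two points the model makes visible: a rejected request does not reset the interval, so a client that keeps retrying still gets one request through every 5 seconds rather than being locked out; and because the map keys on method, a GET to a limited path is never counted, which is the intended behaviour for page loads but worth remembering when adding an endpoint that accepts sensitive input on a method other than POST.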