Nginx Rate Limiting Configurator
Generate Nginx rate limiting directives visually. Configure limit_req_zone, burst, nodelay, and custom 429 error pages — 100% browser-based.
How ZeroData protects your privacy
- ✓ No Uploads: Processing happens entirely via client-side JavaScript.
- ✓ No Storage: We do not have a database. We physically cannot save your data.
- ✓ No Tracking: We don't log what you process or track your inputs.
- ✓ Verifiable: Check your DevTools Network tab. You will see 0 outbound requests.
Why Rate Limiting Is Critical for Modern Web Applications
Every web application exposed to the internet faces automated traffic — bots, scrapers, brute-force attacks, and distributed denial-of-service (DDoS) attempts. Without rate limiting, a single malicious client can overwhelm your backend servers, exhaust database connections, and degrade the experience for legitimate users.
Nginx's built-in limit_req module provides an efficient, battle-tested solution. It operates at the reverse proxy layer before requests reach your application, making it the first line of defense. This tool generates the correct configuration so you don't need to memorize the syntax or calculate burst values manually.
Understanding the limit_req_zone Directive
The limit_req_zone directive must be placed in the http block of your nginx.conf. It defines three parameters:
- Key: What to rate-limit by. $binary_remote_addr (client IP) is the most common. Use $uri to limit per path, or $server_name for per-domain limits.
- Zone: A shared memory zone (e.g., zone=ratelimit:10m) that stores the request counters. 10MB handles ~80,000 unique IPs.
- Rate: The allowed request rate (e.g., 10r/s or 30r/m).
Burst and Nodelay: Handling Traffic Spikes
Real-world traffic is bursty — a user might load a page and trigger 15 asset requests simultaneously. Without burst, these requests would be rejected despite being legitimate. The burst parameter creates a queue: excess requests up to the burst size are held and processed at the base rate.
Adding nodelay changes the behavior: burst requests are served immediately instead of being queued. This provides a better user experience while still enforcing the long-term rate limit. Once the burst queue fills, subsequent excess requests are rejected with a 429 status.
Related Nginx Tools
Build your complete Nginx configuration with our other tools. Use the Nginx Config Generator for server blocks, SSL, and reverse proxy setup. The Nginx Rewrite Generator helps create URL rewrite and redirect rules. For API security, pair rate limiting with the CORS Header Generator to control cross-origin access.
How to Use the Nginx Rate Limiting Configurator
- Enter a zone name and configure the rate (requests per second or minute).
- Set the burst size to control how many excess requests can queue during traffic spikes.
- Choose a delay mode: 'nodelay' serves burst requests immediately, 'delay' queues them.
- Select the scope key ($binary_remote_addr for per-IP, $uri for per-path limiting).
- Optionally enable a custom 429 error page, then copy the generated Nginx config.
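A configuration of the kind these steps describe, shown as an added example and not the tool's actual output. The zone names, upstream address, example.test, the Retry-After value and the commented real-IP range are placeholders. It also shows the limit_req_status 429 setting and the burst/nodelay choice discussed elsewhere on this page.

```nginx
# Fragment for nginx.conf (added example; all names and addresses are placeholders).
http {
    # Key = client IP in binary form, 10m shared zone, steady rate 10 requests/second.
    limit_req_zone $binary_remote_addr zone=api_per_ip:10m rate=10r/s;
    # Stricter zone for authentication: 5r/m is enforced as one request per 12 s,
    # not as five requests at any point within a minute.
    limit_req_zone $binary_remote_addr zone=login_per_ip:10m rate=5r/m;

    # Reject with 429 instead of the default 503, and log rejections at warn.
    limit_req_status 429;
    limit_req_log_level warn;

    # Behind a load balancer or CDN, $binary_remote_addr is the proxy's address,
    # so every client would share one counter. Restore the client IP first
    # (ngx_http_realip_module), trusting only your own proxies:
    # set_real_ip_from 192.0.2.0/24;   # placeholder range
    # real_ip_header   X-Forwarded-For;

    upstream backend { server 127.0.0.1:8080; }

    server {
        listen 80;
        server_name example.test;

        location /api/ {
            # Up to 20 requests above the rate are served immediately;
            # anything beyond that is rejected with 429.
            limit_req zone=api_per_ip burst=20 nodelay;
            proxy_pass http://backend;
        }

        location = /login {
            # Without nodelay the 3 excess requests would be held and
            # released one every 12 s, which ties up connections.
            limit_req zone=login_per_ip burst=3 nodelay;
            proxy_pass http://backend;
        }

        # Custom body for rejected requests.
        error_page 429 /429.json;
        location = /429.json {
            internal;
            default_type application/json;
            add_header Retry-After 1 always;   # placeholder value
            return 429 '{"error":"rate limit exceeded"}';
        }
    }
}
```

Run `nginx -t` after merging a fragment like this into your own configuration to confirm it parses before reloading.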
Common Use Cases
- Protecting REST API endpoints from abuse and denial-of-service attacks.
- Rate limiting login and authentication pages to prevent brute-force password attacks.
- Throttling webhook endpoints to handle traffic spikes without overwhelming backend services.
- Limiting static asset requests from aggressive crawlers and scrapers.
- Implementing per-IP rate limiting for multi-tenant SaaS applications behind Nginx.
Frequently Asked Questions
What is Nginx rate limiting and how does limit_req work?
Nginx rate limiting uses the ngx_http_limit_req_module to control the rate of incoming requests. The limit_req_zone directive defines a shared memory zone that tracks request rates per key (usually client IP). The limit_req directive applies the rate limit to specific locations. When a client exceeds the allowed rate, Nginx returns a 503 (or custom 429) status code.
What is the difference between 'burst' and 'nodelay' in Nginx rate limiting?
The 'burst' parameter defines how many excess requests are allowed to queue beyond the base rate. Without 'nodelay', queued requests are processed at the base rate (with artificial delays). With 'nodelay', all burst requests are served immediately — but once the burst queue fills, new excess requests are rejected. This provides a smoother experience for legitimate traffic spikes.
Should I use requests per second or per minute?
Use per-second (r/s) for API endpoints and high-traffic routes — it provides granular control. Use per-minute (r/m) for strict throttling on sensitive endpoints like login pages or password reset forms where you want very low request rates (e.g., 5r/m). Nginx internally converts both to the same mechanism.
How much shared memory do I need for limit_req_zone?
Nginx stores approximately 128 bytes per key entry for IPv4 addresses ($binary_remote_addr). A 10m (10 megabyte) zone can track about 80,000 unique IP addresses simultaneously. For most applications, 10m is sufficient. Increase to 20m or 50m only if you expect hundreds of thousands of concurrent unique IPs.
How do I return a 429 status instead of 503?
By default, Nginx returns 503 Service Unavailable when rate limits are exceeded. Add 'limit_req_status 429;' to return the correct HTTP 429 Too Many Requests status code. This tool always includes this directive. You can also add a custom error page with an informative message.