Nginx: keep limiting the user for a duration

Question

I'm limiting the requests based on CLIENT-KEY header. The problem is that I need to keep sending the 429 status code for one minute after the header is limited. But with the current configuration, it lets the user to send another request after waiting for few seconds after receiving the first 429 response.

Here is my Nginx configuration:

events {
  worker_connections 1024;
}

http {
    limit_req_status 429;

    limit_req_zone $http_client_key zone=one:10m rate=10r/m;

    upstream api {
        server api:8080;
    }

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        location / {
            limit_req zone=one burst=10 nodelay;

            proxy_pass http://api;
        }
    }
}

Answer 1

If I correctly understood your needs it should be like this (didn't test):

events {
    worker_connections 1024;
}

http {
    limit_req_status 429;

    limit_req_zone $http_client_key zone=limit_ten_req_per_min:10m rate=10r/m;
    limit_req_zone $http_client_key zone=limit_ban_after_exceeded_limit:10m rate=1r/m;

    upstream api {
        server api:8080;
    }

    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        location / {
            limit_req zone=limit_ten_req_per_min burst=10 nodelay;
            limit_req zone=limit_ban_after_exceeded_limit delay=1;

            proxy_pass http://api;
        }
    }
}

You set first zone (not sure if you actually want to have burst=10 there), then there goes second one which is handles 1 request per minute (for more flexibility you can use this 3rd party nginx module). Also you need delay in second zone to actually restrict further requests.