Make Nginx server respond slowly
Nginx directive limit_rate
lets you specify the speed you'd like to rate limit responses, e.g.
location / {
if ($slow) {
limit_rate 4k;
}
}
Nginx documentation is here. (from the documentation you'll see that your backend may make the decision and request Nginx to rate limit the client)
How you get this $slow
variable set depends on your configuration. The easiest would be to set it via geo
mapping:
geo $slow {
default 0;
1.2.3.0/24 1;
}
"Geo" mapping is a dependency of $slow
based on the client IP address. It's 0 by default and 1 if a client IP address is in 1.2.3.0/24
subnet. See Nginx documentation on "geo" here
Using "fail2ban" is a reasonable evolution of this whole solution. You may use "fail2ban" to automatically detect unusual activity and collect IPs for Nginx and then reload Nginx so that it re-reads lists of IP addresses that need to be slowed down and/or blocked.
If you want to trick the offending user into thinking that he is still going unnoticed by you, you can use nginx's request limit module (http://wiki.nginx.org/HttpLimitReqModule).
First define a request limit zone:
http {
limit_req_zone $binary_remote_addr zone=spammers:1m rate=30r/m;
}
This zone will use the offender's IP address in order to identify and limit requests into 30 per minute (1 / 2 sec). Please note that the zone's memory size is set to 1 MiB, which means it can handle 1 MiB / 64 bytes per request bucket = 16384 spammer addresses (which is maybe an overkill for our case). Adjust respectively, if you must.
Next, we define the directive that will actually route the offender through the limiter using an (evil, unfortunately) if case:
location / {
if ($remote_addr = 1.2.3.4) {
limit_req zone=spammer burst=5;
}
}
You can watch the fruits of your labor in the server's access log.
Note that this hack does not scale well, since you'll have to update the configuration file each time the offender changes IP (let alone include more IPs in there which means more if cases), but it works.
Best way to deal with this spammer is to proper install and configure fail2ban. Fail2ban will search patterns in log files and block all ips that spam your site. Ofcourse you must configure it to search proper pattern.