Rate Limiting in Plesk with Nginx

This guide explains how to implement and verify Nginx rate limiting in Plesk.

How Nginx rate limiting works

Nginx rate limiting has two parts:

Global definition (required)

Defines how requests are tracked in memory.

Enforcement rule

Applies the limit to traffic.

Step 1 - Create the global rate limit zone

Create a file included in the Nginx http {} block, for example:

/etc/nginx/conf.d/zone_limit.conf

Add:

limit_req_zone $binary_remote_addr zone=zone_limit:10m rate=10r/s;

What this does

  • Tracks requests per client IP address ($binary_remote_addr)
  • Uses 10 MB of shared memory for the zone named zone_limit
  • Allows 10 requests per second per IP
  • Prepares Nginx for rate limiting (does NOT enforce yet)

Step 2 - Apply rate limiting in Plesk (domain level)

Go to:

Plesk → Domains → your domain → Apache & nginx Settings

In “Additional nginx directives”, add:

location = /index.php {
	limit_req zone=zone_limit burst=10 nodelay;
}

What this does

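  • Applies rate limiting to requests for exactly /index.php (location = is an exact match)
  • Controls ALL traffic routed through index.php
  • Allows bursts of up to 10 requests above the rate (burst=10)
  • Serves requests within the burst immediately instead of delaying them; anything beyond the burst is rejected (nodelay)
  • A location block does not inherit proxy_pass or fastcgi_pass from other locations, so after reloading confirm that /index.php still returns the rendered page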

Reload Nginx

After changes:

nginx -t

If successful:

systemctl reload nginx

How to verify rate limiting

Check access logs

/var/log/nginx/access.log

Search:

grep "index.php" /var/log/nginx/access.log

Check error logs (important)

/var/log/nginx/error.log

Look for:

limiting requests, excess: ...

Enable proper logging

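limit_req_log_level notice;
limit_req_status 429;

Both directives are valid in the http, server, or location context. Without limit_req_status, rejected requests receive 503. With limit_req_log_level notice, the rejection messages reach the error log only if error_log is set to notice or a more verbose level.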

Stress test

ab -n 200 -c 20 "https://yourdomain.com/index.php"

Expected behavior

Normal user → OK
Burst traffic → temporarily allowed
Bots → throttled or blocked
Heavy scraping → rate-limited (429/503)
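
To make the expected behavior concrete, the following added example (not part of the original guide and not nginx code) is a simplified single-client model of the leaky-bucket accounting behind limit_req with rate=10r/s burst=10 nodelay. The function names and the three arrival patterns are constructed for illustration.

```python
"""Simplified model of limit_req accounting for one client IP (added example)."""


def simulate(arrivals_ms, rate_per_s=10, burst=10):
    """Return one bool per request: True = passed, False = rejected.

    Models the nodelay case. 'excess' is kept in thousandths of a request,
    drains at rate_per_s, and a request is rejected when it would push
    excess above burst. Rejected requests leave the stored state unchanged.
    """
    limit = burst * 1000
    excess = None          # None = no zone entry for this client yet
    last = 0               # time of the last accepted request, in ms
    verdicts = []
    for now in arrivals_ms:
        if excess is None:
            excess, last = 0, now      # first request creates the entry
            verdicts.append(True)
            continue
        # Drain for the elapsed time, then add this request (1000 = 1 request).
        candidate = max(excess - rate_per_s * (now - last) + 1000, 0)
        if candidate > limit:
            verdicts.append(False)     # answered with limit_req_status
        else:
            excess, last = candidate, now
            verdicts.append(True)
    return verdicts


def summarize(arrivals_ms, **kw):
    """Count passed and rejected requests for one arrival pattern."""
    verdicts = simulate(arrivals_ms, **kw)
    return {"passed": verdicts.count(True), "rejected": verdicts.count(False)}


# Constructed arrival patterns (milliseconds since the first request).
SCENARIOS = {
    "20 requests at the same instant": [0] * 20,
    "steady 10 r/s for 5 s": [i * 100 for i in range(50)],
    "steady 20 r/s for 10 s": [i * 50 for i in range(200)],
}

if __name__ == "__main__":
    for name, arrivals in SCENARIOS.items():
        print(f"{name}: {summarize(arrivals)}")
```

In this model a simultaneous burst of 20 yields 11 passes (one plus burst=10) and 9 rejections, a client pacing itself at 10 r/s is never rejected, and a client holding 20 r/s for 10 seconds gets 110 of 200 requests through.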

This setup reduces bot scraping, protects search endpoints, and improves server stability.