Nginx Rate Limiting and Plugins (Including Oxygen)


Introduction

This article was originally focused on the Oxygen Builder, which is our most common support request when rate limiting occurs. It can happen with other plugins too, though, and while the example below is from Oxygen, the same steps and advice apply to any plugin that hits rate limiting issues.

Known plugins that may trigger rate limiting include:

  • Oxygen
  • Exports and Reports

Checking the Nginx Error Log

Oxygen tends to hammer the WordPress backend, and sometimes gets tripped up on our rate limiting. Specifically, if you’re trying to sign shortcodes, you may see the following in your Nginx Error Log:

2020/04/25 10:50:52 [error] 30125#30125: *710261 limiting requests, excess: 6.364 by zone "wp", client: someiphere, server: gridpanedemo.com, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", host: "gridpanedemo.com", referrer: "https://gridpanedemo.com/wp-admin/admin.php?page=oxygen_vsb_sign_shortcodes"

The solution is to increase our rate limit. Below is how to do this either for an individual website or server-wide for all the websites on your server. Which you choose will depend on your requirements. For example, if you’re using Oxygen on each of your websites, you may wish to implement this server-wide and plan on leaving the limits high.

We’d recommend adjusting things for just the one specific website and then turning them back down once you’re done.

When checking your Nginx Error Log, you’re looking to determine how many requests per second are taking place so that you can adjust the values below accordingly.
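One way to get those numbers from the log, as an added example rather than GridPane tooling: the Python below counts "limiting requests" entries per second for each zone and server and reports the busiest second. The sample lines are constructed in the format shown above (example.test and 203.0.113.10 are placeholders), and since these entries record rejected requests only, the peak is the number of requests turned away in one second, not the total request rate.

```python
import re
from collections import Counter

# nginx error-log entry written when limit_req rejects a request.
LIMIT_RE = re.compile(
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'limiting requests, excess: [\d.]+ by zone "(?P<zone>[^"]+)"'
    r'.*?server: (?P<server>[^,]+), request: "\S+ (?P<uri>\S+)'
)

def summarize(lines):
    """Per (zone, server): total rejections, busiest second, most-hit URI."""
    per_second = Counter()  # (zone, server, timestamp) -> rejections
    uris = {}               # (zone, server) -> Counter of request URIs
    for line in lines:
        m = LIMIT_RE.match(line)
        if not m:
            continue  # unrelated errors, or entries wrapped across lines
        key = (m["zone"], m["server"])
        per_second[key + (m["ts"],)] += 1
        uris.setdefault(key, Counter())[m["uri"]] += 1
    report = {}
    for (zone, server, ts), n in per_second.items():
        entry = report.setdefault(
            (zone, server), {"total": 0, "peak": 0, "peak_at": None})
        entry["total"] += n
        if n > entry["peak"]:
            entry["peak"], entry["peak_at"] = n, ts
    for key, entry in report.items():
        entry["top_uri"] = uris[key].most_common(1)[0][0]
    return report

def _line(ts, server, uri):
    # Constructed sample entry in the format shown in the log excerpt above.
    return (f'2020/04/25 {ts} [error] 30125#30125: *1 limiting requests, '
            f'excess: 6.364 by zone "wp", client: 203.0.113.10, '
            f'server: {server}, request: "POST {uri} HTTP/1.1", host: "{server}"')

AJAX = "/wp-admin/admin-ajax.php"
SAMPLE = (  # constructed data; example.test and 203.0.113.10 are placeholders
    [_line("10:50:52", "gridpanedemo.com", AJAX)] * 3
    + [_line("10:50:53", "gridpanedemo.com", AJAX)] * 4
    + [_line("10:50:53", "gridpanedemo.com", "/wp-admin/post.php")]
    + [_line("10:50:53", "example.test", AJAX)]
    + ['2020/04/25 10:50:54 [error] 30125#30125: *2 open() "/x" failed']
)

if __name__ == "__main__":
    for (zone, server), e in summarize(SAMPLE).items():
        print(zone, server, e["total"], e["peak"], e["peak_at"], e["top_uri"])
```

To use it on a real log, pass the lines of the site's Nginx error log to summarize() in place of SAMPLE.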

Zone WP

Zone WP defaults to a 6 request burst queue when the rate limit of 3 requests per second has been exceeded. This zone protects the wp-admin and specifically the admin-ajax endpoint. Certain plugins (such as Oxygen) that hit this endpoint at a rapid rate may need this increase temporarily to handle the rate. We recommend lowering the burst rate again once the process has been completed.

Site-Specific Zone WP Rate Adjustment

This is site-specific and allows for a nodelay burst to be set, so if you reach your limit (default is 6) and set the burst to 30, then it would queue up another 30 requests and serve them immediately before dropping requests.

This per-site burst queue is set in addition to the server-wide requests per second rate limit (detailed below).

Directive: limit_req
Config location: /etc/nginx/common/{site.url}-wpcommon.conf
Context: server
Default value: 6
Accepted values: integer, fqdn

gp stack nginx limits -site-zone-wp-burst {queue.size} {site.url}

Example:

gp stack nginx limits -site-zone-wp-burst 30 gridpane.com

Server-Wide Zone WP Rate Adjustment

With this solution, you are adjusting the total requests per second allowed. By default, we set this to 10MB of space for keys and 3 requests per second. With each site allowing a burst of 6, that means your sites will serve 9 requests per second before dropping requests.

In addition to this request per second limit, each site has a burst queue (detailed above).

Directive: limit_req_zone
Config location: /etc/nginx/common/limits.conf
Context: http
Unit: MB (key store size) and Rate (requests/s)
Default value: 10 3
Accepted values: integers

gp stack nginx limits -req-zone-wp {store.size.mb} {req.per.sec}

Example:

gp stack nginx limits -req-zone-wp 15 10

Check Nginx for Errors and Reload

Once you have finished making either the site-specific or the server-wide adjustment above, be sure to test the Nginx config for errors and then reload.

Test the configuration with this command:

nginx -t

If no errors are present, reload the configuration with this command:

gp ngx reload

Recheck Nginx Error Log and adjust as needed

Once these have been set, try again, and if there are any issues, recheck your Nginx error log. You may need to increase the limits further.

Reset Limits back to lower threshold when complete.

We recommend that users reset their limits back to a lower threshold once they have finished signing their shortcodes. Rate limiting is an important part of server hardening and helps maintain stability across sites.