Optimizing NGINX Rate Limiting for E-commerce API Traffic Spikes

Dear NGINX Community,

I am refining the performance of an NGINX server configuration for a small e-commerce platform, launched in May 2025, to ensure robust handling of API traffic during peak periods. While NGINX has proven reliable as a reverse proxy for my application, I seek to optimize rate limiting to mitigate the impact of traffic spikes while maintaining accessibility for legitimate users. Your expertise in this area would be greatly appreciated.

My setup, running NGINX Open Source 1.29.0 on an Ubuntu 22.04 server, serves as a reverse proxy for a Node.js API hosted on a single VPS, processing approximately 2,000 requests per minute during normal operation. The configuration, based on guidelines from the NGINX documentation, employs the limit_req directive with a shared memory zone to restrict requests to 50 per second per IP for my API endpoints. During recent promotional events, traffic surged to 5,000 requests per minute, resulting in excessive 503 Service Unavailable errors for some users, despite the server’s capacity to handle the load.

To address this, I adjusted the burst parameter to allow temporary spikes and implemented a shared memory zone of 10m, as recommended in the NGINX rate limiting guide. I also verified that the limit_req_status directive correctly logs rejected requests and ensured no upstream server bottlenecks via monitoring tools.

Despite these adjustments, I observe that legitimate users occasionally face delays or rejections during high-traffic periods, suggesting that my rate limiting configuration may require further tuning to balance protection and accessibility. I am particularly interested in strategies to dynamically adjust rate limits or prioritize certain API endpoints, such as checkout processes, to enhance user experience without compromising server stability.

What specific NGINX rate limiting strategies or configurations would you recommend to effectively manage traffic spikes for an e-commerce API while ensuring accessibility for legitimate users?

Thank you for your insights and expertise.

3 Likes
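An added example, not part of the original post and not NGINX's own code: a simplified Python model of the per-key accounting that limit_req performs, showing how a burst from one IP is passed, delayed or rejected at the 50 requests per second described above. The burst values and the 30-request spike are constructed assumptions, since the post does not state them.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LimitReq:
    """Simplified model of one limit_req zone entry (one client IP)."""
    rate: float                   # requests per second, e.g. 50 for rate=50r/s
    burst: int                    # burst= value (assumed, not given in the post)
    delay: int = 0                # 0 = default (delay all excess); burst = nodelay
    excess: float = 0.0           # requests currently queued above the rate
    last: Optional[float] = None  # time of the last accounted request

    def request(self, now: float):
        """Return ('reject', 0.0) or ('pass', seconds_the_request_is_held)."""
        if self.last is None:
            excess = 0.0          # first request from this key
        else:
            # Drain at `rate` since the last request, then add this request.
            excess = max(0.0, self.excess - self.rate * (now - self.last) + 1)
        if excess > self.burst:
            return ("reject", 0.0)    # answered with limit_req_status; state unchanged
        self.excess, self.last = excess, now
        if excess <= self.delay:
            return ("pass", 0.0)      # forwarded immediately
        return ("pass", (excess - self.delay) / self.rate)

def simulate(limiter: LimitReq, arrivals):
    """Feed arrival times (seconds) to one key; return (passed, rejected, max_delay)."""
    passed = rejected = 0
    max_delay = 0.0
    for t in arrivals:
        verdict, wait = limiter.request(t)
        if verdict == "pass":
            passed += 1
            max_delay = max(max_delay, wait)
        else:
            rejected += 1
    return passed, rejected, max_delay

if __name__ == "__main__":
    spike = [0.0] * 30  # constructed: 30 API calls from one IP in the same instant
    cases = [
        ("burst=20", LimitReq(50, 20)),
        ("burst=20 nodelay", LimitReq(50, 20, delay=20)),
        ("burst=50", LimitReq(50, 50)),
    ]
    for label, limiter in cases:
        print(label, simulate(limiter, spike))
```

In this model a larger burst without nodelay turns rejections into queueing delay, while nodelay forwards the same requests immediately and rejects only what exceeds the burst.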

Hello @Gabriela_vale

You’ve read some of our NGINX documentation, and thank you. I presume you’ve looked at this section, specifically? Limiting Access to Proxied HTTP Resources | NGINX Documentation

If I read your note correctly, you’re also looking for ways to keep users from facing delays. Have you looked at setting up load balancing? (HTTP Load Balancing | NGINX Documentation)

Keep us posted on your progress. We’d love to improve our docs for use cases like yours.

Thanks,
Mike

3 Likes

Dear Mike,

Thank you for your insightful suggestions and for referencing the NGINX documentation on limiting proxied HTTP resources. I’ve applied the limit_req directive as guided and explored your recommendation on load balancing. I set up an upstream block with two Node.js servers using the least connections method on NGINX 1.26.1, reducing API response times from 800ms to 600ms during peak traffic, per access logs.

However, occasional 1-second delays persist for checkout POST requests under high loads. Could you suggest specific limit_req_zone or load balancing tweaks to further optimize performance? I truly appreciate your guidance and eagerness to enhance the documentation.

Sincerely,
@Gabriela_vale | Writer at Calchoras

These seem like significantly different deployments, can you explain the discrepancies?