Express-rate-limit vs NGINX in a node server

I'm currently using the express-rate-limit module to block multiple requests from the same IP or logged-in user account in my node server, and this is working pretty well against DoS attacks. This server is for a small local business that requires only one instance, as it doesn't have too many users and its computing requirements aren't too intensive.

I've been reading a lot about nginx lately, and many people recommend using it in front of node servers, but I can't see the major advantages of using it in this kind of application.

How would nginx be better for my application? What can it do that other npm modules can't in terms of security for a single server application?

Felipe Micali asked May 15 '18 10:05



1 Answer

Well, I am not an NGINX expert, but I use NGINX in production currently on my EC2 instance. When it comes to rate limiting, there are a couple of options available with respect to Express:

  • You can use Redis as a store, get the IP address of each incoming request and check how many hits they currently have before deciding to service them. This could be a middleware that works on all routes.
  • You could use a library like express-rate-limit or rate-limiter-flexible, which will handle the Redis part for you.
  • Now when you take NGINX, it is a web server whose strongest point is not rate limiting, to be precise. It still supports rate limiting, though, if you modify the configuration. HERE is an insight into NGINX rate limiting.
  • Another option you haven't considered is called HAProxy, which is a load balancer that is considered superior for tasks such as rate limiting. You can read about it HERE.

Let's talk about the second part of your question:

  1. Rate limiting inside an application is a bad idea. It does not belong to the application as such; it is not a part of the business logic. Also, it does not work well in clustered mode (more than one core running Express at the same time) unless you tweak it to support clustering.
  2. Rate limiting using NGINX configuration just needs 2 extra lines, as shown in the earlier link I posted. If you suddenly want to add an extra route or exempt some route from rate limiting, NGINX can easily do that.
  3. If you want to exempt your CloudFront addresses or CDN server addresses from being rate limited, you can add a whitelist of IPs to the NGINX conf so that it will exempt them. Doing this in the application will be a real pain, as you would have to git commit, redeploy, etc. THIS answer covers how to exempt addresses.
PirateApp answered Oct 16 '22 08:10
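As an added example (not code from the answer, the asker, or the NGINX project), here is a minimal NGINX configuration showing the three points the answer makes: a per-IP `limit_req` zone in front of the Express app, a whitelisted address range that is exempt from the limit, and a route that is exempt entirely. The address ranges, zone name, upstream port and paths are assumptions chosen for illustration.

```nginx
# Map client addresses to a limit key. Whitelisted ranges get an empty key,
# and NGINX does not count requests whose key is empty, so they are exempt.
geo $limit {
    default         1;
    10.0.0.0/8      0;   # assumed internal network, exempt
    203.0.113.0/24  0;   # assumed CDN/edge range (documentation prefix), exempt
}

map $limit $limit_key {
    0 "";
    1 $binary_remote_addr;
}

# 10 MB shared zone (roughly 160k client addresses), 10 requests/second per IP.
limit_req_zone $limit_key zone=per_ip:10m rate=10r/s;
limit_req_status 429;          # reply 429 instead of the default 503 when limited
limit_req_log_level warn;      # log rejected requests at warn for detection

server {
    listen 80;
    server_name example.com;   # assumed hostname

    # Health checks are exempt: no limit_req in this location.
    location = /health {
        proxy_pass http://127.0.0.1:3000;
    }

    # Everything else is limited; burst=20 queues short spikes, nodelay
    # serves them immediately instead of smoothing them out.
    location / {
        limit_req zone=per_ip burst=20 nodelay;
        proxy_pass http://127.0.0.1:3000;   # assumed Express listen port
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the limit is keyed on `$binary_remote_addr`, it counts the address NGINX actually sees; if all traffic arrives through a CDN, exempting the CDN range would exempt everything, so in that deployment the real client address must be recovered first (for example with the realip module) before it is used as the key.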