Rate Limiting NGINX & Vaadin

My Vaadin application runs behind NGINX. I want to add rate limiting (at the NGINX level), but I’m not sure about the configuration. Because all states, … are handled on the server, I’m not sure about the number of allowed web service calls. Of course, it depends on the application that was built, but is there any recommendation?

Does anyone have experience with it?

The answer depends on your goal. Licensing requirements or D(D)OS protection… internet or intranet audience… small usage vs power user usage

D(D)OS protection and public internet

My question is also about “how many web service calls are processed in the background” because of Vaadin (sync of client and server)…?

If feasible I would suggest the following:

  • use static pages hosted on your NGINX for public pages
  • use an external security provider so that all Vaadin pages are protected / not accessible without authentication
  • (if you really need to; because it’s not really needed anymore) add a 1000 requests per minute limit which should be sufficient for 1-50 users from a single IP depending on their “click rate” and application design

Thanks for the information.

Multiple requests from the same IP? Not a network specialist, but does not any computer have its own?

Some additional information: My Spring application also provides REST endpoints. I want to protect these too.

NAT / corporate networks with one outgoing IP / proxies / gateways or VPN and many, many more things can obfuscate IP addresses

1 Like
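As an added example (not posted by anyone in this thread), here is an NGINX configuration for the per-IP limit of 1000 requests per minute suggested above, with a separate, stricter zone for the REST endpoints. The `/api/` prefix, the upstream address, the server name, the burst sizes and the REST rate are assumptions to tune per application.

```nginx
# --- http context ---
# One shared-memory zone per traffic class, keyed by client address.
# Everyone behind the same NAT, proxy or VPN exit shares one bucket,
# so the UI rate has to cover a whole office, not a single user.
limit_req_zone $binary_remote_addr zone=vaadin_ui:10m rate=1000r/m;
limit_req_zone $binary_remote_addr zone=rest_api:10m  rate=120r/m;  # assumed value

limit_req_status    429;   # default is 503, which looks like an outage
limit_req_log_level warn;

server {
    listen 80;
    server_name app.example.com;          # placeholder

    # Vaadin UI: every interaction is a server round trip, and a page
    # load fires several requests at once. 1000r/m is enforced as one
    # request every 60 ms, so without "burst" a normal page load would
    # already be rejected. "nodelay" serves the burst immediately
    # instead of queueing it.
    location / {
        limit_req zone=vaadin_ui burst=200 nodelay;

        # Measure first: with dry run on, nothing is rejected, but
        # requests that would have been are logged (nginx 1.17.1+).
        # Remove this line once the logged numbers look right.
        limit_req_dry_run on;

        proxy_pass http://127.0.0.1:8080; # assumed upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # REST endpoints: machine clients, so a lower rate and smaller burst.
    location /api/ {                      # assumed path prefix
        limit_req zone=rest_api burst=20 nodelay;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Running the UI location in dry-run mode for a while and reading the error log is a practical way to answer the "how many requests does Vaadin make in the background" question for a specific application before enforcing anything.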