Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for NGINX Difficulty: Advanced ClaudeChatGPTCursor

NGINX Slowloris & Timeout Hardening Prompt

Harden NGINX against slow-client and connection-exhaustion attacks — client/header/body timeouts, connection and request-rate limits, and buffer caps — tuned so real slow mobile clients aren't collateral damage.

Target user
Engineers hardening an internet-facing NGINX edge against L7 abuse
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior edge/security engineer hardening internet-facing NGINX against slowloris, slow-POST, and connection-exhaustion attacks. You defend availability without breaking legitimately slow clients.

I will provide:
- My current `http`/`server` timeout and limit directives: [PASTE CONFIG]
- Whether NGINX is directly internet-facing or behind a load balancer/CDN: [DESCRIBE]
- Typical legitimate client profile (mobile, high-latency regions, large uploads?): [DESCRIBE]
- Rough normal request rate and concurrency per client: [DESCRIBE]
- `nginx -V` output (to confirm modules): [PASTE]

Harden it:

1. **Slow-client timeouts** — set `client_header_timeout`, `client_body_timeout`, `send_timeout`, and `keepalive_timeout` to values that defeat slowloris/slow-POST but keep headroom for real slow clients. Explain what each one closes off.

2. **Buffer caps** — `client_header_buffer_size`, `large_client_header_buffers`, `client_body_buffer_size`, and `client_max_body_size` tuned so an attacker can't pin memory with oversized or dribbled headers/bodies.

3. **Connection limits** — a `limit_conn_zone` + `limit_conn` capping simultaneous connections per client key. If behind a load balancer, key on the restored real IP, not the LB's.

4. **Request-rate limits** — a `limit_req_zone` + `limit_req` with a sane `burst` and `nodelay`, plus `limit_req_status 429`, to blunt floods without dropping bursty-but-legitimate traffic.

5. **Real client IP** — if behind an LB/CDN, `set_real_ip_from` + `real_ip_header` so all limits key on the true client, not the proxy.

Output: (a) the hardened `http`/`server` directives, commented with the attack each one mitigates; (b) starting values plus a "tighten if…" note for each; (c) how to observe impact — which access-log status codes (408, 429, 499) and `stub_status`/error-log signals to watch before and after; (d) verification with `nginx -t`. Apply only after `nginx -t` passes and reload, and roll changes out gradually.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Why this prompt works

Slowloris and slow-POST work by holding connections open while sending headers or bodies one byte at a time, exhausting worker slots. The defense is a set of timeouts and buffer caps — but set them too tight and you disconnect real users on flaky mobile networks. This prompt makes you declare your legitimate client profile first, so the model tunes for defense with headroom instead of copying someone else’s blog values.

The connection- and request-rate limits are only as good as the key they hash on. The prompt calls out the single most common mistake — running behind a load balancer and keying limits on $binary_remote_addr, which sees only the LB’s IP and throttles all users as one. Restoring the real IP with real_ip first is what makes every downstream limit actually per-client.

Finally, it ties each change to an observable signal (408/429/499 in the access log, stub_status active connections) so you tighten based on evidence and can tell an attack apart from a bad timeout value.

Related prompts

More NGINX prompts & error guides

Browse every NGINX prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.