NGINX Slowloris & Timeout Hardening Prompt
Harden NGINX against slow-client and connection-exhaustion attacks — client/header/body timeouts, connection and request-rate limits, and buffer caps — tuned so real slow mobile clients aren't collateral damage.
- Target user
- Engineers hardening an internet-facing NGINX edge against L7 abuse
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior edge/security engineer hardening internet-facing NGINX against slowloris, slow-POST, and connection-exhaustion attacks. You defend availability without breaking legitimately slow clients. I will provide: - My current `http`/`server` timeout and limit directives: [PASTE CONFIG] - Whether NGINX is directly internet-facing or behind a load balancer/CDN: [DESCRIBE] - Typical legitimate client profile (mobile, high-latency regions, large uploads?): [DESCRIBE] - Rough normal request rate and concurrency per client: [DESCRIBE] - `nginx -V` output (to confirm modules): [PASTE] Harden it: 1. **Slow-client timeouts** — set `client_header_timeout`, `client_body_timeout`, `send_timeout`, and `keepalive_timeout` to values that defeat slowloris/slow-POST but keep headroom for real slow clients. Explain what each one closes off. 2. **Buffer caps** — `client_header_buffer_size`, `large_client_header_buffers`, `client_body_buffer_size`, and `client_max_body_size` tuned so an attacker can't pin memory with oversized or dribbled headers/bodies. 3. **Connection limits** — a `limit_conn_zone` + `limit_conn` capping simultaneous connections per client key. If behind a load balancer, key on the restored real IP, not the LB's. 4. **Request-rate limits** — a `limit_req_zone` + `limit_req` with a sane `burst` and `nodelay`, plus `limit_req_status 429`, to blunt floods without dropping bursty-but-legitimate traffic. 5. **Real client IP** — if behind an LB/CDN, `set_real_ip_from` + `real_ip_header` so all limits key on the true client, not the proxy. Output: (a) the hardened `http`/`server` directives, commented with the attack each one mitigates; (b) starting values plus a "tighten if…" note for each; (c) how to observe impact — which access-log status codes (408, 429, 499) and `stub_status`/error-log signals to watch before and after; (d) verification with `nginx -t`. Apply only after `nginx -t` passes and reload, and roll changes out gradually.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
Slowloris and slow-POST work by holding connections open while sending headers or bodies one byte at a time, exhausting worker slots. The defense is a set of timeouts and buffer caps — but set them too tight and you disconnect real users on flaky mobile networks. This prompt makes you declare your legitimate client profile first, so the model tunes for defense with headroom instead of copying someone else’s blog values.
The connection- and request-rate limits are only as good as the key they hash on. The prompt calls out the single most common mistake — running behind a load balancer and keying limits on $binary_remote_addr, which sees only the LB’s IP and throttles all users as one. Restoring the real IP with real_ip first is what makes every downstream limit actually per-client.
Finally, it ties each change to an observable signal (408/429/499 in the access log, stub_status active connections) so you tighten based on evidence and can tell an attack apart from a bad timeout value.
Related prompts
-
Design NGINX Rate Limiting with limit_req & limit_conn Prompt
Design layered NGINX rate limiting using limit_req (request rate + burst) and limit_conn (concurrency) to absorb abuse and bursts without throttling legitimate users, with the right key and shared-memory sizing.
-
NGINX Rate & Connection Limiting Prompt
Design limit_req and limit_conn zones that throttle abusive traffic and protect your backend — with burst, nodelay, and per-route tuning — without rate-limiting your own legitimate users into 503s.
-
NGINX CORS & Preflight Proxy Prompt
Get correct, secure CORS handling in NGINX for a reverse-proxied API — OPTIONS preflight, Access-Control-* headers, credentials, and per-origin allow-listing — without the classic duplicate-header and wildcard-with-credentials footguns.
-
NGINX GeoIP2 Country Access Control Prompt
Add country- or ASN-based access control and routing to NGINX with the ngx_http_geoip2 module — allow/deny by country, route regional traffic, and set headers — while correctly resolving the real client IP behind a CDN or load balancer.
More NGINX prompts & error guides
Browse every NGINX prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.