/ Register

Join the community today
Become a Member

Nginx load custom php.conf in specific folder?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Oxide, Dec 11, 2015.

Previous Thread Next Thread
Loading...
  1. Dec 11, 2015 #1
    Oxide

    Oxide Active Member

    509
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    5:36 AM
    For some reason, this is not working:

    location ^~ /ajax/ {
    return 444;
    include /usr/local/nginx/conf/php-safe.conf;
    }


    It only works when accessing folder directly, but not on PHP Files. Any ideas why?
     
  2. Dec 11, 2015 #2
    eva2000

    eva2000 Administrator Staff Member

    35,061
    7,740
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,935
    Local Time:
    5:36 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    return 444 tells nginx not to respond at all when access to /ajax/*
     
  3. Dec 11, 2015 #3
    Oxide

    Oxide Active Member

    509
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    5:36 AM
    i know, however its not using that rule on php files
     
  4. Dec 11, 2015 #4
    eva2000

    eva2000 Administrator Staff Member

    35,061
    7,740
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,935
    Local Time:
    5:36 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    /usr/local/nginx/conf/php-safe.conf's *.php location match needs to be off /ajax and also include return 444
     
  5. Dec 11, 2015 #5
    Oxide

    Oxide Active Member

    509
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    5:36 AM
    how could i do this? basically i am using 444 to tell whether the php-safe is going thru, however it's not.
    i basically want custom php.conf for specific directory, so i can disable limit requests as a example
     
  6. Dec 11, 2015 #6
    eva2000

    eva2000 Administrator Staff Member

    35,061
    7,740
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,935
    Local Time:
    5:36 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    just edit's php-safe.conf's location match for .php extension requests

    for example 1st line of below code

    Code:
    location ~ ^/ajax/.*\.php$ {
        return 444;
}
    default php.conf location match is more general
    Code:
    location ~ \.php$ {
     
  7. Dec 11, 2015 #7
    Oxide

    Oxide Active Member

    509
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    5:36 AM
    i added that rule before, no luck.. same issue, , ignores it
     
  8. Dec 11, 2015 #8
    eva2000

    eva2000 Administrator Staff Member

    35,061
    7,740
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,935
    Local Time:
    5:36 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    where's the limit request it, which part of vhost ?
     
  9. Dec 11, 2015 #9
    eva2000

    eva2000 Administrator Staff Member

    35,061
    7,740
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,935
    Local Time:
    5:36 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    if you're rate limiting server wide in php.conf default include file or in server{} context without specific location context specified and want to use custom php.conf include or to generally to exclude a directory from rate limiting, you will need to use nginx mapping to map a whitelist $request_uri list of directories

    example in nginx http{} server context
    Code:
    map $request_uri $search_ratelimit {
        default           $binary_remote_addr;
        "~/search/"       "";
        "~/search/subdir" "";
}

limit_req_zone $search_ratelimit zone=one:10m rate=1r/s;
    and if i rate limit php.conf include
    Code:
    location ~ \.php$ {

limit_req zone=one burst=5;
    but want to exclude /search and /search/subdir php files and directories

    then siege bench against server wide matched php i.e. localhost/geoip.php you can see rate limited to 1r/s
    Code:
    siege -b -c2 -r5 localhost/geoip.php
** SIEGE 3.1.0
** Preparing 2 concurrent users for battle.
The server is now under siege...
HTTP/1.1 200   0.00 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   0.97 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   1.97 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
done.

Transactions:                     10 hits
Availability:                 100.00 %
Elapsed time:                   8.98 secs
Data transferred:               0.00 MB
Response time:                  1.69 secs
Transaction rate:               1.11 trans/sec
Throughput:                     0.00 MB/sec
Concurrency:                    1.89
Successful transactions:          10
Failed transactions:               0
Longest transaction:            2.00
Shortest transaction:           0.00
    however, /search/index.php is excluded from rate limit
    Code:
    siege -b -c2 -r10 localhost/search/index.php 
** SIEGE 3.1.0
** Preparing 2 concurrent users for battle.
The server is now under siege...
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.01 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
done.

Transactions:                     20 hits
Availability:                 100.00 %
Elapsed time:                   0.01 secs
Data transferred:               0.00 MB
Response time:                  0.00 secs
Transaction rate:            2000.00 trans/sec
Throughput:                     0.05 MB/sec
Concurrency:                    1.00
Successful transactions:          20
Failed transactions:               0
Longest transaction:            0.01
Shortest transaction:           0.00
     
  10. Dec 11, 2015 #10
    Oxide

    Oxide Active Member

    509
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    5:36 AM
    thanks, i will try this now and let you know.. mapping must be better
     
  11. Dec 11, 2015 #11
    Oxide

    Oxide Active Member

    509
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    5:36 AM
    Basically:

    map $request_uri $search_ratelimit {
    default $binary_remote_addr;
    "~/search/" "";
    "~/search/subdir" "";
    }

    Would be wide, is there no way for example per virtual host to map? I basically request limit on all sites, but all sites have different ajax file names.

    Request limiting is pretty hard, without hurting ajax requests. Thinking of any ways to check if its an ajax request, perhaps with lua.. hmm
     
  12. Dec 11, 2015 #12
    eva2000

    eva2000 Administrator Staff Member

    35,061
    7,740
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,935
    Local Time:
    5:36 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    yes that would be server wide, but simple to fix by simply adding a 2nd nginx mapping for $http_host$uri to manage per vhost domain/urls

    exclude domain1.com/ajax, domain2.com/ajax, domain3.com/ajax from rate limiting
    Code:
    map $http_host$uri $hosturi_rl {
    default                1;
    ~^domain1.com/ajax     0;
    ~^domain2.com/ajax     0;
    ~^domain3.com/ajax     0;
}
    then instead of using something like
    Code:
    location ~ \.php$ {

limit_req zone=one burst=5;
    use

    Code:
    location ~ \.php$ {

if ($hosturi_rl = 1)
    limit_req zone=one burst=5;
}
     
Previous Thread Next Thread
Loading...
..

.