
Nginx load custom php.conf in specific folder?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Oxide, Dec 11, 2015.

  1. Oxide

    Oxide Active Member

    502
    29
    28
    Mar 19, 2015
    Ratings:
    +54
    Local Time:
    11:04 PM
    For some reason, this is not working:

    location ^~ /ajax/ {
    return 444;
    include /usr/local/nginx/conf/php-safe.conf;
    }


    It only works when accessing folder directly, but not on PHP Files. Any ideas why?
     
  2. eva2000

    eva2000 Administrator Staff Member

    28,972
    6,575
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,759
    Local Time:
    11:04 PM
    Nginx 1.13.x
    MariaDB 5.5
    return 444 tells nginx not to respond at all when accessing /ajax/*
     
  3. Oxide

    I know, however it's not using that rule on PHP files
     
  4. eva2000

    /usr/local/nginx/conf/php-safe.conf's *.php location match needs to be off /ajax and also include return 444
     
  5. Oxide

    How could I do this? Basically I am using 444 to tell whether the php-safe is going through, however it's not.
    I basically want a custom php.conf for a specific directory, so I can disable limit requests as an example
     
  6. eva2000

    just edit php-safe.conf's location match for .php extension requests

    for example, the 1st line of the code below

    Code:
    location ~ ^/ajax/.*\.php$ {
            return 444;
    }
    default php.conf location match is more general
    Code:
    location ~ \.php$ {
     
  7. Oxide

    I added that rule before, no luck.. same issue, ignores it
     
  8. eva2000

    where's the limit request at, which part of the vhost?
     
  9. eva2000

    if you're rate limiting server wide in the php.conf default include file or in the server{} context without a specific location context specified, and want to use a custom php.conf include or generally to exclude a directory from rate limiting, you will need to use nginx mapping to map a whitelist $request_uri list of directories

    example in nginx http{} server context
    Code:
    map $request_uri $search_ratelimit {
            default           $binary_remote_addr;
            "~/search/"       "";
            "~/search/subdir" "";
    }
    
    limit_req_zone $search_ratelimit zone=one:10m rate=1r/s;
    and if i rate limit php.conf include
    Code:
    location ~ \.php$ {
    
    limit_req zone=one burst=5;
    but want to exclude /search and /search/subdir php files and directories

    then siege bench against server wide matched php i.e. localhost/geoip.php you can see rate limited to 1r/s
    Code:
    siege -b -c2 -r5 localhost/geoip.php
    ** SIEGE 3.1.0
    ** Preparing 2 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 200   0.00 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   0.97 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   1.97 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
    HTTP/1.1 200   2.00 secs:     123 bytes ==> GET  /geoip.php
    done.
    
    Transactions:                     10 hits
    Availability:                 100.00 %
    Elapsed time:                   8.98 secs
    Data transferred:               0.00 MB
    Response time:                  1.69 secs
    Transaction rate:               1.11 trans/sec
    Throughput:                     0.00 MB/sec
    Concurrency:                    1.89
    Successful transactions:          10
    Failed transactions:               0
    Longest transaction:            2.00
    Shortest transaction:           0.00
    however, /search/index.php is excluded from rate limit
    Code:
    siege -b -c2 -r10 localhost/search/index.php 
    ** SIEGE 3.1.0
    ** Preparing 2 concurrent users for battle.
    The server is now under siege...
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.01 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    HTTP/1.1 200   0.00 secs:      25 bytes ==> GET  /search/index.php
    done.
    
    Transactions:                     20 hits
    Availability:                 100.00 %
    Elapsed time:                   0.01 secs
    Data transferred:               0.00 MB
    Response time:                  0.00 secs
    Transaction rate:            2000.00 trans/sec
    Throughput:                     0.05 MB/sec
    Concurrency:                    1.00
    Successful transactions:          20
    Failed transactions:               0
    Longest transaction:            0.01
    Shortest transaction:           0.00
    
     
  10. Oxide

    Thanks, I will try this now and let you know.. mapping must be better
     
  11. Oxide

    Basically:

    map $request_uri $search_ratelimit {
    default $binary_remote_addr;
    "~/search/" "";
    "~/search/subdir" "";
    }

    Would be wide, is there no way, for example, to map per virtual host? I basically request limit on all sites, but all sites have different ajax file names.

    Request limiting is pretty hard without hurting ajax requests. Thinking of any ways to check if it's an ajax request, perhaps with lua.. hmm
     
  12. eva2000

    yes that would be server wide, but simple to fix by simply adding a 2nd nginx mapping for $http_host$uri to manage per vhost domain/urls

    exclude domain1.com/ajax, domain2.com/ajax, domain3.com/ajax from rate limiting
    Code:
    map $http_host$uri $hosturi_rl {
        default                1;
        ~^domain1\.com/ajax    0;
        ~^domain2\.com/ajax    0;
        ~^domain3\.com/ajax    0;
    }
    
    then instead of using something like
    Code:
    location ~ \.php$ {
    
    limit_req zone=one burst=5;
    
    use

    Code:
    location ~ \.php$ {
    
    if ($hosturi_rl = 1) {
        limit_req zone=one burst=5;
    }
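
The per-vhost exclusion from posts 9 and 12, as an added example that is not part of the thread and is not Centmin Mod's own config: nginx accepts limit_req only in the http, server and location contexts, so the exemption is carried by the zone key (requests with an empty key are not accounted) rather than by an if block. The variable name $php_rl_key is hypothetical; the domains and the zone name "one" are the thread's.

```nginx
# Added example, not from the thread. Place the map and limit_req_zone
# in the http{} context. $php_rl_key is a hypothetical variable name.

# Looser form shown for comparison (left commented out):
# the regex is unanchored and $request_uri includes the query string,
# so any URI that merely contains "/search/" anywhere, query string
# included, gets an empty key and is exempt from the limit.
#   map $request_uri $search_ratelimit {
#       default       $binary_remote_addr;
#       "~/search/"   "";
#   }

# Tighter form: key on host + $uri (normalized path, no query string),
# anchor the pattern at the start, escape the dots in the host name and
# end on the directory boundary so /ajaxfoo is not exempted.
map $http_host$uri $php_rl_key {
    default                   $binary_remote_addr;
    "~^domain1\.com/ajax/"    "";
    "~^domain2\.com/ajax/"    "";
    "~^domain3\.com/ajax/"    "";
}

# An empty key means the request is not counted against the zone.
limit_req_zone $php_rl_key zone=one:10m rate=1r/s;

# php.conf include, inside each server{}: limit_req stays unconditional,
# the map above decides which requests are counted.
location ~ \.php$ {
    limit_req zone=one burst=5;
    # ... existing fastcgi directives of php.conf stay unchanged ...
}
```

Run `nginx -t` after the change; the same siege commands used in post 9 will show whether the exempted paths and the rate-limited paths behave as intended.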