
Sysadmin Nginx 100% use Cpu

Discussion in 'System Administration' started by upgrade81, Apr 5, 2018.

  1. upgrade81

    upgrade81 Premium Member Premium Member

    178
    9
    18
    Sep 5, 2016
    Italy
    Ratings:
    +13
    Local Time:
    11:06 PM
    1.13.8
    10
    Hi guys, for a few days now, for no apparent reason, I have had nginx working at 100% or less.

    The only change I made was to increase the worker processes to 4, the correct number for my cores.

    However, even bringing it back to 2, as it was originally, does not change anything.

    This VM runs a Xenforo and a Wordpress.

    How can I investigate thoroughly what causes these spikes?
    The error log, php-error and access-log do not report anything abnormal.

    The traffic is constant and does not justify the 100% use of the nginx processor.

    grabilla.126920.png
     
  2. Revenge

    Revenge Active Member

    429
    87
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +319
    Local Time:
    10:06 PM
    1.9.x
    10.1.x
    You can start by installing ngxtop to check how many requests per second your nginx is handling.

    Code:
    yum install python-pip
    pip install ngxtop
     
    Last edited: Apr 6, 2018
  3. upgrade81

    I do not think this is the problem.
    I just checked now.
     
  4. upgrade81

    OK, this is today's history

    grabilla.134080.png
    this in real time

    grabilla.123188.png
    It keeps going to 100%; I have to restart nginx every 10 minutes.
     
  5. upgrade81

    Now the other virtual machine is also doing the same.

    Code (Text):
    NGINX_PAGESPEED=y
    NGINX_ZLIBCUSTOM='y'
    ORESTY_LUANGINX=n
    NGINX_XSLT='n'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_XSLT='n'
    NGXDYNAMIC_IMAGEFILTER='y'
    NGXDYNAMIC_GEOIP='n'
    NGXDYNAMIC_STREAM='y'
    NGXDYNAMIC_HEADERSMORE='y'
    NGXDYNAMIC_SETMISC='y'
    NGXDYNAMIC_ECHO='y'
    NGXDYNAMIC_SRCCACHE='y'
    NGXDYNAMIC_MEMC='y'
    NGXDYNAMIC_REDISTWO='y'
    NGXDYNAMIC_NGXPAGESPEED='y'
    NGXDYNAMIC_BROTLI='y'
    PHPMSSQL='y'
    PHP_PGO='y'
    PHP_PGO_CENTOSSIX='y'
    NGINX_DEVTOOLSETGCC='y'
    GENERAL_DEVTOOLSETGCC='y'
    CLANG='n'
    LIBRESSL_SWITCH='n'
    NGX_GSPLITDWARF='y'
    PHP_GSPLITDWARF='y'
    NGX_LDGOLD='y'
    
    
    # -----set = y to put nginx, php and mariadb major version updates into 503
    # maintenance mode https://community.centminmod.com/posts/26485/
    NGINX_UPDATEMAINTENANCE='y'
    PHP_UPDATEMAINTENANCE='y'
    MARIADB_UPDATEMAINTENANCE='y'
    
    #------nginx
    LETSENCRYPT_DETECT='y'
    NGINX_DYNAMICTLS='n'
    CLOUDFLARE_ZLIB='y'
    NGINX_HPACK='y'
    
    #------openssl nginx related
    CLOUDFLARE_PATCHSSL='y'    # set 'y' to implement Cloudflare's chacha20 patch https://github.com/cloudflare/sslconfig
    CLOUDFLARE_ZLIB='y'        # use Cloudflare optimised zlib fork https://blog.cloudflare.com/cloudflare-fights-cancer/
    CLOUDFLARE_ZLIBPHP='y'     # use Cloudflare optimised zlib fork for PHP-FPM zlib instead of system zlib
    OPENSSL_VERSION='1.1.0g'
    OPENSSLEQUALCIPHER_PATCH='n' # https://community.centminmod.com/posts/57916/
    
    
    #PHP Custom
    PHP_VERSION='7.1.15'
    GCCINTEL_PHP='y'
    PHPGEOIP_ALWAYS='n'
    
     
  6. Revenge

    Unless you have a really weak cpu, 10 req/s can't cause that. Something must be messing with nginx.

    I have seen something similar some months ago, and it was a specific page. When someone entered that page, nginx would simply start using all resources. In this case it was a Topic, and we just deleted that topic. We never found the reason why it was happening.
     
    • Like x 1
  7. upgrade81

    Here the second VM where I'm trying Amplify. It is clearly seen when Nginx has gone down.
     


  8. upgrade81

    And how did you find it?
     
  9. upgrade81

    This with around 760 online users in real time, Google Analytics source.

    Everything is ok, but it is as if every hour nginx crashes something.

    grabilla.136600.png

    I can not find the cause :(
     
  10. Revenge

    Trial and error after many hours.

    In the image you posted of Amplify, you have about 20 req/s and then you have 400 current requests. If you only receive 20 requests each second, how do the requests at the same time go to 400? The only reason I see is that each request is taking a long time to complete.
     
  11. eva2000

    eva2000 Administrator Staff Member

    37,214
    8,127
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,513
    Local Time:
    8:06 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    ngxtop is a good tool for starters, but as per Nginx - ngxtop real time metrics for Nginx, Centmin Mod by default buffers a certain amount of access log entries in memory (256KB) before flushing and writing to disk for performance reasons. This means you may not get live request entries in your access logs until you do an nginx restart or reload, or until that memory buffer is full (256KB) or the flush time is reached (5 minutes). Which means if you're reading ngxtop live stats with a buffered access log, that 10 req/s is really higher, as you're reading the request rate with a buffered access log.

    You can temporarily remove buffered access logging to see the real rate, but know that it adds more load to nginx without buffered access logging. So remove the buffer and flush directives from your vhost (buffer=256k flush=5m), or set up a commented-out original line and add a modified line so you can switch between the 2 more easily just by commenting/uncommenting them, like this:
    Code (Text):
    #access_log /home/nginx/domains/domain.com/log/access.log combined buffer=256k flush=5m;
    access_log /home/nginx/domains/domain.com/log/access.log combined;
    

    Or better yet just do an nginx reload or restart to flush the access logs to disk.

    Also added more ngxtop filtering examples at Nginx - ngxtop real time metrics for Nginx

    In below examples change domain=yourdomain.com to your domain name.

    i.e. print top 10 requests where status code = 200
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | ngxtop --no-follow top request -i 'status == 200' -n10
    


    i.e. print top 10 requests where status code = 200 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status == 200' -n10
    


    i.e. print only today's top 10 where status code = 200 using grep filter on grep "$(date +"%d/%b/%Y")" i.e. 06/Apr/2018
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep "$(date +"%d/%b/%Y")" | ngxtop --no-follow top request -i 'status == 200' -n10
    


    i.e. print top 10 requests where status code = 444 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status == 444' -n10
    

    i.e. print top 10 requests where status code = 503 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status == 503' -n10
    

    i.e. print top 10 requests where status code = 500 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status == 500' -n10
    


    i.e. print top 10 user agent where status code = 200
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | ngxtop --no-follow top http_user_agent -i 'status == 200' -n10
    


    i.e. print top 10 user agent where status code = 200 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status == 200' -n10
    

    i.e. print top 10 user agent where status code = 444 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status == 444' -n10
    

    i.e. print top 10 user agent where status code = 503 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status == 503' -n10
    

    i.e. print top 10 user agent where status code = 500 for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status == 500' -n10
    


    i.e. print top 10 HTTP status codes
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | ngxtop --no-follow top status -n10
    


    i.e. print top 10 HTTP status codes for April 2018 only (Apr/2018)
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top status -n10
    


    Average body bytes sent of 200 responses of requested path begin with '/wp-content'
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | ngxtop --no-follow avg bytes_sent --filter 'status == 200 and request_path.startswith("/wp-content")'
    

    example
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | ngxtop --no-follow avg bytes_sent --filter 'status == 200 and request_path.startswith("/wp-content")'
    running for 1 seconds, 439 records processed: 757.45 req/sec
    
    average ['bytes_sent']
    |   avg(bytes_sent) |
    |-------------------|
    |         60281.207 |
    

    Average body bytes sent of 200 responses of requested path begin with '/wp-content' for April 2018 only
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow avg bytes_sent --filter 'status == 200 and request_path.startswith("/wp-content")'
    

    example
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow avg bytes_sent --filter 'status == 200 and request_path.startswith("/wp-content")'
    running for 0 seconds, 176 records processed: 872.65 req/sec
    
    average ['bytes_sent']
    |   avg(bytes_sent) |
    |-------------------|
    |         52312.716 |
    


    Top 10 requests with highest total bytes sent
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | ngxtop --no-follow --order-by 'avg(bytes_sent) * count'
    

    Top 10 requests with highest total bytes sent for April 2018 only
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow --order-by 'avg(bytes_sent) * count'
    


    As to cpu loads make sure you're checking all logs. In SSH2 telnet you can use tail command to view the last X number of lines in the file.

    For example for viewing last 10 lines in the file for:

    For Nginx access and error logs:
    Code:
      tail -10 /usr/local/nginx/logs/access.log
      tail -10 /usr/local/nginx/logs/error.log
    
    For specific domainname.com access and error log:
    Code:
      tail -10 /home/nginx/domains/domainname.com/log/access.log
      tail -10 /home/nginx/domains/domainname.com/log/error.log
    
    For other system error logs located at /var/log:

    list /var/log files in ascending time order so the most recently modified files are at the bottom
    Code:
      ls -lhrt /var/log
    
    Code:
    total 2.7M
    -rw------- 1 root  root    0 Aug 29 15:33 tallylog
    -rw------- 1 root  root    0 Aug 29 15:33 spooler
    drwx------ 3 root  root 4.0K Aug 29 15:35 samba
    drwxr-xr-x 2 root  root 4.0K Aug 29 15:35 mail
    -rw-r--r-- 1 root  500     0 Oct  8 18:13 dmesg.old
    -rw------- 1 root  500     0 Oct  8 18:13 boot.log
    -rw-r--r-- 1 root  500     0 Oct  8 18:14 dmesg
    drwx------ 2 root  root 4.0K Oct  8 18:14 httpd
    drwxr-xr-x 2 root  root 4.0K Oct  8 19:08 php-fpm
    -rw-rw---- 1 mysql root 2.3K Oct  9 12:38 mysqld.log
    -rw------- 1 root  root 9.2K Oct 26 10:48 yum.log
    -rw------- 1 root  utmp  94K Nov  7 22:59 btmp
    drwxr-xr-x 2 root  root 4.0K Nov  8 00:00 sa
    -rw------- 1 root  root 269K Nov  8 21:39 messages
    -rw------- 1 root  root 110K Nov  8 23:08 secure
    -rw-rw-r-- 1 root  utmp  43K Nov  8 23:08 wtmp
    -rw-r--r-- 1 root  root 144K Nov  8 23:08 lastlog
    -rw------- 1 root  root  69K Nov  8 23:08 lfd.log
    -rw------- 1 root  root 332K Nov  8 23:08 maillog
    -rw------- 1 root  500  1.6M Nov  8 23:10 cron
    
    For PHP-FPM error log:
    Code:
      tail -10 /var/log/php-fpm/www-error.log
    
    and/or
    Code:
      tail -10 /var/log/php-fpm/www-php.error.log
    
    For MySQL / MariaDB error log:
    Code:
      tail -10 /var/log/mysqld.log
    
    For CSF firewall LFD log:
    Code:
      tail -10 /var/log/lfd.log
    
    For Mail log:
    Code:
      tail -10 /var/log/maillog
    
    For Cron job logs:
    Code:
      tail -10 /var/log/cron
    
    However, there are many Linux tools and scripts that can help you figure out what was causing the load issues and when.

    Tools and commands you will want to read up on and learn for basic system admin tasks and troubleshooting.
     
    • Agree x 1
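The "check all logs" step from the post above, as an added example that is not part of the original post or of Centmin Mod: a Python triage pass over lines from /var/log/messages and the PHP-FPM error log that decodes kernel segfault records (faulting module, offset into it, access type) and counts max_children warnings. Function names are hypothetical; the sample lines use the record formats posted later in this thread, and the ones marked constructed are made up.

```python
import re
from collections import Counter

PAGE_SIZE = 4096  # fault addresses below this are almost always NULL + field offset

# x86-64 kernel record: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp>
# error <code> in <object>[<map_start>+<map_size>]"; every number is hex.
SEGFAULT_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\]\s*)?(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)
MAXCHILD_RE = re.compile(
    r"WARNING: \[pool (?P<pool>[^\]]+)\] server reached max_children "
    r"setting \((?P<limit>\d+)\)"
)

SAMPLE = [
    # kernel and php-fpm records in the form posted later in this thread
    "Apr  7 19:48:10 vip03 kernel: nginx[23327]: segfault at 30 ip 00007fc52f461959 "
    "sp 00007ffceb034090 error 4 in ngx_http_brotli_filter_module.so[7fc52f460000+3000]",
    "[07-Apr-2018 13:43:52] WARNING: [pool www] server reached max_children setting (24), consider raising it",
    "[07-Apr-2018 13:51:18] WARNING: [pool www] server reached max_children setting (24), consider raising it",
    # constructed: a later worker crashing at the same code offset after a
    # restart mapped the module elsewhere, plus one unrelated firewall line
    "Apr  7 19:58:31 vip03 kernel: nginx[23911]: segfault at 30 ip 00007f1a8c2e1959 "
    "sp 00007ffd1b2a4c10 error 4 in ngx_http_brotli_filter_module.so[7f1a8c2e0000+3000]",
    "Apr  7 19:58:40 vip03 kernel: Firewall: *TCP_IN Blocked* IN=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.7 PROTO=TCP DPT=8090",
]


def decode_error(code):
    """Translate the x86 page-fault error code bits into words."""
    if code & 0x10:
        kind = "instruction fetch"
    elif code & 0x2:
        kind = "write"
    else:
        kind = "read"
    cause = "protection violation" if code & 0x1 else "page not mapped"
    mode = "user" if code & 0x4 else "kernel"
    return f"{mode}-mode {kind}, {cause}"


def parse_segfault(line):
    """Return a dict describing one kernel segfault record, or None."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    rec = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "ip": ip,
        "access": decode_error(err),
        "near_null": addr < PAGE_SIZE,
        "object": m["obj"],
        "offset": None,
    }
    if m["obj"]:
        # Offset of the faulting instruction from the start of the mapping the
        # kernel printed. It is stable across ASLR, so repeated crashes at one
        # offset point at one code path. Assumption: to use it as a file
        # offset, that mapping must start at file offset 0.
        rec["offset"] = ip - int(m["base"], 16)
    return rec


def triage(lines):
    """Group segfaults by (process, module, offset); count max_children hits."""
    report = {"segfaults": Counter(), "max_children": Counter()}
    for line in lines:
        rec = parse_segfault(line)
        if rec:
            off = hex(rec["offset"]) if rec["offset"] is not None else None
            report["segfaults"][(rec["comm"], rec["object"], off)] += 1
            continue
        m = MAXCHILD_RE.search(line)
        if m:
            report["max_children"][(m["pool"], int(m["limit"]))] += 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for (comm, obj, off), n in result["segfaults"].most_common():
        print(f"{n}x {comm} crashed in {obj} at offset {off}")
    for (pool, limit), n in result["max_children"].items():
        print(f"{n}x php-fpm pool {pool} hit max_children={limit}")
```

Repeated worker crashes at one module offset mean nginx keeps respawning workers, which a request-rate view such as ngxtop does not show. With a module built with debug symbols, the offset can be resolved to a source line with `addr2line -e <module.so> <offset>`.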
  12. upgrade81

    Here is the result of the analysis after eliminating the flush and buffer.

    This is the VM with Wordpress + Redis Cache.

    Today the situation seems to have improved.

    But next time?
    Could it have been the usual flood attack?


    Code (Text):
     zcat -f /home/nginx/domains/xxxxx.it/log/access.log* | ngxtop --no-follow --order-by 'avg(bytes_sent) * count'
    running for 213 seconds, 3348394 records processed: 15702.49 req/sec
    
    Summary:
    |   count |   avg_bytes_sent |     2xx |    3xx |    4xx |   5xx |
    |---------+------------------+---------+--------+--------+-------|
    | 3348394 |        37726.623 | 3089816 | 100538 | 157453 |   385 |
    
    Detailed:
    | request_path                                                                    |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |---------------------------------------------------------------------------------+---------+------------------+-------+-------+-------+-------|
    | /wp-content/uploads/2018/03/180330_Alfa_Romeo_2017_Stelvio_Quadrifoglio.jpg     |   24796 |       332399.470 | 24759 |    16 |    21 |     0 |
    | /wp-load.php                                                                    |    2047 |      3192693.137 |  2047 |     0 |     0 |     0 |
    | /wp-content/uploads/2018/03/fca.jpg                                             |   16833 |       226641.179 | 16821 |     9 |     3 |     0 |
    | /wp-content/uploads/2018/03/dipendenti-maserati-grugliasco_2018.jpg             |   19048 |       168596.250 | 19022 |    11 |    15 |     0 |
    | /wp-content/uploads/2018/03/Fiat-Chrysler-Automobiles-addio-Serbia-1.jpg        |   26968 |        80215.234 | 26889 |    66 |    13 |     0 |
    | /wp-content/cache/css/aggregati_bb72063050502829c1e5d64a1ac993be.css            |   35592 |        55592.893 | 35529 |    52 |    11 |     0 |
    | /wp-content/uploads/2018/04/Alfa-Romeo-Giulia-Quadrifoglio-USA-43-1.jpg         |   13542 |       128797.347 | 13517 |     6 |    19 |     0 |
    | /wp-content/uploads/2018/03/Alfa-Romeo-Stelvio-Nero-Edizione-5.jpg              |   28764 |        60075.638 | 28650 |    93 |    21 |     0 |
    | /wp-content/uploads/2017/12/Alfa-Romeo-Stelvio-Quadrifoglio-1.jpg               |    9912 |       168755.997 |  9890 |    22 |     0 |     0 |
    | /wp-content/uploads/2018/03/Fiat-Chrysler-Automobiles-Goiana-pieno-regime-1.jpg |   13306 |       119250.662 | 13292 |     9 |     5 |     0 |


    Code (Text):
    zcat -f /home/nginx/domains/xxxx.it/log/access.log* | ngxtop --no-follow avg bytes_sent --filter 'status == 200 and request_path.startswith("/wp-content")'
    running for 267 seconds, 2376556 records processed: 8909.15 req/sec
    
    average ['bytes_sent']
    |   avg(bytes_sent) |
    |-------------------|
    |         45067.186 |
    



    Xenforo VM

    Code (Text):
     zcat -f /home/nginx/domains/forum.xxxxxx.it/log/access.log | ngxtop --no-follow top request -i 'status == 200' -n10
    running for 13 seconds, 4722 records processed: 352.16 req/sec
    
    top request
    | request                                                                    |   count |
    |----------------------------------------------------------------------------+---------|
    | GET /css.php?css=xenforo,form,public&style=4&dir=LTR&d=1522978158 HTTP/2.0 |     125 |
    | GET /css.php?css=EXTRA&style=4&dir=LTR&d=1522978158 HTTP/2.0               |     123 |
    | GET /css.php?css=uix,uix_style,corp&style=4&dir=LTR&d=1522978158 HTTP/2.0  |     123 |
    | GET /images/footer/googleplay.png HTTP/2.0                                 |     114 |
    | GET /images/footer/appstore.png HTTP/2.0                                   |     113 |
    | GET /images/footer/newsletter.png HTTP/2.0                                 |     113 |
    | GET /styles/corp/logo_forum.png HTTP/2.0                     |     113 |
    | POST /mobiquo/mobiquo.php HTTP/2.0                                         |     109 |
    | GET /styles/corp/xenforo/avatars/avatar_s.png HTTP/2.0                     |      87 |
    | GET /styles/corp/xenforo/avatars/avatar_l.png HTTP/2.0                     |      86 |
    


    Code (Text):
    zcat -f /home/nginx/domains/forum.XXXX.it/log/access.log* | ngxtop --no-follow top http_user_agent -i 'status == 200' -n10
    running for 162 seconds, 9519 records processed: 58.91 req/sec
    
    top http_user_agent
    | http_user_agent                                                                                                                          |   count |
    |------------------------------------------------------------------------------------------------------------------------------------------+---------|
    | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36                      |     808 |
    | Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)                                                                  |     776 |
    | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)                                                                 |     505 |
    | Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36                       |     432 |
    | Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1  |     254 |
    | Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.1 |     240 |
    | Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)                                                                            |     216 |
    | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36                                   |     215 |
    | Mozilla/5.0 (compatible; proximic; +https://www.comscore.com/Web-Crawler)                                                                |     212 |
    | Mediapartners-Google                                                                                                                     |     208 |
    
     
  13. eva2000

    might want to check just for April 2018 for average bytes sent, http status code 200, 404, 444 and >= 500 based requests and http user agent strings - that should give you an idea of what path/urls were hit most. That only gives you an idea of if it was xenforo or wordpress related to start with.
    Code (Text):
    service nginx reload
    domain=yourdomain.com
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow --order-by 'avg(bytes_sent) * count'
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status == 200' -n10
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status == 404' -n10
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status == 444' -n10
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top request -i 'status >= 500' -n10
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status == 200' -n10
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status == 404' -n10
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status == 444' -n10
    
    zcat -f /home/nginx/domains/$domain/log/access.log* | grep 'Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status >= 500' -n10
    
     
  14. upgrade81

    Hi, no, there are two VMs:
    1 Xenforo
    1 Wordpress

    Right now I have nginx at 100% on the VM with Xenforo and 3 Wordpress websites (which do not get traffic). I took advantage of it to analyze all the logs, and these are the results:

    Code (Text):
    tail -10 /var/log/lfd.log
    Apr  7 17:45:32 vip03 lfd[16184]: 115.84.91.49 (LA/Laos/-), 5 distributed sshd attacks on account [admin] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    Apr  7 18:00:11 vip03 lfd[17197]: *SSH login* from 93.54.74.62 into the root account using password authentication
    Apr  7 19:10:12 vip03 lfd[21323]: (sshd) Failed SSH login from 42.7.26.60 (CN/China/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]
    Apr  7 19:21:52 vip03 lfd[22055]: 41.188.109.6 (MR/Mauritania/-), 7 distributed sshd attacks on account [root] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    Apr  7 19:22:52 vip03 lfd[22140]: 204.9.200.244 (US/United States/204.9.200.244.uscolo.com), 5 distributed sshd attacks on account [admin] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    Apr  7 19:22:52 vip03 lfd[22140]: 119.237.22.63 (HK/Hong Kong/n11923722063.netvigator.com), 5 distributed sshd attacks on account [admin] in the last 3600 secs - *Blocked in csf* [LF_DISTATTACK]
    


    Code (Text):
     tail -10 /var/log/messages
    Apr  7 19:47:40 vip03 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:13:c5:3c:08:00 SRC=193.183.98.226 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=50611 DF PROTO=UDP SPT=34999 DPT=1900 LEN=181
    Apr  7 19:47:40 vip03 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:13:c5:3c:08:00 SRC=193.183.98.226 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=50612 DF PROTO=UDP SPT=34999 DPT=1900 LEN=181
    Apr  7 19:47:46 vip03 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:e2:ab:6d:00:01:e8:d8:cc:2b:08:00 SRC=181.214.87.17 DST=193.183.XXX.XXX LEN=40 TOS=0x08 PREC=0x40 TTL=242 ID=40534 PROTO=TCP SPT=45846 DPT=5701 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  7 19:47:54 vip03 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:e2:ab:6d:00:01:e8:d8:cc:2b:08:00 SRC=181.214.87.17 DST=193.183.XXX.XXX LEN=40 TOS=0x08 PREC=0x40 TTL=242 ID=39665 PROTO=TCP SPT=45846 DPT=5682 WINDOW=1024 RES=0x00 SYN URGP=0
    Apr  7 19:47:56 vip03 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:e2:ab:6d:00:01:e8:d8:cc:2b:08:00 SRC=183.131.83.112 DST=193.183.XXX.XXX LEN=40 TOS=0x08 PREC=0x20 TTL=88 ID=256 PROTO=TCP SPT=6000 DPT=8090 WINDOW=16384 RES=0x00 SYN URGP=0
    Apr  7 19:48:02 vip03 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:e2:ab:6d:00:01:e8:d8:cc:2b:08:00 SRC=185.165.31.114 DST=193.183.XXX.XXX LEN=68 TOS=0x00 PREC=0x00 TTL=249 ID=54321 PROTO=UDP SPT=57052 DPT=111 LEN=48
    Apr  7 19:48:10 vip03 kernel: nginx[23327]: segfault at 30 ip 00007fc52f461959 sp 00007ffceb034090 error 4 in ngx_http_brotli_filter_module.so[7fc52f460000+3000]
    Apr  7 19:48:40 vip03 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:13:c5:3c:08:00 SRC=193.183.98.226 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=50613 DF PROTO=UDP SPT=34999 DPT=1900 LEN=181
    Apr  7 19:48:40 vip03 kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:16:3e:13:c5:3c:08:00 SRC=193.183.98.226 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=50614 DF PROTO=UDP SPT=34999 DPT=1900 LEN=181
    Apr  7 19:48:53 vip03 kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3e:e2:ab:6d:00:01:e8:d8:cc:2b:08:00 SRC=181.214.87.17 DST=193.183.XXX.XXX LEN=40 TOS=0x08 PREC=0x40 TTL=242 ID=7938 PROTO=TCP SPT=45846 DPT=5351 WINDOW=1024 RES=0x00 SYN URGP=0
    


    Code (Text):
    tail -10 /var/log/php-fpm/www-error.log
    [07-Apr-2018 13:43:52] WARNING: [pool www] server reached max_children setting (24), consider raising it
    [07-Apr-2018 13:51:18] WARNING: [pool www] server reached max_children setting (24), consider raising it
    [07-Apr-2018 16:40:40] WARNING: [pool www] server reached max_children setting (24), consider raising it
    


    Code (Text):
    running for 706 seconds, 3 records processed: 0.00 req/sec
    
    Summary:
    |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |---------+------------------+-------+-------+-------+-------|
    |       3 |        22600.000 |     2 |     0 |     1 |     0 |
    
    Detailed:
    | request_path                                                    |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |-----------------------------------------------------------------+---------+------------------+-------+-------+-------+-------|
    | /news/god-of-war-4-2018-3129/                        |       1 |        14548.000 |     1 |     0 |     0 |     0 |
    | /news/ps4-pro-2303/amp/ |       1 |        53064.000 |     1 |     0 |     0 |     0 |
    | /wp-login.php                                                   |       1 |          188.000 |     0 |     0 |     1 |     0 |
    

    Code (Text):
    running for 810 seconds, 314 records processed: 0.39 req/sec
    
    Summary:
    |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |---------+------------------+-------+-------+-------+-------|
    |     314 |        73101.994 |   289 |    11 |    14 |     0 |
    
    Detailed:
    | request_path                                                                 |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |------------------------------------------------------------------------------+---------+------------------+-------+-------+-------+-------|
    | /feed                                                                        |      12 |        23655.500 |     6 |     6 |     0 |     0 |
    | /wp-cron.php                                                                 |      10 |           28.400 |    10 |     0 |     0 |     0 |
    | /wp-content/uploads/2017/02/Renegade.jpg                                |       6 |       197900.000 |     6 |     0 |     0 |     0 |

    Code (Text):
    running for 868 seconds, 7 records processed: 0.01 req/sec
    
    Summary:
    |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |---------+------------------+-------+-------+-------+-------|
    |       7 |         5794.857 |     7 |     0 |     0 |     0 |
    
    

    Code (Text):
    running for 1242 seconds, 5916 records processed: 4.76 req/sec
    
    Summary:
    |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |---------+------------------+-------+-------+-------+-------|
    |    5916 |        42889.873 |  5450 |   292 |   174 |     0 |
    
    Detailed:
    | request_path                                       |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
    |----------------------------------------------------+---------+------------------+-------+-------+-------+-------|
    | /css.php                                           |    1063 |         8903.129 |  1007 |     4 |    52 |     0 |
    | /mobiquo/mobiquo.php                               |     297 |         4016.384 |   296 |     0 |     1 |     0 |
    | /styles/themealfa/logo_forum.png          |     166 |        12001.163 |   164 |     0 |     2 |     0 |
    | /images/googleplay.png                      |     165 |         1718.582 |   164 |     0 |     1 |     0 |
    | /images/newsletter.png                      |     165 |         1641.600 |   164 |     0 |     1 |     0 |
    | /images/appstore.png                        |     163 |         1885.436 |   162 |     0 |     1 |     0 |
    | /styles/corp/xenforo/avatars/avatar_l.png          |     137 |          760.496 |   136 |     0 |     1 |     0 |
    | /mobiquo/avatar.php                                |     113 |            0.221 |    96 |    17 |     0 |     0 |
    | /styles/default/xenforo/xenforo-smilies-sprite.png |     110 |         8130.291 |   109 |     0 |     1 |     0 |
    | /styles/default/xenforo/clear.png                  |     108 |          135.731 |   107 |     0 |     1 |     0 |
    


    Code (Text):
    netstat -an | grep :80 | sort
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:46936         127.0.0.1:80            ESTABLISHED
    tcp        0      0 127.0.0.1:80            127.0.0.1:46936         ESTABLISHED
    tcp        0      0 193.183.XXX.XXX:443      176.200.108.252:8099    TIME_WAIT
    tcp        0      0 193.183.XXX.XXX:46606    54.221.213.164:80       TIME_WAIT
    tcp        0      0 193.183.XXX.XXX:80       169.60.28.106:59274     TIME_WAIT
    tcp        0      0 193.183.XXX.XXX:80       66.249.76.151:58289     TIME_WAIT
    tcp        0      0 193.183.XXX.XXX:80       66.249.76.54:39299      TIME_WAIT
    tcp        0      0 193.183.XXX.XXX:80       66.249.76.54:39648      ESTABLISHED
    tcp        0      0 193.183.XXX.XXX:80       66.249.76.54:62220      TIME_WAIT
    udp     4352      0 193.183.XXX.XXX:8056     8.8.8.8:53              ESTABLISHED
    

    Code (Text):
    netstat -n -p | grep SYN_REC | sort -u
    tcp        0      0 193.183.XXX.XXX:443      94.35.140.73:60423      SYN_RECV    -
    tcp        0      0 193.183.XXX.XXX:443      94.35.140.73:60424      SYN_RECV    -

    Code (Text):
    netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
    204.79.180.16
    95.238.122.109
    95.238.122.109
    

    Code (Text):
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
        477 127.0.0.1
    

    Code (Text):
    netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
          8 127.0.0.1
    

    Code (Text):
     netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
        618 127.0.0.1
    


    Code:
    zcat -f /home/nginx/domains/forum.xxxxxxx.it/log/access.log* | grep '07/Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status >= 200' -n10
    running for 22 seconds, 289492 records processed: 12948.53 req/sec
    
    top http_user_agent
    | http_user_agent                                                                                                                          |   count |
    |------------------------------------------------------------------------------------------------------------------------------------------+---------|
    | Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)                                                                  |   26532 |
    | Googlebot-Image/1.0                                                                                                                      |   18684 |
    | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0                                                                |   13440 |
    | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36                      |   13034 |
    | Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0 Mobile/15D100 Safari/604.1 |   11412 |
    | Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36 BYO-4/7.1.13                       |   10162 |
    | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)                                                                 |    8097 |
    | Mozilla/5.0 (compatible; proximic; +https://www.comscore.com/Web-Crawler)                                                                |    6990 |
    | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0                                                           |    6538 |
    | Mozilla/5.0 (compatible; GrapeshotCrawler/2.0; +http://www.grapeshot.co.uk/crawler.php)                                                  |    6014 |
    Code:
    zcat -f /home/nginx/domains/forum.xxxxx.it/log/access.log* | grep '07/Apr/2018' | ngxtop --no-follow top http_user_agent -i 'status >= 444' -n10
    running for 20 seconds, 1989 records processed: 101.68 req/sec
    
    top http_user_agent
    | http_user_agent                                                                                                                                  |   count |
    |--------------------------------------------------------------------------------------------------------------------------------------------------+---------|
    | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0                                                                   |    1036 |
    | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0                                                                    |     257 |
    | Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0                                                                    |     170 |
    | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0                                                               |      94 |
    | Mozilla/5.0 (Windows NT 6.1; rv:59.0) Gecko/20100101 Firefox/59.0                                                                                |      89 |
    | Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0                                                                     |      76 |
    | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0                                                                        |      32 |
    | Mozilla/5.0 (Linux; Android 8.0.0; Mi A1 Build/OPR1.170623.026) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.109 Mobile Safari/537.36 |      24 |
    | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:59.0) Gecko/20100101 Firefox/59.0                                                                |      17 |
    | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0                                                                         |      16 |
    


    Can you tell me what you think?
     
    Last edited: Apr 8, 2018
  15. eva2000

    eva2000 Administrator Staff Member

    37,214
    8,127
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,513
    Local Time:
    8:06 AM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    what's output for
    Code (Text):
    nginx -V
    

    from /var/log/messages, ngx_brotli is segfaulting it seems in nginx
    Code (Text):
    Apr  7 19:48:10 vip03 kernel: nginx[23327]: segfault at 30 ip 00007fc52f461959 sp 00007ffceb034090 error 4 in ngx_http_brotli_filter_module.so[7fc52f460000+3000]
    

    Try updating to the latest 123.09beta01, run the cmdupdate command and then recompile via centmin.sh menu option 4 to get the latest nginx version with the latest ngx_brotli module and see. If it is still segfaulting (check timestamps in /var/log/messages against entries), then try recompiling via centmin.sh menu option 4 without ngx_brotli in /etc/centminmod/custom_config.inc
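
The post above suggests checking segfault timestamps in /var/log/messages before and after the rebuild. The script below is an added example, not code from the thread or from Centmin Mod: it groups nginx segfault lines by faulting object so that comparison is quick. The function names are hypothetical, every sample line except the first is constructed, and the syslog layout is assumed to match the quoted line.

```shell
#!/bin/sh
# Line 1 is the kernel message quoted in the thread; the rest are constructed.
sample_messages() {
cat <<'EOF'
Apr  7 19:48:10 vip03 kernel: nginx[23327]: segfault at 30 ip 00007fc52f461959 sp 00007ffceb034090 error 4 in ngx_http_brotli_filter_module.so[7fc52f460000+3000]
Apr  7 19:52:41 vip03 kernel: nginx[23391]: segfault at 30 ip 00007fc52f461959 sp 00007ffceb033f10 error 4 in ngx_http_brotli_filter_module.so[7fc52f460000+3000]
Apr  7 20:03:05 vip03 kernel: nginx[23442]: segfault at 30 ip 00007fc52f461959 sp 00007ffceb034090 error 4 in ngx_http_brotli_filter_module.so[7fc52f460000+3000]
Apr  7 20:04:00 vip03 kernel: php-fpm[1201]: segfault at 8 ip 00000000006a1b2c sp 00007ffd1c2a9e50 error 4 in php-fpm[400000+8f1000]
Apr  7 20:05:12 vip03 systemd: Started Session 812 of user root.
Apr  7 20:10:30 vip03 kernel: nginx[23500]: segfault at 7fc52e000010 ip 00007fc5301a2c40 sp 00007ffceb033e80 error 6 in libc-2.17.so[7fc530120000+1c3000]
EOF
}

# Reads syslog lines on stdin. Prints one tab-separated row per faulting object:
# object, crashes, first seen, last seen, instruction offsets, low-address faults.
# A repeated offset means the same instruction faults every time; a fault
# address below 0x1000 (like "at 30") is a read or write through a near-NULL pointer.
segfault_summary() {
  awk '
    function hex(s,   i, n, d) {          # hex string -> number, no gawk strtonum
      n = 0; s = tolower(s)
      for (i = 1; i <= length(s); i++) {
        d = index("0123456789abcdef", substr(s, i, 1)) - 1
        if (d < 0) return -1
        n = n * 16 + d
      }
      return n
    }
    $5 == "kernel:" && $6 ~ /^nginx\[[0-9]+\]:$/ && $7 == "segfault" {
      addr = ""; ip = ""; obj = ""
      for (i = 7; i < NF; i++) {
        if ($i == "at") addr = $(i + 1)
        if ($i == "ip") ip = $(i + 1)
        if ($i == "in") obj = $(i + 1)
      }
      p = index(obj, "[")
      if (p == 0) next                     # line carries no mapping information
      name = substr(obj, 1, p - 1)
      base = substr(obj, p + 1); sub(/\+.*/, "", base)
      off = sprintf("0x%x", hex(ip) - hex(base))
      ts = $1 " " $2 " " $3
      if (!(name in crashes)) first[name] = ts
      crashes[name]++
      last[name] = ts
      if (!((name, off) in seen)) {
        seen[name, off] = 1
        offs[name] = (offs[name] == "" ? off : offs[name] "," off)
      }
      if (hex(addr) >= 0 && hex(addr) < 4096) low[name]++
    }
    END {
      for (name in crashes)
        printf "%s\t%d\t%s\t%s\t%s\t%d\n", name, crashes[name],
               first[name], last[name], offs[name], low[name] + 0
    }
  ' | sort -t "$(printf '\t')" -k2,2nr
}

sample_messages | segfault_summary
```

On the server itself, `segfault_summary < /var/log/messages` gives the same table; if the "last seen" column stops advancing after the module is rebuilt or disabled, the crashes have stopped.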
     
  16. upgrade81

    upgrade81 Premium Member Premium Member

    I added 2 ngxtop outputs at the end of the previous message.
    Nginx and cmdupdate were performed yesterday, with recompilation to the latest version!

    Code (Text):
    nginx version: nginx/1.13.11
    built by gcc 7.2.1 20170829 (Red Hat 7.2.1-1) (GCC)
    built with OpenSSL 1.1.0h  27 Mar 2018
    TLS SNI support enabled
    configure arguments: --with-ld-opt='-L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/lib' --with-cc-opt='-I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.4.2 --add-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.31 --add-dynamic-module=../echo-nginx-module-0.61 --add-dynamic-module=../redis2-nginx-module-0.14 --add-module=../ngx_http_redis-0.3.7 --add-dynamic-module=../memc-nginx-module-0.18 --add-dynamic-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre=../pcre-8.42 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.0h --with-openssl-opt='enable-ec_nistp_64_gcc_128'
    



    Does this seem regular to you?
    grabilla.153860.png
     
  17. upgrade81

    upgrade81 Premium Member Premium Member

    Code (Text):
    cat /etc/centminmod/custom_config.inc
    NGINX_PAGESPEED=y
    NGINX_ZLIBCUSTOM='y'
    ORESTY_LUANGINX=n
    NGINX_XSLT='n'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_XSLT='n'
    NGXDYNAMIC_IMAGEFILTER='y'
    NGXDYNAMIC_GEOIP='n'
    NGXDYNAMIC_STREAM='y'
    NGXDYNAMIC_HEADERSMORE='y'
    NGXDYNAMIC_SETMISC='y'
    NGXDYNAMIC_ECHO='y'
    NGXDYNAMIC_SRCCACHE='y'
    NGXDYNAMIC_MEMC='y'
    NGXDYNAMIC_REDISTWO='y'
    NGXDYNAMIC_NGXPAGESPEED='y'
    NGXDYNAMIC_BROTLI='y'
    PHPMSSQL='y'
    PHP_PGO='y'
    PHP_PGO_CENTOSSIX='y'
    NGINX_DEVTOOLSETGCC='y'
    GENERAL_DEVTOOLSETGCC='y'
    CLANG='n'
    LIBRESSL_SWITCH='n'
    NGX_GSPLITDWARF='y'
    PHP_GSPLITDWARF='y'
    NGX_LDGOLD='y'
    
    
    # -----set = y to put nginx, php and mariadb major version updates into 503
    # maintenance mode https://community.centminmod.com/posts/26485/
    NGINX_UPDATEMAINTENANCE='y'
    PHP_UPDATEMAINTENANCE='y'
    MARIADB_UPDATEMAINTENANCE='y'
    
    LETSENCRYPT_DETECT='y'
    NGINX_DYNAMICTLS='n'
    CLOUDFLARE_ZLIB='y'
    NGINX_HPACK='y'
    
    CLOUDFLARE_PATCHSSL='y'    # set 'y' to implement Cloudflare's chacha20 patch https://github.com/cloudflare/sslconfig
    CLOUDFLARE_ZLIB='n'        # use Cloudflare optimised zlib fork https://blog.cloudflare.com/cloudflare-fights-cancer/
    CLOUDFLARE_ZLIBPHP='n'     # use Cloudflare optimised zlib fork for PHP-FPM zlib instead of system zlib
    OPENSSL_VERSION='1.1.0h'
    OPENSSLEQUALCIPHER_PATCH='n' # https://community.centminmod.com/posts/57916/
    
    
    #PHP Custom
    PHP_VERSION='7.1.16'
    GCCINTEL_PHP='y'
    PHPGEOIP_ALWAYS='n'
    


    pagespeed is compiled, but I do not use it at the moment.
     
  18. eva2000

    eva2000 Administrator Staff Member

    127.0.0.1 is normal for request/visitor IP depending on what is running

    try with ngx_brotli disabled and see, but all the monitoring tools outlined at the bottom of my post here are also useful to figure out where load is coming from
     
  19. eva2000

    eva2000 Administrator Staff Member

    looks like bingbot and google image crawler bot related so rate limiting them by user agent might help
     
  20. upgrade81

    upgrade81 Premium Member Premium Member

    ok, but I do not want to limit the "good" bots.
    I would rather move everything to a dedicated server with more power, but this VM is a four core Xeon e-1650 v3 3.50ghz
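
Whether crawler traffic arrives in bursts decides if the rate limiting by user agent suggested in post 19 would touch the "good" bots at all. The script below is an added example, not code from the thread: it reports the peak requests per minute for each crawler family named in the ngxtop output. It assumes nginx's default combined log format; the function names and all sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample in nginx "combined" format, documentation-range client IPs.
sample_access_log() {
cat <<'EOF'
192.0.2.10 - - [07/Apr/2018:19:48:01 +0200] "GET /threads/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.10 - - [07/Apr/2018:19:48:02 +0200] "GET /threads/2 HTTP/1.1" 200 4890 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.11 - - [07/Apr/2018:19:48:40 +0200] "GET /threads/3 HTTP/1.1" 200 6100 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.7 - - [07/Apr/2018:19:48:41 +0200] "GET /images/appstore.png HTTP/1.1" 200 1885 "-" "Googlebot-Image/1.0"
203.0.113.5 - - [07/Apr/2018:19:48:50 +0200] "GET /css.php HTTP/1.1" 200 8903 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0"
192.0.2.10 - - [07/Apr/2018:19:49:03 +0200] "GET /threads/4 HTTP/1.1" 200 5300 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
198.51.100.8 - - [07/Apr/2018:19:49:10 +0200] "GET /threads/5 HTTP/1.1" 200 5000 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.8 - - [07/Apr/2018:19:49:11 +0200] "GET /threads/6 HTTP/1.1" 200 5050 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [07/Apr/2018:19:49:30 +0200] "GET /images/googleplay.png HTTP/1.1" 200 1718 "-" "Googlebot-Image/1.0"
EOF
}

# Reads access-log lines on stdin. Prints one tab-separated row per family:
# family, total requests, peak requests in one minute, first minute of that peak.
# The User-Agent header is client-supplied, so a "bingbot" or "Googlebot" label
# only says what the client claims; reverse DNS on the client IP confirms it.
ua_peak_per_minute() {
  awk -F'"' '
    {
      p = index($1, "[")
      if (p == 0) next                       # not a combined-format line
      minute = substr($1, p + 1, 17)         # dd/Mon/yyyy:hh:mm
      ua = $6
      if      (ua ~ /bingbot/)         fam = "bingbot"
      else if (ua ~ /Googlebot-Image/) fam = "Googlebot-Image"
      else if (ua ~ /Googlebot/)       fam = "Googlebot"
      else                             fam = "other"
      total[fam]++
      n = ++per[fam, minute]
      if (n > peak[fam]) { peak[fam] = n; when[fam] = minute }
    }
    END {
      for (fam in total)
        printf "%s\t%d\t%d\t%s\n", fam, total[fam], peak[fam], when[fam]
    }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k3,3nr -k1,1
}

sample_access_log | ua_peak_per_minute
```

It can be fed the same way as the ngxtop commands earlier in the thread, by piping `zcat -f` on the access logs through `grep '07/Apr/2018'` into `ua_peak_per_minute`. A crawler whose peak minute sits close to its daily average is crawling steadily and is a poor match for the CPU spikes.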
     