Nginx Nginx Limit Requests

Glock · May 19, 2016

Hello all,
I was just wondering if anyone had any ideas how best to manage this on our server and what to do..

We have Nginx on Centos, and Centminmod for XF and when the site gets very busy I get a lof of 503 errors, now I understand why that happens even though I may not know 100% how to get around it..
However this afternoon and this evening, the server has dropped twice on me.
First I thought it was our hosts so contacted them - all fine their end, then I ran tracerts and the usual things.
It was the server, it shut down port 80..
When I downloaded the huge logs, it appears Nginx Limit requests had closed connections and shut up shop. I will admit, I am not an expert here but it brought the site down and in my logs I have thousands of lines of errors and timeouts.
From what I understand, the requests limit is great for anti DOS/DDOS but what about when the server/site gets busy..?
How do I enable a bit more connections without being fully exposed, but also without this kicking in and bringing the site down as it did twice this evening?

I had to force Nginx to restart again.
I need to brush up on my reading here I think...
Many thanks
Regards

eva2000 · May 19, 2016

Glock said: ↑

How do I enable a bit more connections without being fully exposed, but also without this kicking in and bringing the site down as it did twice this evening?
Click to expand...

trial and error really only way as logic dictates the rate limit has to be high enough to handle legit traffic. If you can handle the higher legit traffic request limit, it means you can handle the higher potential ddos request rate too

what request rate do you have current set as per Module ngx_http_limit_req_module ?

Glock · May 19, 2016

eva2000 said: ↑

trial and error really only way as logic dictates the rate limit has to be high enough to handle legit traffic. If you can handle the higher legit traffic request limit, it means you can handle the higher potential ddos request rate too

what request rate do you have current set as per Module ngx_http_limit_req_module ?
Click to expand...

Yes so a double edged sword.. Hmm.
Is this it @eva2000
limit_req_zone $binary_remote_addr zone=delta:8m rate=15r/s;

eva2000 · May 19, 2016

yes that defines the rate limit but you would have an accompanying limit_req entry in nginx vhost for where you want to rate limit to apply

15r/s is too low - an average nginx/php-fpm decently spec'd and configured server would be easily able to handle between 30-60 requests/s when it involves a php based web app with db backend calls and you don't need to rate limit everything in default server{} context just stuff that is resource intensive

i.e. limit_req zone=delta for only xenforo's /online requests using request limit defined by limit_req_zone set zone=delta
Code (Text):
  location = /online/ {
        limit_req zone=delta burst=30;
        try_files $uri $uri/ /index.php?$uri&$args;
}
and can have separate rate limits for different areas/directories
Code (Text):
limit_req_zone $binary_remote_addr zone=search:8m rate=15r/s;
limit_req_zone $binary_remote_addr zone=usersonline:8m rate=25r/s;
limit_req_zone $binary_remote_addr zone=login:8m rate=5r/s;

pamamolf · May 19, 2016

But how Nginx it knows that zone=login is for forum or site login?

Is there a related table with such entries and what we can use?

Didn't know that.....

eva2000 · May 19, 2016

read Module ngx_http_limit_req_module the limit_req defined zone=XXXX in your vhost is set the zone you create in limit_req_zone definition i.e. in above example to zone delta, online and login

Glock · May 19, 2016

eva2000 said: ↑
yes that defines the rate limit but you would have an accompanying limit_req entry in nginx vhost for where you want to rate limit to apply

15r/s is too low - an average nginx/php-fpm decently spec'd and configured server would be easily able to handle between 30-60 requests/s when it involves a php based web app with db backend calls and you don't need to rate limit everything in default server{} context just stuff that is resource intensive

i.e. only /online requests
Code (Text):
  location = /online/ {
        limit_req zone=delta burst=30;
        try_files $uri $uri/ /index.php?$uri&$args;
}
and can have separate rate limits for different areas/directories
Code (Text):
limit_req_zone $binary_remote_addr zone=search:8m rate=15r/s;
limit_req_zone $binary_remote_addr zone=usersonline:8m rate=25r/s;
limit_req_zone $binary_remote_addr zone=login:8m rate=5r/s;
Click to expand...
Hmm okay. I shall have to do some digging.
Matt set this up for me and I am unsure what he has set up in the config files.
I've downloaded a copy and made some changes myself ages ago, but aside from the phew changes I made (directory things) it's as he left it. So will have to adjust it going by this..
Thank you so much, it explains why the server and site goes potty when there's lots happening on there. I can't even download my database without the server coming to a crawl.
Thank you.

eva2000 · May 19, 2016

Glock said: ↑

Matt set this up for me and I am unsure what he has set up in the config files.
Click to expand...

ah ensure you backup the original settings so you can revert as you don't want to screw up @Matt's work

Glock · May 19, 2016

eva2000 said: ↑

ah ensure you backup the original settings so you can revert as you don't want to screw up @Matt's work
Click to expand...

I certainly will! Don't want to mess it up that's certain..

Glock · Jun 1, 2016

eva2000 said: ↑
yes that defines the rate limit but you would have an accompanying limit_req entry in nginx vhost for where you want to rate limit to apply

15r/s is too low - an average nginx/php-fpm decently spec'd and configured server would be easily able to handle between 30-60 requests/s when it involves a php based web app with db backend calls and you don't need to rate limit everything in default server{} context just stuff that is resource intensive

i.e. limit_req zone=delta for only xenforo's /online requests using request limit defined by limit_req_zone set zone=delta
Code (Text):
  location = /online/ {
        limit_req zone=delta burst=30;
        try_files $uri $uri/ /index.php?$uri&$args;
}
and can have separate rate limits for different areas/directories
Code (Text):
limit_req_zone $binary_remote_addr zone=search:8m rate=15r/s;
limit_req_zone $binary_remote_addr zone=usersonline:8m rate=25r/s;
limit_req_zone $binary_remote_addr zone=login:8m rate=5r/s;
Click to expand...
This is a lot for me to take in and work out. A bit over my head/depth. I have some serious homework to do.
Thank you again, I am noticing a lot of slow downs when the site gets busy and I have a really very good server so it definitely explains things.
Our server is a quad core (8 cores) 64GB RAM and 2tb of SSD's and fast Internet.. So it does explain why the site slows down.
Just a lot to take in and amend. But thank you again.

Log in / Register

Forums

Want to subscribe to topics you're interested in?

Nginx Nginx Limit Requests

Glock New Member

eva2000 Administrator Staff Member

Glock New Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Glock New Member

eva2000 Administrator Staff Member

Glock New Member

Glock New Member

.

Log in / Register

Useful Searches

Want to subscribe to topics you're interested in?

Nginx Nginx Limit Requests

Glock New Member

eva2000 Administrator Staff Member

Glock New Member

eva2000 Administrator Staff Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Glock New Member

eva2000 Administrator Staff Member

Glock New Member

Glock New Member

.