typical value(s) for stream/limit_conn

Francis Daly francis at daoine.org
Tue Sep 20 20:27:40 UTC 2016


On Mon, Sep 19, 2016 at 09:53:38AM -0400, itpp2012 wrote:

Hi there,

> Plenty of guidelines for http limit_conn but hardly any for stream, what
> would be a typical value in which cases?
> Has anyone done some log/connection analysis to determine what would be
> typical use?

"stream" is "arbitrary tcp connections". There is no "typical", I think.

If you are using "stream" to handle things that are typically one
long-lasting tcp connection, such as ssh-for-terminal, then you'll
probably be ok with a small number (unless you have multiple clients
appearing as the same "key" (often IP address)).

If you are using "stream" to handle things that are typically many
overlapping short-lasting tcp connections (simple cgi mysql clients,
perhaps), then you'll probably want a bigger number.

But a number that is right in your environment for port 389 may be
completely wrong for port 37, for example.

If you are trying to limit based on avoid-abuse, you will need to assess
what is "normal" in your case, and define something else as "too much".

If you are trying to limit based on avoid-overload, you will need to
assess what your backends can handle, and set the limit near that.

(In the latter case, you would presumably not limit based on
$binary_remote_addr, but on something static to limit the total number
of connections, I guess.)

> Atm. I'd say '5', but this is more a feeling than science.

5 could work.

5 per $remote_port might be too many.

This is very much "it depends".

Cheers,

	f
-- 
Francis Daly        francis at daoine.org
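
Added example, not part of the message above and not nginx project code: one way to do the log analysis the question asks about, by measuring peak concurrent stream sessions per client and per listening port. The `log_format` in the comment and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines, assuming this stream log_format (an assumption,
# not from the thread):
#   log_format conns '$remote_addr $server_port $msec $session_time';
# $msec is written when the session ends, so start = $msec - $session_time.
SAMPLE_LOG = """\
192.0.2.10 22 1000.000 900.000
192.0.2.10 22 1200.000 600.000
198.51.100.7 3306 1000.500 0.400
198.51.100.7 3306 1000.600 0.400
198.51.100.7 3306 1000.700 0.400
198.51.100.7 3306 1002.000 0.300
203.0.113.5 3306 1000.650 0.200
"""

def parse(log_text):
    """Yield (addr, port, start_ms, end_ms) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        addr, port, msec, session_time = parts
        try:
            end = round(float(msec) * 1000)
            dur = round(float(session_time) * 1000)
        except ValueError:
            continue
        # Count a zero-length session as open for 1 ms so it is not lost.
        yield addr, port, end - max(dur, 1), end

def peak(intervals):
    """Maximum number of simultaneously open (start, end) intervals."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    # At equal timestamps -1 sorts before +1: a close is applied before an open.
    cur = best = 0
    for _, delta in events:
        cur += delta
        best = max(best, cur)
    return best

def peaks(log_text):
    """Return (peak per (port, addr), peak per port)."""
    per_key, per_port = defaultdict(list), defaultdict(list)
    for addr, port, start, end in parse(log_text):
        per_key[(port, addr)].append((start, end))
        per_port[port].append((start, end))
    return ({k: peak(v) for k, v in per_key.items()},
            {k: peak(v) for k, v in per_port.items()})
```

The per-(port, client) peak is the figure to compare against a limit keyed on `$binary_remote_addr`; the per-port peak is the one to compare against a limit on a static key.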


