Nginx Rate limiting for HTTPS requests

Maxim Dounin mdounin at mdounin.ru
Mon May 21 12:12:44 UTC 2018 

Hello!

On Sun, May 20, 2018 at 04:24:21AM -0400, rickGsp wrote:

> >>As I tried to explain in my previous message, "test runs for 60 
> >>seconds" can have two different meanings: 1) the load is generated 
> >>for 60 seconds and 2) from first request started to the last 
> >>request finished it takes 60 seconds.
> 
> >>Make sure you are using the correct meaning. Also, it might 
> >>be a good idea to look into nginx access logs to verify both time 
> >>and numbers reported by your tool.
> 
> Yes Maxim, I had understood your point. My test actually ran for 60 to 65
> seconds which means it took 5 additional seconds to process the requests.
> Even access logs says the same. Also, on more powerful machine, I get
> expected result for the same test i.e 500 req/sec load but start seeing
> difference at relatively higher load.It seems to me that a results also
> depends on the resources available on the machine running Nginx.
> Surprisingly, CPU was not hitting the peak on both the machines.I am using
> CentOS systems for this testings.
> 
> Actually in another test with plain HTTP requests, I observed the same issue
> of more requests than expected getting processed. However, for HTTP case,
> this behaviour appeared at 700 req/sec input load instead of 500 req/sec as
> in HTTPS. In this test requests got processed within 60 secs.
> 
> With all the test results, I am being forced to think that Nginx rate
> limiting may not be able to stop DDoS attack with very high input load but
> is decent enough to handle sudden spikes and load which is slightly higher
> than configured rate limit, and computing power available also plays some
> role here. Do you think I am right?

I'm pretty sure the problem is with your tests, not with nginx 
request rate limiting.  Unfortunately, it is not possible to 
reproduce your tests and check what's going wrong as you are using 
proprietary software for tests.

As suggested previously, it might be a good idea to verify numbers 
using nginx access logs.  Seeing numbers of requests per seconds 
should be as trivial as 

grep ' 200 ' /path/to/log | awk '{print $4}' | uniq -c

assuming default log format and only test requests in the log.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list