Limiting number of client TLS connections

J Carter jordanc.carter at outlook.com
Sat Nov 25 22:55:10 UTC 2023 

No problem at all :)

One other suggestion if you do go down the double proxy + njs route. Keep an eye on the
nginx-devel mailing list (or nginx release notes) for this patch series 
https://mailman.nginx.org/pipermail/nginx-devel/2023-November/QUTQYBNAHLMQMGTKQK57IXDXD23VVIQO.html

The last patch in the series will make proxying from stream to http significantly
more efficient, if merged.

On Sat, 25 Nov 2023 16:03:37 +0800
Zero King <l2dy at aosc.io> wrote:

> Hi Jordan,
> 
> Thanks for your suggestion. I will give it a try and also try to push 
> our K8s team to implement a firewall if possible.
> 
> On 20/11/23 10:33, J Carter wrote:
> > Hello,
> >
> > A self contained solution would be to double proxy, first through nginx stream server
> > and then locally back to nginx http server (with proxy_pass via unix socket, or to
> > localhost on a different port).
> >
> > You can implement your own custom rate limiting logic in the stream server with NJS
> > (js_access) and use the new js_shared_dict_zone (which is shared between workers) for
> > persistently storing rate calculations.
> >
> > You'd have additional overhead from the stream tcp proxy and the njs, but it
> > shouldn't be too great (at least compared to overhead of TLS handshakes).
> >
> > Regards,
> > Jordan Carter.
> >
> > ________________________________________
> > From: nginx <nginx-bounces at nginx.org> on behalf of Zero King <l2dy at aosc.io>
> > Sent: Saturday, November 18, 2023 6:44 AM
> > To: nginx at nginx.org
> > Subject: Limiting number of client TLS connections
> >
> > Hi all,
> >
> > I want Nginx to limit the rate of new TLS connections and the total (or
> > per-worker) number of all client-facing connections, so that under a
> > sudden surge of requests, existing connections can get enough share of
> > CPU to be served properly, while excessive connections are rejected and
> > retried against other servers in the cluster.
> >
> > I am running Nginx on a managed Kubernetes cluster, so tuning kernel
> > parameters or configuring layer 4 firewall is not an option.
> >
> > To serve existing connections well, worker_connections can not be used,
> > because it also affects connections with proxied servers.
> >
> > Is there a way to implement these measures in Nginx configuration?
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > https://mailman.nginx.org/mailman/listinfo/nginx
> > _______________________________________________
> > nginx mailing list
> > nginx at nginx.org
> > https://mailman.nginx.org/mailman/listinfo/nginx  
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list