<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div id="yiv1702364977"><div><div style="background-color: rgb(255, 255, 255); font-family: 'times new roman', 'new york', times, serif;"><div id="yiv1702364977yui_3_7_2_17_1358017543844_49" style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><span style="font-size:12pt;" id="yiv1702364977yui_3_7_2_17_1358017543844_73">> Request URI isn't known in advance, and therefore it's not </span><br></div><div id="yiv1702364977yui_3_7_2_17_1358017543844_54" class="yiv1702364977yui_3_7_2_17_1358017543844_53" style="font-family: 'times new roman', 'new york', times, serif;"><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;" class="yiv1702364977yui_3_7_2_17_1358017543844_57"
id="yiv1702364977yui_3_7_2_17_1358017543844_76"><span style="font-size:12pt;">></span><span style="font-size:12pt;" id="yiv1702364977yui_3_7_2_17_1358017543844_79"> </span>possible to set different header timeouts for different locations. <br>> Moreover, please note it only works for _default_ server on the <br>> listen socket in question (as virtual host isn't
known as well).<br><br>> Once request headers are got from client and you know the request <br>> isn't legitimate, you may just close the connection by using<br><br>> return 444;<br><br>Thanks. I tested this. I think in some ways it is worse. In one way it seems better because with 444 I do not get a 408 from Nginx 60 seconds later.</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;" class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;" class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76">However, sending the 444 causes Chrome to try multiple times in a row. For instance just entering https://mydomain/ one
time in the browser and not refreshing the page at all gives this:</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;" class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76"><br></div><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76"><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76">"[12/Jan/2013:15:10:33 -0500]" "GET / HTTP/1.1" "444" "0" "443" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" "0.055" "-" "-" "-"</div><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76">"[12/Jan/2013:15:10:35 -0500]" "GET /
HTTP/1.1" "444" "0" "443" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" "1.683" "-" "-" "-"</div><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76">"[12/Jan/2013:15:10:35 -0500]" "GET / HTTP/1.1" "444" "0" "443" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" "0.029" "-" "-" "-"</div><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76">"[12/Jan/2013:15:10:35 -0500]" "GET / HTTP/1.1" "444" "0" "443" "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52 Safari/537.17" "0.020" "-" "-" "-"</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div
style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">So it seems that returning the 444 makes Chrome want to try 4 more times before giving up. That's got to be worse than with the 403 and it trying once but keeping the connection, you think?</div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"><br></div><div style="color: rgb(0, 0, 0); font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;">I am wondering if I am concerning myself too much with this 60 second delay before nginx closes the connection. I can probably use client_header_timeout at 15s and still have that be safe and so the connection doesn't stay more than 15 seconds before Nginx closes it out. But I still wonder if having this connection stick around is wasting resources?</div><br>> This depends on the OS you are using. E.g. on FreeBSD
"vmstat -z" <br><font size="3">> will show something like this:</font></div><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76"><br></div><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52" id="yiv1702364977yui_3_7_2_17_1358017543844_76">> This isn't a problem if you have properly tuned <br><font size="3">> system and enough memory, but if you are trying to keep lots of </font><br><font size="3">> connections alive - you may want to start counting.</font><br><br>Sorry I should have specified I am on Fedora Core 17. It has a vmstat but no -z option? Anyway, in looking at the output, how can one determine whether the amount of sockets and such being held is nearing the OS limits?<br><font size="3"><br></font></div><div class="yiv1702364977yui_3_7_2_17_1358017543844_57 yui_3_7_2_16_1358021389228_52"
id="yiv1702364977yui_3_7_2_17_1358017543844_76">Thanks again! </div> </div> </div></div></div></div></body></html>