<div>You can also use ulimit, but simple iptables/ipfw/pf will do the job.</div><div><br></div><div><br><div class="gmail_quote"><div>On Tue, Apr 4, 2017 at 3:13 PM &lt;<a href="mailto:lists@lazygranch.com">lists@lazygranch.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You would probably want to also limit the number of connections per IP address, else one IP could lock up the entire site.<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
Original Message <br class="gmail_msg">
From: Valentin V. Bartenev<br class="gmail_msg">
Sent: Tuesday, April 4, 2017 1:58 PM<br class="gmail_msg">
To: <a href="mailto:nginx@nginx.org" class="gmail_msg" target="_blank">nginx@nginx.org</a><br class="gmail_msg">
Reply To: <a href="mailto:nginx@nginx.org" class="gmail_msg" target="_blank">nginx@nginx.org</a><br class="gmail_msg">
Subject: Re: Limit number of connections to server<br class="gmail_msg">
<br class="gmail_msg">
On Tuesday 04 April 2017 17:22:58 Kamil Gorlo wrote:<br class="gmail_msg">
> Hi,<br class="gmail_msg">
><br class="gmail_msg">
> is there a way to limit the total number of open connections per listening port<br class="gmail_msg">
> in Nginx? I know that there is the limit_conn module, but as far as I understand<br class="gmail_msg">
> it only works on the "request" layer, which means connections are counted only<br class="gmail_msg">
> when request headers have already been read.<br class="gmail_msg">
><br class="gmail_msg">
> I have a problem when the number of SSL connections to my server is very high<br class="gmail_msg">
> (CPU is 100% and the server becomes unresponsive), and I would like to "cut"<br class="gmail_msg">
> new connections after some defined threshold is exceeded. It would possibly<br class="gmail_msg">
> save some CPU cycles needed to handle the SSL handshake, etc.<br class="gmail_msg">
><br class="gmail_msg">
> Is it possible?<br class="gmail_msg">
><br class="gmail_msg">
<br class="gmail_msg">
You should use the system firewall. Most *nix systems have one out of the box.<br class="gmail_msg">
<br class="gmail_msg">
wbr, Valentin V. Bartenev<br class="gmail_msg">
<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
nginx mailing list<br class="gmail_msg">
<a href="mailto:nginx@nginx.org" class="gmail_msg" target="_blank">nginx@nginx.org</a><br class="gmail_msg">
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" class="gmail_msg" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br class="gmail_msg">
</blockquote></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature">Payam Tarverdyan Chychi<br>Network Security Specialist / Network Engineer</div>
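<div>An added example, not part of the original thread: one way to express the two limits discussed above (a total cap per listening port and a cap per source IP) with the Linux iptables connlimit match. The port and both thresholds are assumed values, and the script only prints the commands rather than applying them.</div>

```shell
#!/bin/sh
# Added example: emit iptables rules that cap concurrent TCP connections to one
# listening port, in total and per source IP. All numeric values are assumptions.

# is_uint VALUE -> success if VALUE is a non-empty string of digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# connlimit_rules PORT MAX_TOTAL MAX_PER_IP
# Prints the iptables commands; nothing is applied to the running firewall.
connlimit_rules() {
    port=$1 total=$2 per_ip=$3
    for v in "$port" "$total" "$per_ip"; do
        is_uint "$v" || { echo "connlimit_rules: not a number: '$v'" >&2; return 2; }
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port" >&2; return 2; }
    # A per-IP cap above the total cap could never trigger.
    [ "$per_ip" -le "$total" ] || { echo "per-IP limit exceeds total" >&2; return 2; }

    # Only new connections (SYN) are matched, so the refusal happens before any
    # TLS handshake work and established sessions are left alone.
    # Per-IP cap: a /32 mask counts each source address separately.
    echo "iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $per_ip --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    # Total cap: a /0 mask puts every source address into a single bucket.
    echo "iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above $total --connlimit-mask 0 -j REJECT --reject-with tcp-reset"
}

# Constructed sample values: port 443, 2000 connections in total, 20 per address.
connlimit_rules 443 2000 20
```

<div>Review the printed rules before running them as root; connlimit relies on connection tracking, so conntrack must be active for the counted port.</div>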