<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">During a busier part of the day, what is your minimum, median, 99%, max requests per sec?<div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jul 30, 2017, at 9:31 AM, Vlad K. &lt;<a href="mailto:nginx-ml@acheronmedia.hr" class="">nginx-ml@acheronmedia.hr</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><br class=""><blockquote type="cite" class="">If you open the status page in a browser do the numbers report match<br class="">what you see with netstat?<br class=""></blockquote><br class="">Waiting does:<br class=""><br class=""># netstat -n | grep -E "tcp4|tcp6" | grep ESTABLISHED | wc -l \<br class=""> && echo "----------------------------" \<br class=""> && fetch -qo - <a href="http://10.0.0.4/nginx_status" class="">http://10.0.0.4/nginx_status</a><br class=""><br class=""> 82<br class="">----------------------------<br class="">Active connections: 89<br class="">server accepts handled requests<br class=""> 669843 669843 3158515<br class="">Reading: 0 Writing: 22 Waiting: 82<br class=""><br class="">And I ran it a few times with several minutes in between, the above is just an example from the last run. This is inside the nginx jail, so grepping tcp4|tcp6 shows only connections to the nginx server.<br class=""><br class="">Now, the part I don't quite understand is whether Active = Reading + Writing + Waiting. 
The above certainly doesn't seem to suggest so.<br class=""></div></div></blockquote><div><br class=""></div><div><br class=""></div><div>So when you look at two different documentation pages explaining the status page,</div><div> they both show that <b class="">Active = Reading + Writing + Waiting</b></div><div><br class=""></div><div><a href="https://www.cyberciti.biz/faq/nginx-enable-and-see-current-status-page/" class="">https://www.cyberciti.biz/faq/nginx-enable-and-see-current-status-page/</a></div><div><a href="https://www.keycdn.com/support/nginx-status/" class="">https://www.keycdn.com/support/nginx-status/</a></div><div><br class=""></div><div><br class=""></div><div>I think that suggests that, in your environment, Writing = “really writing” + “leaked sockets that nginx thinks are writing”</div><div><br class=""></div><div><div>I’m pretty confident that this is a bug, because of the shape of the graph. There's no obvious healthy explanation for the </div><div>number of writing connections to increase over days and return to its current value after a restart.</div><div class=""><br class=""></div></div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">Do you have a hypothesis that explains<br class="">why the graph could jump back to 12/13, rather than spend a few days<br class="">increasing linearly in the way it did from<br class="">the 18th to the 23rd?<br class=""></blockquote><br class="">Bots crawling the sites, pacing themselves over a longer time frame so there's no correlation to daily sinusoid caused by live visitors. We do have a lot of resources on all those sites to crawl through. They're all real estate agency sites, and there are tens of thousands of pages with hundreds of thousands of images. 
And looking at the logs, quite a number of requests from bots (that are decent enough to say they're bots).<br class=""></div></div></blockquote><div><br class=""></div><div><br class=""></div><div>Last public site I worked on had approx 40% of requests from bots or spiders (including our own active testing) and only 1/2 of the 400 user agents that weren’t interactive browsers actually identified themselves. Many pretended to be browsers, and might have been scripted browsers, but were easy to identify because of the pattern of the URLs they requested.</div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div class="">We've deviated a bit into assuming this is a bug or some unexpected behavior (my fault for suggesting it in the beginning). That's why all I wanted to do was to check which IPs are those that nginx considers "Writing" to. The only reason this caught my attention was apparently "flat" appearance of Writing, but now thinking about bots, this could be quite normal.<br class=""></div></div></blockquote><div><br class=""></div><div><br class=""></div><div><br class=""></div><div><br class=""></div><div><br class=""></div><div><br class=""></div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><br class=""><br class=""><blockquote type="cite" class="">How long was nginx down for? If you graph only the “writing”<br class="">variable for just 23rd July does the length of<br class="">time that the # of writing connections is thought to be 0 make sense?<br class=""></blockquote><br class="">It was only restarted. It appears the "offending" connections started showing up less than an hour later.<br class=""><br class=""><br class=""><blockquote type="cite" class="">I wonder whether what you are seeing could be a side-effect of the<br class="">server being in a FreeBSD jail?<br class=""></blockquote><br class="">I doubt it. 
I used to see this when the server was on Debian Jessie, but it was much less noticeable. Then again, back then we had much less traffic and much less content.<br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">Do any of the other nginx sites in other jails exhibit the same<br class="">behavior?<br class=""></blockquote><br class="">There is only one instance of nginx running on the server. Individual sites are only running php-fpm or uwsgi in their jails.<br class=""><br class=""><br class=""><blockquote type="cite" class="">In FreeBSD jails is there an equivalent of Dom0 in a XEN hypervisor? A<br class="">parent or root OS?<br class=""></blockquote><br class="">FreeBSD jails are OS-level virtualization. It's basically similar to containers on Linux but with more isolation (it's not just namespacing).<br class=""><br class=""><br class=""><blockquote type="cite" class="">If so, do you see all connections on all jails the you log into it? I'm<br class="">wondering if you are hitting some ulimit or<br class="">resource shortage on the host as a whole?<br class=""></blockquote><br class="">I don't think it's that, as limits are far above the current demands for traffic, and there's nothing logged about potential resource exhaustion.<br class=""><br class=""><br class=""><br class="">Thanks for helping me figure this out.<br class=""><br class=""><br class="">-- <br class="">Vlad K.<br class="">_______________________________________________<br class="">nginx mailing list<br class=""><a href="mailto:nginx@nginx.org" class="">nginx@nginx.org</a><br class="">http://mailman.nginx.org/mailman/listinfo/nginx</div></div></blockquote></div><br class=""></div></body></html>