limit_conn before SSL handshake

Maxim Dounin mdounin at mdounin.ru
Tue Sep 10 12:29:32 UTC 2013


Hello!

On Mon, Sep 09, 2013 at 03:43:10PM -0700, Alan Hamlett wrote:

> Currently the limit_conn and limit_conn_zone config options have this
> context (can only be used inside these config scopes).
> context: http,server,location
> http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn
> 
> Those 2 configs have no way to prevent nginx from negotiating the SSL
> handshake, since they only apply after nginx has an HTTP request.
> This means the nginx server can become CPU bound by spending all its time
> in SSL only to have the request dropped by limit_conn.
> 
> How about making limit_conn and limit_conn_zone be applied before the SSL
> handshake so precious CPU isn't spent negotiating an SSL session when the
> connection limit will end up blocking the request anyway?

If you want to limit total number of TCP connections from a given 
IP address, it's usually more effective to limit them at network 
layer.  Most firewalls can do it for you.  That's basically why 
limit_conn/limit_req don't do it - instead, they are designed to 
limit things at HTTP level.

Adding an option to limit TCP connections (and, likely, connection 
rate) in nginx itself might be interesting from a configuration 
simplicity point of view - but it's mostly unrelated to 
limit_conn/limit_req.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
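The network-layer approach Maxim recommends, as an added example that is not part of the thread and not nginx code: a small POSIX shell script that generates (and, when run as root with the `apply` argument, installs) firewall rules capping both the number of concurrent TCP connections and the rate of new connections per source address on the TLS port, so excess clients are refused before nginx spends CPU on the handshake. It assumes a Linux host with either nftables (dynamic sets with `ct count` and `limit rate`, nft 0.9 or later) or iptables with the `connlimit` and `hashlimit` matches. The table and set names, port 443, and the limits of 20 concurrent connections and 30 new connections per minute are illustrative choices, not values from the discussion.

```shell
#!/bin/sh
# Added example (not from the nginx-devel thread or the nginx project):
# limit TCP connections per source IP at the packet filter, ahead of the
# SSL handshake, instead of with limit_conn/limit_req inside nginx.
# Assumes Linux with nftables >= 0.9 or iptables with connlimit/hashlimit.
# Port, limits and names below are illustrative.

PORT="${PORT:-443}"                 # TLS listener to protect
MAX_CONN="${MAX_CONN:-20}"          # concurrent connections allowed per /32
NEW_RATE="${NEW_RATE:-30/minute}"   # new connections per source before dropping
BURST="${BURST:-20}"                # initial burst allowed above that rate

# Print an nftables ruleset. Two dynamic sets keyed by source address:
# conn_per_src counts live connections per address (ct count), and
# new_per_src tracks the rate of new connections per address (limit rate).
emit_nft_ruleset() {
    cat <<EOF
table inet tls_guard {
    set conn_per_src {
        type ipv4_addr
        flags dynamic
        size 65536
    }
    set new_per_src {
        type ipv4_addr
        flags dynamic
        size 65536
        timeout 1m
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # Too many concurrent connections from one address: refuse the SYN.
        tcp dport ${PORT} ct state new add @conn_per_src { ip saddr ct count over ${MAX_CONN} } counter reject with tcp reset
        # Too many new connections per unit time from one address: drop quietly.
        tcp dport ${PORT} ct state new add @new_per_src { ip saddr limit rate over ${NEW_RATE} burst ${BURST} packets } counter drop
    }
}
EOF
}

# Equivalent iptables rules for hosts without nftables.
emit_iptables_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport ${PORT} --syn -m connlimit --connlimit-above ${MAX_CONN} --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport ${PORT} --syn -m hashlimit --hashlimit-name tls_new --hashlimit-mode srcip --hashlimit-above ${NEW_RATE} --hashlimit-burst ${BURST} -j DROP
EOF
}

# Install whichever rule set the host supports. Returns 1 if neither tool exists.
apply_rules() {
    if command -v nft >/dev/null 2>&1; then
        emit_nft_ruleset | nft -f -
    elif command -v iptables >/dev/null 2>&1; then
        emit_iptables_rules | sh
    else
        echo "neither nft nor iptables found" >&2
        return 1
    fi
}

# Check: list the source addresses currently holding the most established
# connections to the TLS port, so the chosen MAX_CONN can be sanity-checked
# against real traffic before the rules are applied.
top_sources() {
    ss -Htn state established "( sport = :${PORT} )" \
        | awk '{ print $4 }' | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -rn | head -n 10
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
elif [ "${1:-}" = "top" ]; then
    top_sources
fi
```

Run `sh tls_guard.sh top` first to see how many concurrent connections legitimate clients (or a shared NAT gateway) actually open, since a limit keyed on the source address alone will hit every user behind the same NAT. Then `sh tls_guard.sh apply` as root. Connections over the concurrent limit get a TCP reset so the client fails fast; bursts of new connections are dropped without a reply, which is cheaper against a flood. Because both rules match on `ct state new`, existing connections are never cut off when a limit is reached.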

More information about the nginx-devel mailing list