limit_conn before SSL handshake
Maxim Dounin
mdounin at mdounin.ru
Tue Sep 10 12:29:32 UTC 2013
Hello!
On Mon, Sep 09, 2013 at 03:43:10PM -0700, Alan Hamlett wrote:
> Currently the limit_conn and limit_conn_zone config options have this
> context (can only be used inside these config scopes).
> context: http,server,location
> http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html#limit_conn
>
> Those 2 configs have no way to prevent nginx from negotiating the SSL
> handshake, since they only apply after nginx has an HTTP request.
> This means the nginx server can become CPU bound by spending all its time
> in SSL only to have the request dropped by limit_conn.
>
> How about making limit_conn and limit_conn_zone be applied before the SSL
> handshake so precious CPU isn't spent negotiating an SSL session when the
> connection limit will end up blocking the request anyway?
If you want to limit total number of TCP connections from a given
IP address, it's usually more effective to limit them at network
layer. Most firewalls can do it for you. That's basically why
limit_conn/limit_req doesn't do it - instead, they are designed to
limit things at HTTP level.
Adding an option to limit TCP connections (and, likely, connection
rate) in nginx itself might be interesting from a configuration
simplicity point of view - but it's mostly unrelated to
limit_conn/limit_req.
--
Maxim Dounin
http://nginx.org/en/donation.html
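As an added illustration of the point made in the reply above (this is example code, not part of the original thread and not from nginx), the script below builds the network-layer limits a firewall can enforce before any TLS bytes are exchanged, and puts the HTTP-level limit_conn snippet next to them for contrast. It uses iptables' connlimit (per-source concurrent connection cap) and hashlimit (per-source new-connection rate) matches; the port, limits, zone name and the FW_APPLY switch are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread or from nginx.
# Network-layer limits for the TLS port, applied before the handshake,
# beside the HTTP-level limit_conn that only fires once a request exists.
# Port, limits, zone name and FW_APPLY are assumed values for illustration.

TLS_PORT=443
MAX_CONN_PER_IP=20          # concurrent TCP connections allowed per source /32
NEW_CONN_RATE=60/minute     # new connections (SYNs) allowed per source /32
NEW_CONN_BURST=20           # burst allowance on top of NEW_CONN_RATE

# Rule 1: per-source concurrent connection cap. connlimit counts live
# connections from the same address (mask 32). Matching --syn means only
# new attempts above the cap are rejected; established ones are untouched.
# The RST goes out before any TLS record is read, so no handshake CPU is spent.
connlimit_rule() {
    printf '%s' "iptables -I INPUT -p tcp --dport $TLS_PORT --syn" \
        " -m connlimit --connlimit-above $MAX_CONN_PER_IP --connlimit-mask 32" \
        " -j REJECT --reject-with tcp-reset"
    printf '\n'
}

# Rule 2: per-source new-connection rate. hashlimit keeps a token bucket per
# source IP; SYNs above the rate (after the burst is used up) are dropped.
synrate_rule() {
    printf '%s' "iptables -I INPUT -p tcp --dport $TLS_PORT --syn" \
        " -m hashlimit --hashlimit-name tls_syn --hashlimit-mode srcip" \
        " --hashlimit-above $NEW_CONN_RATE --hashlimit-burst $NEW_CONN_BURST" \
        " -j DROP"
    printf '\n'
}

# The complete ruleset, one command per line. Both use -I, so the rule
# inserted last is evaluated first; either order gives the same protection.
# Assumes the INPUT chain otherwise accepts traffic to TLS_PORT.
ruleset() {
    connlimit_rule
    synrate_rule
}

# Dry run by default; FW_APPLY=1 executes the rules (needs root and iptables).
apply_ruleset() {
    ruleset | while read -r line; do
        if [ "${FW_APPLY:-0}" = 1 ]; then
            eval "$line"
        else
            printf 'dry-run: %s\n' "$line"
        fi
    done
}

# For contrast, the HTTP-level limit the thread is about: limit_conn is
# evaluated per request, i.e. after the TLS handshake has already been paid
# for, which is why it cannot save handshake CPU on its own.
nginx_http_level_snippet() {
    cat <<'EOF'
limit_conn_zone $binary_remote_addr zone=perip:10m;
server {
    listen 443 ssl;
    limit_conn perip 20;
}
EOF
}

# Usage:  sh tls_connlimit.sh              (dry run, prints the rules)
#         FW_APPLY=1 sh tls_connlimit.sh   (installs them)
apply_ruleset
```

The two firewall rules are complementary: connlimit bounds how many sockets one address can hold open at once, hashlimit bounds how fast it can open new ones; a client that opens and closes connections quickly to force repeated handshakes is caught by the second rule even when it never trips the first.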