Patch against server DOS
double
nginx-forum at nginx.us
Fri Aug 15 18:16:12 UTC 2014
Hello,
My NGINX got a denial of service. The machine proxied large files using
"proxy_store".
Someone was creating an artificial request for a rarely used file, causing
NGINX to download a big file from upstream, then he immediately closed the
connection. NGINX continued to download this file.
Then he did the same again with some other rarely used file.
Within a couple of minutes I had thousands of connections, downloading huge
files from the backend.
My solution was to add a small feature:
proxy_ignore_client_abort 10%;
If the server did not download at least 10% from the backend machine, it
closes the connection to the backend as soon as the client closed the
connection to the server, even if "proxy_store" was used.
The patch:
http://doppelbauer.name/abort-upstream-161.patch
Thanks a lot
Markus
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252594,252594#msg-252594
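
A detection sketch for the pattern described in the message above, added here as an example; it is not part of the original post or of the linked patch. It flags clients that took less than 10% of the body nginx fetched from upstream on several distinct files. The log format and its name `fetchratio`, the function name and the sample lines are assumptions.

```python
from collections import defaultdict

# Assumed (hypothetical) access-log format, one request per line:
#   log_format fetchratio '$remote_addr $body_bytes_sent '
#                         '$request_uri $upstream_response_length';
# Constructed sample data; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 0 /files/a.iso 734003200
203.0.113.7 4096 /files/b.iso 912261120
203.0.113.7 0 /files/c.iso 650117120
198.51.100.4 734003200 /files/a.iso 734003200
198.51.100.4 1048576 /files/d.iso 524288000
192.0.2.9 612 /index.html -
"""


def find_abandoned_fetches(log_text, min_ratio=0.10, min_uris=3):
    """Return {ip: (distinct_uris, wasted_bytes)} for clients that took less
    than min_ratio of the upstream body on at least min_uris distinct URIs."""
    uris = defaultdict(set)
    wasted = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        ip, sent, uri, fetched = parts
        # "-" means the request was not proxied. When several upstreams were
        # tried, nginx logs several lengths separated by commas and colons;
        # the last one belongs to the response that was actually used.
        fetched = fetched.replace(":", ",").split(",")[-1].strip()
        if not (sent.isdigit() and fetched.isdigit()) or int(fetched) == 0:
            continue
        sent, fetched = int(sent), int(fetched)
        if sent / fetched < min_ratio:
            uris[ip].add(uri)
            wasted[ip] += fetched - sent  # upstream bytes nobody received
    return {ip: (sorted(u), wasted[ip])
            for ip, u in uris.items() if len(u) >= min_uris}


if __name__ == "__main__":
    for ip, (files, lost) in find_abandoned_fetches(SAMPLE_LOG).items():
        print(ip, len(files), "files,", lost, "upstream bytes unused")
```

The 10% default mirrors the threshold in the proposed directive; `min_uris` keeps a single interrupted download from being flagged.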