listen deferred option
Maxim Dounin
mdounin at mdounin.ru
Mon Nov 9 12:53:09 UTC 2015
Hello!

On Sat, Nov 07, 2015 at 08:28:29PM -0500, CJ Ess wrote:

> Just curious - if I am using the deferred listen option on Linux my
> understanding is that nginx will not be woken up until data arrives for the
> connection. If someone is trying to DDOS me by opening as many connections
> as possible (has happened before) how does that situation play out with
> deferred accepts?
>
> Currently I am not using the deferred option and I have timeouts set so
> that if complete request headers aren't received in a few seconds then the
> connection is closed, however with deferred accepts I don't believe nginx
> would be able to do that.

When using deferred accept, nginx instructs the kernel to defer
connections for just 1 second. After this time, the kernel will
pass connections to nginx for normal processing.

If there are too many connections waiting in deferred accept (more
than a socket backlog), syncookies will be used by the kernel if
enabled.

Note that this works slightly differently with old kernels (before
2.6.32), and in previous nginx versions (before 1.5.10). Some
additional information can be found in these commit logs:

http://hg.nginx.org/nginx/rev/fdb67cfc957d
http://hg.nginx.org/nginx/rev/05a56ebb084a

--
Maxim Dounin
http://nginx.org/
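
Added example, not part of the original message: a minimal nginx configuration that combines the deferred listen parameter with the request header timeout described in the question. The port, backlog and timeout values are assumptions chosen for illustration.

```nginx
# Constructed example; port, backlog and timeout values are assumptions.
#
# Kernel settings that interact with this (sysctl, not nginx config):
#   net.ipv4.tcp_syncookies = 1   # syncookies used once the backlog is full
#   net.core.somaxconn            # upper bound on the effective backlog

events {}

http {
    # Still enforced with "deferred": the timer starts once the kernel
    # passes the connection to nginx, which happens either when data
    # arrives or when the 1 second deferral expires without any data.
    client_header_timeout 5s;

    server {
        # deferred : enables deferred accept (TCP_DEFER_ACCEPT) on Linux.
        # backlog  : queue of pending connections; connections waiting in
        #            deferred accept count against it.
        listen 80 deferred backlog=4096;

        location / {
            return 204;
        }
    }
}
```

With this configuration a connection that never sends a byte is held by the kernel for the 1 second deferral, then handed to nginx, which closes it when client_header_timeout expires.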