CPU load monitoring / dynamically limit number of connections to server
lists at lazygranch.com
lists at lazygranch.com
Fri May 20 19:46:13 UTC 2016
Bear in mind one IP can be many eyeballs. I use the module with a setting of 10 per IP. I set the firewall to a higher limit to allow some non-web services, but not infinite. This can fight back a very unsophisticated DOS attack. A real DOS is distributed, so the IP limit won't be useful.
I had a document hit Twitter and their servers hammered my lowly VPS. Besides an IP limit, I suggest a rewrite to eliminate hot linking, which effectively is what Twitter can do. If they tweet a link to a webpage, no problem. That would limit those twitter users to each individually set their browser to a webpage, which slows the requests. Out of paranoia, I blocked all of Twitter IP space. The same for Facebook. Again, the eyeballs can use their ISP via a link. I'm not comfortable with social media companies directly accessing my server since they have huge data bandwidth.
That leaves large corporations and universities as the situation where one IP is really many eyeballs. A connection limit of 10 will be too low in these cases occasionally, but you have to set the limit somewhere.
Original Message
From: Anoop Alias
Sent: Friday, May 20, 2016 11:26 AM
To: Nginx
Reply To: nginx at nginx.org
Subject: Re: CPU load monitoring / dynamically limit number of connections to server
http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html - not
system load based though
--
Anoop P Alias
_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
More information about the nginx
mailing list