Nginx Rate limiting for HTTPS requests

[rickGsp]

>>As I tried to explain in my previous message, "test runs for 60 
>>seconds" can have two different meanings: 1) the load is generated 
>>for 60 seconds and 2) from first request started to the last 
>>request finished it takes 60 seconds.

>>Make sure you are using the correct meaning. Also, it might 
>>be a good idea to look into nginx access logs to verify both time 
>>and numbers reported by your tool.

Yes Maxim, I had understood your point. My test actually ran for 60 to 65
seconds which means it took 5 additional seconds to process the requests.
Even access logs says the same. Also, on more powerful machine, I get
expected result for the same test i.e 500 req/sec load but start seeing
difference at relatively higher load.It seems to me that a results also
depends on the resources available on the machine running Nginx.
Surprisingly, CPU was not hitting the peak on both the machines.I am using
CentOS systems for this testings.

Actually in another test with plain HTTP requests, I observed the same issue
of more requests than expected getting processed. However, for HTTP case,
this behaviour appeared at 700 req/sec input load instead of 500 req/sec as
in HTTPS. In this test requests got processed within 60 secs.

With all the test results, I am being forced to think that Nginx rate
limiting may not be able to stop DDoS attack with very high input load but
is decent enough to handle sudden spikes and load which is slightly higher
than configured rate limit, and computing power available also plays some
role here. Do you think I am right?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279802,279874#msg-279874