Nginx: Prevent DoS by limiting worker processes/connections

denial-of-servicenginx

If I limit my nginx worker processes to 1 and allow for 500 connections, what happens if I exceed this limit? Does the server return a 503 Service Unavailable?

Basically, I'm trying to secure my system against DoS and do not expect more than 500 simultaneous connections per second.

Best Answer

How many cores your server has ? If you have two cores, i suggest you can set 2 workers and 250 conn. max.

max_clients = worker_processes * worker_connections

And Yes, the 501 connection will receive an error. But be carefull, a browser opens 2 connections by default.

EDIT: One more thing, you can set a max connection limit by IP (10 here) with

## Max conns for one ip
 limit_zone gulag $binary_remote_addr 5m;
 limit_conn gulag 10;

in /etc/nginx/nginx.conf

Related Solutions

Linux and nginx – Understanding Max File Descriptors and Best Value for worker_rlimit_nofile

worker_rlimit_nofile will set the limit for file descriptors for the worker processes as oppose to the user running nginx. If other programs running under this user will not be able to gracefully handle running out of file descriptiors then you should set this limit slightly less then what is for the user.

First, What is using your file descriptors?

Each active connection to a client
Using proxy_pass? That will open a socket to the host:port handling these requests
Using proxy_pass to a local port? Thats another open socket. (For the owner of that process)
static files being served by nginx

Why would the limit per worker be less than the OS limit?

This is controlled by the OS because the worker is not the only process running on the machine. To change it for the user running nginx see below. It would be very bad if your workers used up all of the file descriptors available to all processes, don't set your limits so that is possible.

#/etc/sysctl.conf
#This sets the value you see when running cat  /proc/sys/fs/file-max
fs.file-max = 65536"


#/etc/security/limits.conf
#this sets the defaults for all users
* soft nofile 4096
* hard nofile 4096

#This overrides the default for user `usernamehere`
usernamehere soft nofile 10240
usernamehere hard nofile 10240

After those security limit changes I believe I still had to increase the softlimit for the user using ulimit.

How do I find out what my limit is now?

ulimit -a Will display all the limits associated with the user you run it as.

NginX behavior when reaching maximum worker connections

No. Increase the amount of connections a worker may handle. 1024 is much lower than Nginx can handle.

If you need to limit the amount concurrent of concurrent requests passed to a back end then you need a 3rd party module like: https://github.com/ry/nginx-ey-balancer

Best Answer

Related Solutions

Linux and nginx – Understanding Max File Descriptors and Best Value for worker_rlimit_nofile

NginX behavior when reaching maximum worker connections

Related Topic