But again, if you have a particular IP behaving badly, and limiting for that IP kicks in, I say they get what they deserve. The goal of limiting resources to one particular IP is to prevent other users from having degraded service.

That said, I did set up my limiting for each location with the idea that I could at some point fine tune things. 

Trawling the interwebs, request limiting shows up in anti-DDoS "hints" for nginx.conf setup. In reality, I doubt they do much good for a real distributed attack, but they do limit a particular IP from hogging resources. (One IP could be many different eyeballs sitting behind a router, so you don't want to get too restrictive.)

What looks to me to be a real resource hog that quite frankly you can't do much about is download managers. They open up multiple connections, but the rate limits apply to each individual connection. (This is why you want to limit the number of connections.) You can detect their user agents. I set up my nginx.conf to return a 444 when I see wget, python, curl, etc. I haven't bothered to flag go!zilla or all the known download managers because I don't see evidence of them being used.

I have scripts to pull the "444" hits off the access log. Any IP that is not from "eyeballs" such as VPS, colo, etc. gets added to my firewall blocking list.
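For readers who want to see the pieces from this thread together in one nginx.conf, here is an added example (my own illustration, not configuration posted by anyone in the thread): limit_req scoped per location as Richard suggests below, with static files and the probe files Grant asks about (robots.txt, sitemap.xml, crossdomain.xml, apple-touch-icon.png) kept out of the tight backend limit; a limit_conn cap per IP, which is the control the post above recommends against multi-connection download managers; and a map on the User-Agent that returns 444 for wget, curl and python. Zone names, rates, burst sizes, the regex patterns, the paths and the 127.0.0.1:8080 backend are all assumptions chosen for the example.

```nginx
# Added example, not configuration from the thread. Zone names, rates,
# paths and the backend address are assumptions for illustration.

http {
    # limit_req keys on the client IP ($binary_remote_addr). Two zones:
    # a tight one for expensive backend hits, a looser one for static files.
    limit_req_zone  $binary_remote_addr zone=backend:10m rate=1r/s;
    limit_req_zone  $binary_remote_addr zone=static:10m  rate=10r/s;

    # limit_conn caps simultaneous connections per IP, which is what stops a
    # download manager that opens many parallel connections.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # Flag command-line fetchers and download managers by User-Agent
    # (case-insensitive regex; extend the second pattern as needed).
    map $http_user_agent $blocked_ua {
        default                           0;
        "~*^(wget|curl|python)"           1;
        "~*(go!zilla|getright|flashget)"  1;
    }

    # Log $status and $http_user_agent so 444 hits can be pulled from the log later.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent"';

    server {
        listen      80;
        server_name example.com;
        access_log  /var/log/nginx/access.log main;

        # At most 10 concurrent connections from one IP.
        limit_conn perip 10;

        # 444 closes the connection without sending a response; the access
        # log still records the request with status 444.
        if ($blocked_ua) {
            return 444;
        }

        # Probe files many legitimate UAs request back-to-back. No limit_req
        # here, so a run of 404s on these does not burn the backend burst.
        location ~ ^/(robots\.txt|sitemap\.xml|crossdomain\.xml|favicon\.ico|apple-touch-icon(-precomposed)?\.png)$ {
            log_not_found off;
            try_files $uri =404;
        }

        # Static files: generous rate, bursts served immediately.
        location /static/ {
            limit_req zone=static burst=20 nodelay;
            root /var/www;
        }

        # Expensive backend requests: tight rate, small burst, 429 when exceeded.
        location / {
            limit_req        zone=backend burst=5;
            limit_req_status 429;
            proxy_pass       http://127.0.0.1:8080;
        }
    }
}
```

Because the log format above records $status and $http_user_agent, the 444 entries the post above talks about can be pulled from access.log by status code and the offending IPs fed to a firewall list; tune the rates and the limit_conn value against your own traffic before copying them, since a single IP behind a NAT can legitimately be many users.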

From: Richard Stanway
Sent: Friday, September 9, 2016 6:01 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: limit-req and greedy UAs

You can put limit_req in a location, for example do not limit static files and only limit expensive backend hits, or use two different thresholds.

On Fri, Sep 9, 2016 at 3:39 AM, <li...@lazygranch.com> wrote:
Since this limit is per IP, is the scenario you stated really a problem? Only that IP is affected. Or as is often the case, did I miss something?

http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

  Original Message  
From: Grant
Sent: Thursday, September 8, 2016 6:24 PM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: limit-req and greedy UAs

Has anyone considered the problem of legitimate UAs which request a
series of files which don't necessarily exist when they access your
site? Requests for files like robots.txt, sitemap.xml,
crossdomain.xml, apple-touch-icon.png, etc could quickly cause the UA
to exceed the limit-req burst value. What is the right way to deal
with this?

- Grant

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
