> Rate limiting is a useful but crude tool that should only be one of four or five different things you do to protect your backend:
>
> 1 browser caching
> 2 CDN
> 3 rate limiting
> 4 nginx caching reverse proxy
>
> What are your requests? Are they static content or proxied to a back end?
> Do users log in?
> Is it valid for dynamic content built for one user to be returned to another?

I am mainly using it to do reverse proxy to the backend.

> Do you use keepalive?

Here is the cleaned up version of the configuration in use:

# configuration file /etc/nginx/nginx.conf:
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 4096;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    client_header_buffer_size 64k;
    #tcp_nopush on;

    keepalive_timeout 65s;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;

    limit_req_zone $host zone=perhost:10m rate=100r/s;
    limit_req zone=perhost burst=100 nodelay;

    upstream service_lb {
        server 127.0.0.1:8020;
        server 127.0.0.1:8021;
    }
}

worker_rlimit_nofile 10000;

# configuration file /etc/nginx/conf.d/nginx_ssl.conf:
server {
    listen 192.168.0.50:443 ssl backlog=1024;
    listen 127.0.0.1:443 ssl;

    ssl_certificate /etc/nginx/conf.d/nginx.crt;
    ssl_certificate_key /etc/nginx/conf.d/nginx.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EECDH+AES256:EECDH+AES128:EECDH+AES:kRSA+AESGCM:kRSA+AES:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:!aNULL:!ADH:!eNULL:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!SEED;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1024000;
    ssl_session_timeout 300;
    ssl_verify_client off;

    #charset koi8-r;
    access_log /var/log/nginx/access.log main;

    location /service/ {
        proxy_pass http://service_lb;
        break;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279802,279879#msg-279879
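
Added example, not part of the original post: a simplified Python model of the posted limit_req settings (rate=100r/s, burst=100, nodelay), replaying constructed traffic to compare the posted `$host` key with a per-client `$binary_remote_addr` key. The client addresses, Host name and traffic mix are assumptions, and the bucket arithmetic is a model of the documented leaky-bucket behaviour, not nginx source.

```python
# Added example: simplified leaky-bucket model of limit_req with nodelay.
# It is a model for reasoning, not nginx source; addresses and Host are constructed.
from collections import Counter

RATE, BURST = 100, 100  # rate=100r/s and burst=100 from the posted config

class Zone:
    def __init__(self, rate=RATE, burst=BURST):
        self.rate = rate             # milli-requests drained per millisecond
        self.burst = burst * 1000    # bucket depth in milli-requests
        self.state = {}              # key -> (excess, time of last accepted request)

    def allow(self, key, now_ms):
        excess, last = self.state.get(key, (0, now_ms))
        # Drain for the elapsed time, then charge this request.
        excess = max(excess - self.rate * (now_ms - last), 0) + 1000
        if excess > self.burst:
            return False             # rejected; nginx answers 503 by default
        self.state[key] = (excess, now_ms)
        return True

NOISY = "203.0.113.9"                # constructed: one client sending 2000 r/s
NORMAL = [f"198.51.100.{i}" for i in range(1, 11)]  # constructed: 10 r/s each
HOST = "app.example.test"            # constructed Host header shared by all

def simulate(key_of, duration_ms=1000):
    """Replay one second of constructed traffic; return served counts."""
    zone, served = Zone(), Counter()
    for t in range(duration_ms):
        clients = [NOISY, NOISY]
        if t % 100 == 50:
            clients += NORMAL
        for addr in clients:
            if zone.allow(key_of(addr, HOST), t):
                served["noisy" if addr == NOISY else "normal"] += 1
    return served

def by_host(addr, host):    # what `limit_req_zone $host` keys on
    return host

def by_client(addr, host):  # what `limit_req_zone $binary_remote_addr` keys on
    return addr

if __name__ == "__main__":
    for name, fn in (("$host", by_host), ("$binary_remote_addr", by_client)):
        s = simulate(fn)
        print(f"{name:20} normal served {s['normal']}/100, noisy served {s['noisy']}/2000")
```

With the `$host` key every client of a hostname shares one bucket, so the normal clients in this replay are rejected along with the noisy one; with a per-client key each address is limited on its own.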