Two options to look at in nginx.conf:
keepalive_timeout 60;
worker_connections 1024;
The first I found under the http block, and the second in the events block. You shouldn't have to tweak the worker_connections much, usually it's better to keep it high. The keepalive_timeout limits how long browsers can stay connected to your web server. This one boils down to balancing nginx's load and the user's "perceived" load time (which will go up if the user's browser keeps having to reconnect).
If you're using PHP on your site, you could also tweak PHP's settings related to your database software. That isn't directly related to HTTP flooding, but if you can tweak PHP's settings in such a way to optimize it's ability to use the database, PHP will be able to return stuff back to nginx quicker, which can in turn send stuff back to the users quicker, which means browsers can disconnected from nginx quicker, which will reduce nginx's load.
There's also robots.txt, to prevent well-behaved bots from crawling into certain spots, as well as nginx's 'internal' directive to keep it from sending files to the outside world, e.g.:
location = /some/config.php {
internal;
}
which also has an obvious advantage in help security. (Btw, /some/config.php is still accessible to nginx, just not to other people)
Aside from that, I can't really think of anything, aside from setting your firewall to limit how many connections can be made to the ports that nginx uses (most likely TCP ports 80 and 443), and possibly have a shell script that will flat-out block an IP address temporarily (through the firewall) if it makes too many connections at once.
--
Piki
