Re: Limiting number of client TLS connections

J Carter
November 25, 2023 05:56PM
No problem at all :)

One other suggestion if you do go down the double proxy + njs route. Keep an eye on the
nginx-devel mailing list (or nginx release notes) for this patch series
https://mailman.nginx.org/pipermail/nginx-devel/2023-November/QUTQYBNAHLMQMGTKQK57IXDXD23VVIQO.html

The last patch in the series will make proxying from stream to http significantly
more efficient, if merged.

On Sat, 25 Nov 2023 16:03:37 +0800
Zero King <l2dy@aosc.io> wrote:

> Hi Jordan,
>
> Thanks for your suggestion. I will give it a try and also try to push
> our K8s team to implement a firewall if possible.
>
> On 20/11/23 10:33, J Carter wrote:
> > Hello,
> >
> > A self-contained solution would be to double proxy, first through nginx stream server
> > and then locally back to nginx http server (with proxy_pass via unix socket, or to
> > localhost on a different port).
> >
> > You can implement your own custom rate limiting logic in the stream server with NJS
> > (js_access) and use the new js_shared_dict_zone (which is shared between workers) for
> > persistently storing rate calculations.
> >
> > You'd have additional overhead from the stream tcp proxy and the njs, but it
> > shouldn't be too great (at least compared to overhead of TLS handshakes).
> >
> > Regards,
> > Jordan Carter.
> >
> > ________________________________________
> > From: nginx <nginx-bounces@nginx.org> on behalf of Zero King <l2dy@aosc.io>
> > Sent: Saturday, November 18, 2023 6:44 AM
> > To: nginx@nginx.org
> > Subject: Limiting number of client TLS connections
> >
> > Hi all,
> >
> > I want Nginx to limit the rate of new TLS connections and the total (or
> > per-worker) number of all client-facing connections, so that under a
> > sudden surge of requests, existing connections can get enough share of
> > CPU to be served properly, while excessive connections are rejected and
> > retried against other servers in the cluster.
> >
> > I am running Nginx on a managed Kubernetes cluster, so tuning kernel
> > parameters or configuring a layer 4 firewall is not an option.
> >
> > To serve existing connections well, worker_connections cannot be used,
> > because it also affects connections with proxied servers.
> >
> > Is there a way to implement these measures in Nginx configuration?
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > https://mailman.nginx.org/mailman/listinfo/nginx
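The js_access + js_shared_dict_zone approach Jordan describes in the quoted message, written out as an added example (not code from the thread or from nginx/njs). The in-memory dict shim, the zone name `rate`, the unix socket path and the limit of 100 new connections per second are assumptions, and the njs incr() timeout argument is assumed to be in milliseconds.

```javascript
// Stand-in for an njs shared dict declared with
//   js_shared_dict_zone zone=rate:64k type=number;
// In njs the handler uses ngx.shared.rate directly; this shim is constructed
// here so the logic runs under Node and implements only incr() with expiry.
function makeNumberDict(clock) {
  const store = new Map();
  return {
    incr(key, delta, init, ttlMs) {
      const now = clock();
      let entry = store.get(key);
      if (!entry || entry.expires <= now) {
        entry = { value: init || 0, expires: now + ttlMs };
        store.set(key, entry);
      }
      entry.value += delta;
      return entry.value;
    },
  };
}

// Fixed 1-second window: each new client connection increments the counter
// for the current second; once it exceeds the limit the remaining attempts
// in that second are refused. Because js_access runs when the TCP connection
// is accepted, the surge is shed before any TLS handshake is performed and
// already-accepted connections keep their share of CPU.
function shouldAccept(dict, nowMs, limit) {
  const key = 'new:' + Math.floor(nowMs / 1000);
  const n = dict.incr(key, 1, 0, 2000); // keep the bucket 2s, then expire it
  return n <= limit;
}

// Replay a constructed burst of `count` connection attempts at time `nowMs`.
function simulateBurst(count, nowMs, limit) {
  const dict = makeNumberDict(() => nowMs);
  let accepted = 0;
  for (let i = 0; i < count; i++) {
    if (shouldAccept(dict, nowMs, limit)) accepted++;
  }
  return { accepted, rejected: count - accepted };
}

// Wiring under njs (assumed names): the stream server fronts 443 and proxies
// accepted connections to the local http server over a unix socket (TLS is
// still terminated there). Excess clients are refused and retry another node.
//   stream { js_import limiter.js; js_shared_dict_zone zone=rate:64k type=number;
//            server { listen 443; js_access limiter.access; proxy_pass unix:/run/nginx-http.sock; } }
//   function access(s) {
//     shouldAccept(ngx.shared.rate, Date.now(), 100) ? s.allow() : s.deny();
//   }
//   export default { access };
```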