Hello! On Sat, Nov 07, 2015 at 08:28:29PM -0500, CJ Ess wrote:
> Just curious - if I am using the deferred listen option on Linux my
> understanding is that nginx will not be woken up until data arrives for the
> connection. If someone is trying to DDOS me by opening as many connections
> as possible (has happened before) how does that situation play out with
> deferred accepts?
>
> Currently I am not using the deferred option and I have timeouts set so
> that if complete request headers aren't received in a few seconds then the
> connection is closed, however with deferred accepts I don't believe nginx
> would be able to do that.

When using deferred accept, nginx instructs the kernel to defer connections
for just 1 second. After this time, the kernel will pass connections to
nginx for normal processing.

If there are too many connections waiting in deferred accept (more than a
socket backlog), syncookies will be used by the kernel if enabled.

Note that this works slightly differently with old kernels (before 2.6.32),
and in previous nginx versions (before 1.5.10). Some additional information
can be found in these commit logs:

http://hg.nginx.org/nginx/rev/fdb67cfc957d
http://hg.nginx.org/nginx/rev/05a56ebb084a

-- 
Maxim Dounin
http://nginx.org/
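
As an added illustration, not part of Maxim's reply and not configuration shipped by the nginx project, the following minimal nginx.conf shows how a deferred listener and the header timeout from the question fit together. The port, server name, backlog size and timeout values are assumed:

```nginx
# Added example configuration (not from the original post); all values are assumed.
events {
    worker_connections 1024;
}

http {
    server {
        # Kernel side: "deferred" makes nginx set TCP_DEFER_ACCEPT, so the
        # kernel holds a freshly completed connection for up to 1 second
        # waiting for the first bytes of data. After that second it hands the
        # connection to nginx whether or not data arrived (kernels 2.6.32+
        # and nginx 1.5.10+, as the reply above explains).
        # "backlog" sizes the listen queue; during a connection flood the
        # kernel falls back to SYN cookies for connections beyond it when
        # net.ipv4.tcp_syncookies is enabled.
        listen 80 deferred backlog=4096;
        server_name example.com;

        # nginx side: once the kernel has handed the connection over, the
        # usual header timeout applies as before. An idle connection is thus
        # closed roughly 1s (kernel deferral) + 5s (this timeout) after the
        # handshake, so the timeout-based cleanup from the question still works.
        client_header_timeout 5s;
        client_body_timeout   5s;

        location / {
            return 200 "ok\n";
        }
    }
}
```

The effective listen queue is also bounded by the kernel's net.core.somaxconn sysctl, so a backlog= value above it is silently capped; check both when tuning for floods of idle connections.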
