Bear in mind one IP can be many eyeballs. I use the module with a setting of 
10 per IP. I set the firewall to a higher limit to allow some non-web services, 
but not infinite. This can fight back a very unsophisticated DOS attack. A real 
DOS is distributed, so the IP limit won't be useful. 

I had a document hit Twitter and their servers hammered my lowly VPS. Besides 
an IP limit, I suggest a rewrite to eliminate hot linking, which effectively is 
what Twitter can do. If they tweet a link to a webpage, no problem. That would 
limit those Twitter users to each individually set their browser to a webpage, 
which slows the requests. Out of paranoia, I blocked all of Twitter IP space. 
The same for Facebook. Again, the eyeballs can use their ISP via a link. I'm 
not comfortable with social media companies directly accessing my server since 
they have huge data bandwidth.

That leaves large corporations and universities as the situation where one IP 
is really many eyeballs. A connection limit of 10 will be too low in these 
cases occasionally, but you have to set the limit somewhere.



  Original Message  
From: Anoop Alias
Sent: Friday, May 20, 2016 11:26 AM
To: Nginx
Reply To: [email protected]
Subject: Re: CPU load monitoring / dynamically limit number of connections to 
server

http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html - not
system load based though



-- 
Anoop P Alias

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
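
The per-IP connection limit and the hotlink restriction described in the reply above, as an added nginx configuration example that is not from the original thread. The zone name, server names, root path, file extensions and the denied address range (a documentation placeholder) are assumptions.

```nginx
# Added example; names, paths and ranges below are assumed, not from the thread.
events {}

http {
    # Shared-memory zone keyed by client address (ngx_http_limit_conn_module).
    # $binary_remote_addr keeps each key small, so 10m tracks many clients.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # Rejected connections get 429 instead of the default 503, and are
    # logged at "warn" so the limit can be tuned from the error log.
    limit_conn_status 429;
    limit_conn_log_level warn;

    server {
        listen 80;
        server_name example.com www.example.com;   # assumed names
        root /var/www/html;                        # assumed path

        # 10 concurrent connections per client IP, the value used in the reply.
        # Offices and universities behind one NAT address share this budget.
        # With HTTP/2, each concurrent request counts as a separate connection.
        limit_conn perip 10;

        # Blocking a provider's address space outright: one deny line per
        # range. 192.0.2.0/24 is a documentation placeholder, not a real range.
        deny 192.0.2.0/24;

        # Hotlink restriction (ngx_http_referer_module): serve documents and
        # images only when the Referer is absent ("none"), stripped by a
        # proxy ("blocked"), or one of this server's own names.
        location ~* \.(pdf|jpe?g|png|gif)$ {
            valid_referers none blocked server_names;
            if ($invalid_referer) {
                return 403;
            }
        }
    }
}
```

Check the file with `nginx -t` before reloading, and watch the error log for "limiting connections by zone" entries to see whether 10 is too low for shared addresses.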
