Explain limit_conn_zone $server_name in nginx

About

Asked 29/9, 2015 at 19:3 Answered 9/3, 2016 at 23:6

I am configuring nginx for basic DDoS protection. I want to use the limit_conn module as described in http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html. In particular I do not understand this example:

limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;

server {
    ...
    limit_conn perip 10;
    limit_conn perserver 100;
}

The description is:

For example, the following configuration will limit the number of connections to the server per a client IP and, at the same time, the total number of connections to the virtual host

The first part is clear, I am allowing not more than 10 simultaneous connections from one IP.

But does the second rule mean, that I am only allowing 100 connections to my server? Because if it so, and the attacker just opens ~100 connections it would block everyone from accessing the server, effectively making DDoS attack succeed.

Raffish answered 29/9, 2015 at 19:3 Comment(1)

Yes. But it's just an example, you don't have to copy it – Hateful 29/9, 2015 at 21:56

Yes, the second rule means that you're going to allow no more than 100 simultaneous connections to that specific domain. However, considering you have also limited max connections per ip, the attacker will need to use different ip's to success with the attack.

I must add that limit_conn is just a way to mitigate an attack, but it won't be enough to mitigate a real DDoS attack.

You may want to look at these nginx directives: limit_req, limit_rate, client_body_timeout, client_header_timeout.

This article will show you that there is more to do in order to mitigate a DDoS attack: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

Also, this article will point you to some configuration tips: https://www.nginx.com/blog/tuning-nginx/

Hope it helps.

Fogbound answered 9/3, 2016 at 23:6 Comment(3)

What does connection mean in this context? I set the variables to 1 and am still able to open multiple tabs of my website instantly. I am also able to open and maintain multiple socket connections. – Tepefy 18/3, 2021 at 12:52

@achhainsan no need to be offensive :/ I think my aswer responds what the user is asking, as it wasn't clear for him how the limit_conn directive work in that specific scenario. I'm not an Nginx expert but I have some experience, let me know if you consider that I should extend my answer with more details or maybe with a few examples, I'll be glad to do it. – Fogbound 12/9, 2023 at 11:23

limit_rate is rarely discussed, and has a confusing name, since it deals with bandwidth and not really rate limiting, but it's worth exploring. – Bowstring 27/3 at 18:15

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags