Using 444

Paul paul at stormy.ca
Sat Sep 27 22:28:15 UTC 2025


On 9/27/25 14:44, Bernard Rosset via nginx wrote:
>> Again thanks, I had tried various 'location' lines such as
>>      limit_req_zone $binary_remote_addr zone=mylimit:5m rate=1r/s;
>>      limit_req zone=mylimit burst=5 nodelay;
>>
>> without success... obviously haven't fully understood
> 
> I would suggest reading
> https://freenginx.org/en/docs/http/ngx_http_limit_req_module.html
> again; sometimes details only "click" after an n-th read.

Many thanks, from a former math geek of the U. of Clermont-Ferrand (now 
Blaise-Pascal.)

That document 
<https://freenginx.org/en/docs/http/ngx_http_limit_req_module.html> 
together with 
<http://freenginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size> 
are the ones that I am hoping to put into effect.  "In production" 
swapping between a fairly fast backend, and a slightly slower "backup", 
I'm being cautious.
> 
> You mentioned 250k requests/day, but you did not characterise the 
> population spread.

Not sure if I actually said that, but somewhat close.  Real user 
requests (the site has been running for fifteen years or so) are 
probably around 150k, add longstanding "bots" (Duck, Google, Bing...) 
and the number sometimes doubles.  These requests are mostly well-formed.

Recently, analysis of nginx front-end logs shows up to 1,250k requests 
per hour.   Regrouping down to first 2 or 3 elements of each IP dotted 
quad has allowed me to deny a significant number of /10 and /11 networks 
(as a charity, we're not happy with the discrimination, but tech 
survival is relevant.)

This is also "whack-a-mole" -- you asked for "population spread" (my 
comfort level in politics is low), but the spread is somewhat close to 
world population - led by China, Pakistan, Vietnam, Brazil and 
Microsoft.  Conspicuously absent are Russia and Google.  This is pure 
math in my microcosm.

> My concern there would be whether your 5 mebibytes of storage is enough
> to handle all the IP addresses you're trying to rate-limit: per
> documentation (calculus details in there), one mebibyte stores either
> 16k IPv4 or 8k IPv6.
> Overflow is dealt with by LRU.

We're not seeing much IPv6 activity (and maybe I should just deny it?) 
and LRU shouldn't be a concern (it might balance out with the denies?)

Can you suggest explicit code that I can try in a production 
environment?  That would be truly appreciated.

Tnx, merci, spaceeba,
Paul

   \\\||//
    (@ @)
ooO_(_)_Ooo__________________________________
|______|_____|_____|_____|_____|_____|_____|_____|
|___|____|_____|_____|_____|_____|_____|_____|____|
|_____|_____| mailto:paul at stormy.ca _|____|____|
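
An added example, not part of the original message or of nginx itself: a log pass that regroups client addresses by their first two or three octets, as described above, and estimates the `limit_req_zone` size needed for the distinct clients seen, using the 16k IPv4 / 8k IPv6 per mebibyte figures quoted in the thread. The log lines are constructed, the function names are hypothetical, and it assumes the client address is the first field of each line (nginx "combined" format).

```python
import ipaddress
from collections import Counter

# Capacity figures as quoted in the thread, per mebibyte of limit_req zone.
IPV4_STATES_PER_MIB = 16_000
IPV6_STATES_PER_MIB = 8_000

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2025:22:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "ua"
192.0.2.10 - - [27/Sep/2025:22:00:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "ua"
192.0.2.77 - - [27/Sep/2025:22:00:02 +0000] "GET /b HTTP/1.1" 200 512 "-" "ua"
198.51.100.5 - - [27/Sep/2025:22:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "ua"
198.51.100.5 - - [27/Sep/2025:22:00:03 +0000] "GET /c HTTP/1.1" 200 512 "-" "ua"
198.51.100.200 - - [27/Sep/2025:22:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "ua"
203.0.113.9 - - [27/Sep/2025:22:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "ua"
2001:db8::1 - - [27/Sep/2025:22:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "ua"
not-an-ip garbage line
"""

def client_ips(lines):
    """Yield the client address (first field) of each parseable log line."""
    for line in lines:
        parts = line.split(None, 1)
        if not parts:
            continue
        try:
            yield ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # skip truncated or malformed lines

def requests_per_network(ips, v4_prefix=24, v6_prefix=32):
    """Count requests per enclosing network; /16 or /24 = first 2 or 3 octets."""
    counts = Counter()
    for ip in ips:
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        counts[str(net)] += 1
    return counts

def zone_mib_needed(ips):
    """Mebibytes of zone needed to hold one state per distinct client address."""
    unique = set(ips)
    v4 = sum(1 for ip in unique if ip.version == 4)
    v6 = len(unique) - v4
    return v4 / IPV4_STATES_PER_MIB + v6 / IPV6_STATES_PER_MIB

if __name__ == "__main__":
    ips = list(client_ips(SAMPLE_LOG.splitlines()))
    for net, n in requests_per_network(ips, v4_prefix=16).most_common():
        print(f"{n:6d}  {net}")
    print(f"zone size for these clients: {zone_mib_needed(ips):.6f} MiB")
```

Run against an hour of the real access log, the second figure can be compared directly with the `5m` in the `zone=mylimit:5m` line.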


