NODEBB: Nginx error performance & High CPU

DownPW

For your information @phenomlab ,

• I have ban via iptables suspicious ip address find on /etc/nginx/accesss.log and virtualhost access.log like this : iptables -I INPUT -s IPADDRESS -j DROP
• Activate bot option on CF
• Create contry rules (Russie and China) on CF WAF
• I left under attack mode option activated on CF
• I have just change nginx.conf like this for test (If you have best value, I take it ! ) :

worker_rlimit_nofile 70000; 

events {

	worker_connections 65535;
	multi_accept on; 
}

http {

	##
	# Basic Settings
	##

	limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s; 
	limit_req zone=flood burst=100 nodelay; 
	limit_conn_zone $binary_remote_addr zone=ddos:10m; 
	limit_conn ddos 100;

100r/s iit’s already a lot !!

and for vhost file :

server {
	.....

        location / {
				
				limit_req zone=flood; #Test 
				limit_conn ddos 100; #Test 
}

–> If you have other ideas, I’m interested
–> If you have better values ​​to use in what I modified, please let me know.

phenomlab

@DownPW my only preference would be to not set worker_connections so high

DownPW

@phenomlab

Ok so what value do you advise?

phenomlab

@DownPW you should base it on the output of ulimit - see below

https://linuxhint.com/what-are-worker-connections-nginx/#:~:text=The worker_connections are the maximum,to accommodate a higher value

With that high value you run the risk of overwhelming your server.

DownPW

@phenomlab

Thanks mark

My ulimit is 1024, so I will set it to 1024

phenomlab

@DownPW And the worker_processes value ? I expect this to be between 1 and 4 ?

DownPW

@phenomlab

worker_processes auto;

phenomlab

@DownPW ok. You should refer to that some article I previously provided. You can probably set this to a static value.

DownPW

@phenomlab

Ok I will see it for better worker_processes value

I add a rate limite request and limit_conn_zone on http block and vhost block :

– nginx.conf:

http {

	#Requete maximun par ip 
	limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s; 
	#Connexions maximum par ip 
	limit_conn_zone $binary_remote_addr zone=ddos:1m;

-- vhost.conf :
        location / {
				
				limit_req zone=flood burst=100 nodelay; 
				limit_conn ddos 10;

–> I have test other value for rate and burst but they cause problem access to the forum. If you have better, I take it

I add today a proxy_read_timeout on vhost.conf (60 by default)

proxy_read_timeout 180;

I have deactivate underattack mode on CF and change for high Level

I have add other rules on CF waf :

phenomlab

@DownPW what settings do you have in advanced (in settings) for rate limit etc?

DownPW

@phenomlab said in NODEBB: Nginx error performance & High CPU:

@DownPW what settings do you have in advanced (in settings) for rate limit etc?

In cloudflare ?

DownPW

@phenomlab

I wanted to test awstats on virtualmin with root account and it hasn’t updated since August 2022.

I wanted to regenerate the files but I have a problem of rights.

What do you think ? and how t ore-generate a rapport correctly

I would like to use it to better manage the @ips that connect to the server

phenomlab

@DownPW no, sorry - in NodeBB ACP

phenomlab

@DownPW from recollection, awstats is accessible via the web front end, so (for example) https://mydomain.com/awstats

However, as you are pushing everything into a reverse proxy you’ll need to add a custom route in the nginx.conf file you are using on the website so this can be rendered outside of NodeBB.

DownPW

@phenomlab said in NODEBB: Nginx error performance & High CPU:

@DownPW no, sorry - in NodeBB ACP

Here is the value

phenomlab

@DownPW what is the result of disabling it altogether? That will resolve the 503 rate limit error but could we leave the system exposed to bring overwhelmed.

phenomlab

@DownPW you should also review this

https://docs.nodebb.org/configuring/scaling/

In particular, the part concerning proxied assets.

DownPW

@phenomlab said in NODEBB: Nginx error performance & High CPU:

@DownPW from recollection, awstats is accessible via the web front end, so (for example) https://mydomain.com/awstats

However, as you are pushing everything into a reverse proxy you’ll need to add a custom route in the nginx.conf file you are using on the website so this can be rendered outside of NodeBB.

Thats why I have a permission error like the screen? Odd

Nope, Awstats is accessible like this via Virtualmin:

https://XXXX:8443/virtualmin-awstats/view.cgi?config=XXXXXX.XX

I have jsut an error of permission whe nI test to regenerate a Report because the script can’t access to log file

DownPW

@phenomlab said in NODEBB: Nginx error performance & High CPU:

@DownPW what is the result of disabling it altogether? That will resolve the 503 rate limit error but could we leave the system exposed to bring overwhelmed.

Disabling What ? Traffic management? HSTS ?

phenomlab

@DownPW said in NODEBB: Nginx error performance & High CPU:

Thats why I have a permission error like the screen? Odd

No, not at all. That error is because www-data owns the files when it should be the account you are using to run the website itself under.