@Madchatthew said in TNG + Nodebb:
you have to try and use duck tape and super glue to change something to make it do what you want it to do
I couldn’t have put that better myself.
@DownPW ok, good. Let’s see what the challenge does to the site traffic. Those who are legitimate users won’t mind having to perform a one-time additional authentication step, but bots of course will simply stumble at this hurdle.
The number of users is better (408), but there are a lot of lost connections. Navigation is hard.
I have changed the nginx conf with:
worker_rlimit_nofile 70000;
events {
    worker_connections 65535;
    multi_accept on;
}
CF is in Under Attack mode
@DownPW I still have access to your Cloudflare tenant so will have a look shortly.
EDIT: I am in now - personally, I would also enable this (and configure it)
@phenomlab I have already activated it and added a WAF rule for Russia
With these bot settings:
and these settings for DDoS protection:
@DownPW said in NODEBB: Nginx error performance & High CPU:
I have already activated it
Are you sure? When I checked your tenant it wasn’t active - it’s from where I took the screenshot
Yep, I activated it after.
For your information @phenomlab,
iptables -I INPUT -s IPADDRESS -j DROP
worker_rlimit_nofile 70000;
events {
    worker_connections 65535;
    multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
    limit_req zone=flood burst=100 nodelay;
    limit_conn_zone $binary_remote_addr zone=ddos:10m;
    limit_conn ddos 100;
100r/s, it’s already a lot!!
and for the vhost file:
server {
    .....
    location / {
        limit_req zone=flood; #Test
        limit_conn ddos 100; #Test
    }
–> If you have other ideas, I’m interested
–> If you have better values to use in what I modified, please let me know.
@DownPW my only preference would be to not set worker_connections so high
Ok so what value do you advise?
@DownPW you should base it on the output of ulimit - see below
With that high value you run the risk of overwhelming your server.
@DownPW And the worker_processes value? I expect this to be between 1 and 4?
worker_processes auto;
@DownPW ok. You should refer to that same article I previously provided. You can probably set this to a static value.
OK, I will look at it for a better worker_processes value.
I added a request rate limit and limit_conn_zone in the http block and vhost block:
– nginx.conf:
http {
    # Maximum requests per IP
    limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
    # Maximum connections per IP
    limit_conn_zone $binary_remote_addr zone=ddos:1m;
– vhost.conf:
location / {
    limit_req zone=flood burst=100 nodelay;
    limit_conn ddos 10;
–> I have tested other values for rate and burst, but they cause problems accessing the forum. If you have better ones, I’ll take them.
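Added example, not part of the original thread and not nginx's own code: a simplified Python model of the leaky-bucket accounting that limit_req uses per client key, comparing the `limit_req zone=flood;` line (no burst) with `burst=100 nodelay` at rate=100r/s. The arrival patterns and the 10r/s, burst=20 setting are constructed for illustration, and the model covers accept/reject only, not delaying.

```python
"""Simplified model of nginx limit_req accounting for a single client IP."""


def simulate(arrivals_ms, rate_per_s, burst=0):
    """Return one bool per request: True if it passes, False if rejected.

    The bucket level ("excess") is tracked in thousandths of a request.
    It drains at rate_per_s and grows by one request per accepted arrival.
    A request that would push the level above `burst` is rejected and
    leaves the state untouched.
    """
    limit = burst * 1000
    excess, last = 0, None
    verdicts = []
    for now in arrivals_ms:
        if last is None:
            candidate = 0  # first request from this key always passes
        else:
            drained = rate_per_s * (now - last)  # milli-requests leaked
            candidate = max(0, excess - drained + 1000)
        if candidate > limit:
            verdicts.append(False)
            continue
        excess, last = candidate, now
        verdicts.append(True)
    return verdicts


def passed(arrivals_ms, rate_per_s, burst=0):
    """Number of requests that get through."""
    return sum(simulate(arrivals_ms, rate_per_s, burst))


# Constructed traffic: a browser fetching 40 assets, one every 2 ms,
# and a flood of one request per millisecond for two seconds.
PAGE_LOAD = [2 * i for i in range(40)]
FLOOD = list(range(2000))

if __name__ == "__main__":
    for label, rate, burst in [
        ("rate=100r/s, no burst", 100, 0),
        ("rate=100r/s, burst=100", 100, 100),
        ("rate=10r/s, burst=20 (constructed)", 10, 20),
    ]:
        print(f"{label:36} page load {passed(PAGE_LOAD, rate, burst)}/40, "
              f"flood {passed(FLOOD, rate, burst)}/2000")
```

With no burst, a client at 100r/s is held to one request per 10 ms, so a parallel page load loses most of its requests, while burst=100 lets the page load through and still caps the two-second flood at burst plus rate times duration.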
Today I added a proxy_read_timeout in vhost.conf (60 by default)
proxy_read_timeout 180;
I have deactivated Under Attack mode on CF and changed to the High level
I have added other rules on the CF WAF:
@DownPW what settings do you have in advanced (in settings) for rate limit etc?
@phenomlab said in NODEBB: Nginx error performance & High CPU:
@DownPW what settings do you have in advanced (in settings) for rate limit etc?
In Cloudflare?
I wanted to test AWStats on Virtualmin with the root account and it hasn’t updated since August 2022.
I wanted to regenerate the files but I have a permissions problem.
What do you think? And how do I re-generate a report correctly?
I would like to use it to better manage the IP addresses that connect to the server
@DownPW no, sorry - in NodeBB ACP