@Madchatthew I’d always post for the reasons I stated above. It’s useful information and could save someone else the headache.
NODEBB: Nginx error performance & High CPU
-
For your information @phenomlab ,
- I have banned, via iptables, suspicious IP addresses found in /etc/nginx/accesss.log and the virtualhost access.log, like this:
iptables -I INPUT -s IPADDRESS -j DROP
- Activate bot option on CF
- Create country rules (Russia and China) on CF WAF
- I left under attack mode option activated on CF
- I have just changed nginx.conf like this for testing (if you have better values, I'll take them!):
worker_rlimit_nofile 70000;
events {
    worker_connections 65535;
    multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
    limit_req zone=flood burst=100 nodelay;
    limit_conn_zone $binary_remote_addr zone=ddos:10m;
    limit_conn ddos 100;
100r/s, it's already a lot!!
And for the vhost file:
server {
    .....
    location / {
        limit_req zone=flood; #Test
        limit_conn ddos 100; #Test
    }
–> If you have other ideas, I’m interested
–> If you have better values to use in what I modified, please let me know.
-
@DownPW my only preference would be to not set worker_connections so high
-
Ok so what value do you advise?
-
@DownPW you should base it on the output of ulimit - see below
With that high value you run the risk of overwhelming your server.
-
-
@DownPW And the worker_processes value? I expect this to be between 1 and 4?
-
worker_processes auto;
-
@DownPW ok. You should refer to that same article I previously provided. You can probably set this to a static value.
-
OK, I will look into a better worker_processes value.
I added a request rate limit and limit_conn_zone in the http block and vhost block:
– nginx.conf:
http {
    # Maximum requests per IP
    limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
    # Maximum connections per IP
    limit_conn_zone $binary_remote_addr zone=ddos:1m;
– vhost.conf:
location / {
    limit_req zone=flood burst=100 nodelay;
    limit_conn ddos 10;
–> I have tested other values for rate and burst but they cause problems accessing the forum. If you have better ones, I'll take them.
Today I added a proxy_read_timeout in vhost.conf (60 by default):
proxy_read_timeout 180;
I have deactivated Under Attack mode on CF and changed it to the High level.
I have added other rules on the CF WAF:
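To see how a given rate and burst treat traffic before applying them, this added example (not part of the original post, and not nginx's own code) replays per-IP request timestamps through a simplified model of limit_req with nodelay. The input format, the function names and the sample trace are constructed assumptions.

```shell
#!/bin/sh
# Added example: simplified model of nginx limit_req with nodelay, per client IP.
# Input lines (assumed format): "<seconds.millis> <ip>", in time order,
# e.g. produced by a log_format containing "$msec $remote_addr".

# simulate_limit_req RATE_PER_SEC BURST  (reads the trace on stdin)
# Prints "<ip> accepted=<n> rejected=<n>", one line per IP.
simulate_limit_req() {
    awk -v rate="$1" -v burst="$2" '
    {
        t = $1; ip = $2
        if (!(ip in last)) {            # first request seen: bucket starts empty
            excess[ip] = 0; last[ip] = t; ok[ip]++; next
        }
        ms = int((t - last[ip]) * 1000 + 0.5)
        e = excess[ip] - rate * ms + 1000   # unit: thousandths of a request
        if (e < 0) e = 0
        if (e > burst * 1000) { bad[ip]++; next }   # over burst: rejected, state kept
        excess[ip] = e; last[ip] = t; ok[ip]++
    }
    END { for (ip in ok) printf "%s accepted=%d rejected=%d\n", ip, ok[ip], bad[ip] }
    ' | sort
}

# Constructed trace: one client firing 30 requests in the same millisecond
# (for instance a page load pulling many assets), one client at 5 requests/second.
sample_trace() {
    awk 'BEGIN {
        for (i = 0; i < 30; i++) print "1700000000.000 203.0.113.7"
        for (i = 0; i < 5; i++) printf "1700000000.%03d 198.51.100.9\n", i * 200
    }'
}

echo "rate=10r/s burst=5:"
sample_trace | simulate_limit_req 10 5
echo "rate=100r/s burst=100 (values from the thread):"
sample_trace | simulate_limit_req 100 100
```

Requests counted as rejected are the ones nginx answers with 503 by default. Behind Cloudflare, $remote_addr is a Cloudflare edge address unless the real client address is restored, so check which address the zone key actually holds.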
-
@DownPW what settings do you have in advanced (in settings) for rate limit etc?
-
@phenomlab said in NODEBB: Nginx error performance & High CPU:
@DownPW what settings do you have in advanced (in settings) for rate limit etc?
In cloudflare ?
-
I wanted to test awstats on virtualmin with root account and it hasn’t updated since August 2022.
I wanted to regenerate the files but I have a permissions problem.
What do you think? And how do I regenerate a report correctly?
I would like to use it to better manage the IP addresses that connect to the server
-
@DownPW no, sorry - in NodeBB ACP
-
@DownPW from recollection, awstats is accessible via the web front end, so (for example) https://mydomain.com/awstats
However, as you are pushing everything into a reverse proxy you'll need to add a custom route in the nginx.conf file you are using on the website so this can be rendered outside of NodeBB.
-
@phenomlab said in NODEBB: Nginx error performance & High CPU:
@DownPW no, sorry - in NodeBB ACP
Here is the value
-
@DownPW what is the result of disabling it altogether? That will resolve the 503 rate limit error but could leave the system exposed to being overwhelmed.
-
@DownPW you should also review this
https://docs.nodebb.org/configuring/scaling/
In particular, the part concerning proxied assets.
-
@phenomlab said in NODEBB: Nginx error performance & High CPU:
@DownPW from recollection, awstats is accessible via the web front end, so (for example) https://mydomain.com/awstats
However, as you are pushing everything into a reverse proxy you'll need to add a custom route in the nginx.conf file you are using on the website so this can be rendered outside of NodeBB.
That's why I have a permission error like the screen? Odd
Nope, Awstats is accessible like this via Virtualmin:
https://XXXX:8443/virtualmin-awstats/view.cgi?config=XXXXXX.XX
I just have a permission error when I try to regenerate a report because the script can't access the log file
-
@phenomlab said in NODEBB: Nginx error performance & High CPU:
@DownPW what is the result of disabling it altogether? That will resolve the 503 rate limit error but could leave the system exposed to being overwhelmed.
Disabling what? Traffic management? HSTS?
-
@DownPW said in NODEBB: Nginx error performance & High CPU:
That's why I have a permission error like the screen? Odd
No, not at all. That error is because www-data owns the files when it should be the account you are using to run the website itself under.