Nginx Rate Limiting

Discussion in 'HOWTO-Related Questions' started by intrinsic, Dec 26, 2022.

  1. intrinsic

    intrinsic New Member

    Happy holidays, looks like the bots are at it again during the season.
    There have been thousands of bot requests on a particular server we are maintaining, hammering mysqld and php-fpm8.0

    I have found the tutorial "Rate Limiting with Nginx" by Falko, and have followed the methods in the tutorial.
    However, it would seem that implementation of it either does not work or results in a 404 error for the sub pages.

    Here are the steps replicated:
    nano /etc/nginx/nginx.conf
    http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

    Then in ISPConfig panel, under the domain being targeted, added the directive:
    # BEGIN Rate Limiting with Nginx
    location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php8.0-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    limit_req zone=one burst=5;
    # END Rate Limiting with Nginx

    The index.php works with the website, but subsequent sub-pages and shows not found errors. Website is using wordpress and nginx directives include wordpress specific directives for subpages.

    Is there something that is missing here? Would like to resolve this quickly as it is causing high CPU usage and ruining the holiday season :mad:
  2. Alex Mamatuik

    Alex Mamatuik Member

    I am not familiar with Nginx at all, but what i have found:

    Their approach:
    server {
        location /login/ {
            limit_req zone=mylimit;
            proxy_pass http://my_upstream;
    They recommend to define a path explicitly.

    Falko's approach - to handle all .php - related objects.

    And the next difference: PHP-handler.
    Mr. Falko offers to use sockets with fastcgi
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    proxy_pass http://my_upstream;
    is proposed.

    Your case: php-fpm of the version 8, but also with sockets (not like from the nginx tutorial).

    Recently i was compiling php 8.0.##, php 8.1.## and php 8.2.##.
    And FPM-handler was working only for php-8.0.27.

    The 2 other php-versions (8.1, 8.2) were stable for FastCGI.

    Please, also check, how you compiled your php-8.0.
    ./configure --prefix=/opt/php-8.0.27 --with-libdir=lib64 --disable-rpath \

    --with-openssl --with-kerberos --with-zlib --enable-bcmath --with-bz2 --enable-calendar \

    --with-zip --enable-gd --with-webp --with-jpeg --with-enchant --with-freetype \

    --with-curl --enable-exif --enable-ftp --with-zlib-dir --with-gettext \

    --with-mhash --with-imap --with-imap-ssl \

    --enable-intl --enable-mbstring --with-mysqli=/usr/bin/mysql_config --enable-opcache --enable-pcntl --with-pdo-mysql --with-pdo-pgsql --with-pgsql --enable-soap --with-tidy --enable-sockets --enable-sysvsem --enable-sysvshm --with-xsl --enable-mbregex --with-fpm-user=apache --with-fpm-group=apache --enable-fpm --enable-cgi PKG_CONFIG_PATH=/usr/local/src/libzip-1.7.3/build

    How do i work with the Rate Limiting?
    There is a plenty of tutorials, found on "Redis as a Rate Limiter with PHP" (requires redis module to be installed).
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I don't think we should be compiling php anymore as Ondrej Sury repo should work just fine.
  4. Alex Mamatuik

    Alex Mamatuik Member

    ... but in case of multiple php versions how to deal with repositories' paths?
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I agree that compiling of PHP is not a good choice anymore today, at least for users of Ubuntu and Debian. All PHP versions are in the same repository and they get installed dins separate directories automatically. See current Multi PHP version install guide for ISPConfig:
    ahrasis and Alex Mamatuik like this.

Share This Page