Public
/
nginx-tuning
mirror of https://github.com/denji/nginx-tuning.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

nofile limit & SELinux

This commit is contained in:
Denis Denisov 2017-12-30 21:06:53 +02:00 committed by GitHub
parent 49af81655a
commit 3e1185e637
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 49 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
README.md
View File

@ -109,7 +109,7 @@ Just For Security Reason
server_tokens off; server_tokens off;
``` ```
Nginx Simple DDoS Defense NGINX Simple DDoS Defense
------------------------- -------------------------
This is far away from secure DDoS defense but can slow down some small DDoS. Those configs are also in test environment and you should do your values. This is far away from secure DDoS defense but can slow down some small DDoS. Those configs are also in test environment and you should do your values.
@ -158,6 +158,52 @@ nginx -s reload
You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours. You can test this configuration with `tsung` and when you are satisfied with result you can hit `Ctrl+C` because it can run for hours.
Increase The Maximum Number Of Open Files (`nofile` limit) Linux
-----------------------------------------------
Two ways to raise the nofile/max open files/file descriptors/file handles limit for NGINX in RHEL/CentOS 7+.
With NGINX running, checking current limit on master process
$ cat /proc/$(cat /var/run/nginx.pid)/limits | grep open.files
Max open files 1024 4096 files
#### And worker processes
ps --ppid $(cat /var/run/nginx.pid) -o %p|sed '1d'|xargs -I{} cat /proc/{}/limits|grep open.files
Max open files 1024 4096 files
Max open files 1024 4096 files
Trying with the `worker_rlimit_nofile` directive in `{,/usr/local}/etc/nginx/nginx.conf` fails as SELinux policy doesn't allow `setrlimit`. This is shown in `/var/log/nginx/error.log`
015/07/24 12:46:40 [alert] 12066#0: setrlimit(RLIMIT_NOFILE, 2342) failed (13: Permission denied)
#### And in /var/log/audit/audit.log
type=AVC msg=audit(1437731200.211:366): avc: denied { setrlimit } for pid=12066 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
#### `nolimit` without Systemd
$ nano /etc/security/limits.d/nginx.conf
nginx soft nofile 65536
nginx hard nofile 65536
$ sysctl -p
#### `nolimit` with Systemd
$ mkdir -p /etc/systemd/system/nginx.service.d
$ nano /etc/security/limits.d/nginx.conf
[Service]
LimitNOFILE=30000
$ systemctl daemon-reload
$ systemctl restart nginx.service
#### SELinux boolean `httpd_setrlimit` to true(1)
This will set fd limits for the worker processes. Leave the `worker_rlimit_nofile` directive in `{,/usr/local}/etc/nginx/nginx.conf` and run the following as root
setsebool -P httpd_setrlimit 1
DoS [HTTP/1.1 and above: Range Requests](https://tools.ietf.org/html/rfc7233#section-6.1) DoS [HTTP/1.1 and above: Range Requests](https://tools.ietf.org/html/rfc7233#section-6.1)
---------------------------------------- ----------------------------------------
@ -189,6 +235,8 @@ Reference links
* https://www.keycdn.com/support/tcp-fast-open/ * https://www.keycdn.com/support/tcp-fast-open/
* https://www.masv.io/enabling-tcp-fast-open-nginx-centos-7/ * https://www.masv.io/enabling-tcp-fast-open-nginx-centos-7/
* ~~https://www.52os.net/articles/nginx-anti-ddos-setting-2.html~~ * ~~https://www.52os.net/articles/nginx-anti-ddos-setting-2.html~~
* https://ospi.fi/blog/centos-7-raise-nofile-limit-for-nginx.html
* https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
* https://github.com/h5bp/server-configs-nginx * https://github.com/h5bp/server-configs-nginx
* https://github.com/nginx-boilerplate/nginx-boilerplate * https://github.com/nginx-boilerplate/nginx-boilerplate
* https://www.nginx.com/blog/thread-pools-boost-performance-9x/ * https://www.nginx.com/blog/thread-pools-boost-performance-9x/