Nginx is one of the most popular web servers today. Its popularity comes from the fact that it is very fast and easy to set up. The other side of this popularity is that nginx is often a target of malicious attacks. If nginx is not limited in the resources it may use, your server may "fall" completely once nginx has consumed all system resources. That's why you should control and limit the resources nginx consumes.
All limits are set in the nginx configuration file. I will use Ubuntu 20.04 as the example; all changes are made in the /etc/nginx/nginx.conf file. Each directive must end with a semicolon. The most important parameters are described below.
Global settings
These settings affect the whole server. The parameters are:
- worker_connections - defines how many simultaneous connections one worker (the nginx process that talks to the operating system kernel and serves clients) can handle. The number of workers depends on how many CPU cores and how much RAM your server has;
- multi_accept - allows a worker to accept several new connections at once instead of one per wake-up; the accepted connections are queued and handled one by one;
- accept_mutex_delay - defines how long a worker waits before it retries accepting new connections while another worker holds the accept mutex;
- use - the connection processing method. The best choice for Linux servers is epoll;
- limit_conn - limits the number of connections. It may be set in several contexts (http, server, location), and all of the configured restrictions are enforced. On the screenshot below I set the total connections to 5 per IP and 2 for the /download folder:
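The configuration behind that description, as an added example that is not the original post's screenshot: the events block with the directives above and a limit_conn zone giving 5 connections per IP for the whole site and 2 for /download. The zone name, zone size and worker_connections value are my assumptions.

```nginx
# /etc/nginx/nginx.conf (added example, not from the original post)
worker_processes auto;            # one worker per CPU core

events {
    worker_connections 1024;      # per worker; the total is roughly workers * 1024
    multi_accept on;              # accept every pending connection at once
    use epoll;                    # best connection-processing method on Linux
    accept_mutex on;
    accept_mutex_delay 500ms;     # wait this long before retrying the accept mutex
}

http {
    # shared memory zone keyed by client IP; "per_ip" and 10m are assumptions
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;
    limit_conn_status 429;        # returned when a limit is hit (default is 503)
    limit_conn_log_level warn;    # rejected connections are written to error.log

    server {
        listen 80;
        # at most 5 simultaneous connections from one IP across the whole site
        limit_conn per_ip 5;

        location /download/ {
            # limit_conn is not inherited once set here, so only the value 2
            # is checked in this location, but the per_ip counter is shared
            # with the rest of the site, so a client already holding 2 or more
            # connections anywhere is refused here
            limit_conn per_ip 2;
        }
    }
}
```

Check the result with `nginx -t` before reloading; the 429 responses and the "limiting connections by zone" entries in error.log show how often the limits actually trigger.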
Disk operations
These settings define how nginx works with the disk drive:
- sendfile on - allows the web server to hand file data to the network socket inside kernel space, without copying it into user (application) space first. It makes serving files much faster;
- aio on - this directive enables asynchronous (multi-threaded) read/write disk operations.
Compression and caching
You may cache some data to make nginx faster. Compression reduces the traffic flow:
- gzip on - this option turns compression on;
- gzip_comp_level - compression level. A higher value means stronger compression at the cost of more CPU time per response;
- gzip_types - defines the MIME types of files to be compressed. Text compresses well, but pictures do not (they are already compressed).
- open_file_cache - enables caching of open file descriptors and file metadata;
- open_file_cache_valid - how long a cache entry is kept before it is re-validated;
- open_file_cache_errors - this option also caches file lookup errors such as "access denied" or "not found". It may help against a massive simultaneous-connection attack that keeps requesting missing files;
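The disk, compression and caching directives from the last two sections collected into one http block, as an added example that is not from the original post. The concrete values (compression level, cache sizes and timeouts) are my assumptions and should be tuned to the server.

```nginx
# inside the http { } block of /etc/nginx/nginx.conf (added example)
http {
    # --- disk operations ---
    sendfile on;                  # file data stays in kernel space on its way to the socket
    tcp_nopush on;                # with sendfile: send headers and file start in one packet
    # the post's "aio on" needs directio on Linux, otherwise reads stay blocking;
    # on Ubuntu builds the thread pool variant is the usual choice
    aio threads;

    # --- compression ---
    gzip on;
    gzip_comp_level 5;            # 1..9: higher = smaller responses, more CPU per request
    gzip_min_length 1024;         # responses smaller than 1 KB are not worth compressing
    gzip_vary on;                 # add "Vary: Accept-Encoding" so caches keep both variants
    # text/html is always compressed; JPEG/PNG are already compressed and are left out
    gzip_types text/plain text/css text/xml application/xml
               application/json application/javascript image/svg+xml;

    # --- file descriptor / metadata cache ---
    open_file_cache max=2000 inactive=20s;  # up to 2000 entries, dropped if unused 20 s
    open_file_cache_valid 60s;              # re-check a cached entry after 60 s
    open_file_cache_min_uses 2;             # cache only files requested at least twice
    open_file_cache_errors on;              # remember "not found"/"denied" lookups too
}
```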
Security settings
You may restrict access for scrapers, bots, downloaders etc. Just add a construct like the one below to the restricted location (the opening line of the block is missing from the page; the pattern shown is a placeholder):
```nginx
if ($http_user_agent ~* "PLACEHOLDER_BOT_PATTERN") {   # placeholder: opening line not on the page
    return 403;
}
```
Also, you can allow access to some website areas only from defined IPs. This is useful for restricting access to the admin area, e.g. (the location line is missing from the page; /admin/ is an assumed path):
```nginx
location /admin/ {          # assumed path: the opening line is not on the page
    ## allow access from your IP
    allow xxx.xxx.xxx.xxx/32;
    ## drop all other connections
    deny all;
}
```
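Both restrictions in one server block, as an added example that is not from the original post. A map replaces the per-location `if`, so the User-Agent check is applied once for the whole site; the bot names, the server name, the admin path and the allowed address are placeholders.

```nginx
# added example; all names and addresses below are placeholders
http {
    # 1 = reject this User-Agent; add your own patterns to the list
    map $http_user_agent $bad_bot {
        default                           0;
        ""                                1;   # empty User-Agent, almost never a browser
        ~*(placeholderbot|scraperx)       1;   # case-insensitive regex, placeholder names
    }

    server {
        listen 80;
        server_name example.com;               # placeholder

        # scrapers/bots/downloaders get 403 for every URL on this server
        if ($bad_bot) {
            return 403;
        }

        # admin area reachable only from one address; denied requests show up
        # in error.log as "access forbidden by rule", which is worth alerting on
        location /admin/ {
            allow 203.0.113.10/32;             # placeholder from the TEST-NET-3 range
            deny  all;
        }
    }
}
```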
Conclusion
Nginx is a powerful and efficient web server widely used for its speed and flexibility. However, its popularity makes it a frequent target for various attacks and resource abuse attempts. Properly configuring resource limits and access controls in your Nginx setup is essential to maintain server stability, prevent overloads, and protect sensitive areas from unauthorized access. By tuning global connection limits, optimizing disk operations, enabling compression and caching, and implementing security restrictions like IP-based access control and user-agent filtering, you can significantly improve both performance and security of your server. Always remember to regularly review and adjust these settings based on your server’s workload and traffic patterns to ensure optimal protection and efficiency.
FAQ
- Q1: Why should I limit the number of connections per IP in Nginx?
Limiting connections per IP helps prevent abuse such as DoS (Denial of Service) attacks or excessive resource consumption by a single user, ensuring fair resource distribution among all visitors and maintaining server stability.
- Q2: What is the benefit of enabling sendfile and aio in Nginx?
sendfile improves performance by allowing the server to transfer files directly between the disk and the network without copying data between user and kernel space. aio enables asynchronous disk operations, increasing I/O efficiency, especially for high-traffic sites.
- Q3: How does gzip compression help Nginx security and performance?
Gzip reduces the size of responses sent to clients, lowering bandwidth usage and speeding up content delivery. While it is mainly a performance feature, efficient compression indirectly enhances security by minimizing the attack surface related to excessive data transmission.
- Q4: Can I block unwanted bots and scrapers using Nginx configuration?
Yes, you can restrict access based on user-agent strings with simple conditional rules in your Nginx configuration, returning HTTP 403 Forbidden for known malicious bots or scrapers.
- Q5: Is it enough to rely only on Nginx limits for server security?
No, Nginx limits and access controls are an important part of security but should be complemented by other measures like firewalls, regular software updates, secure authentication, and monitoring for a robust defense.