CSF/LFD: CT_LIMIT and TCP Time_Wait connections

Amitz Member
edited May 2012 in Help

Dear all,

I have a question and hopefully you are able to enlighten me a bit...
Some visitors of my website have 200+ open TCP connections to the server, as I can see by typing

/bin/netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

in console. I had the impression that the average server load increases significantly when 5-10 visitors are using that many connections at the same time, so I decided to block everyone with more than 150 open connections via ConfigServerFirewall using the CT_Limit directive.

As you know, CSF/LFD sends out eMails for every event that is triggered and so I get a message whenever a visitor gets temporarily banned for hitting the limit. What I see in these eMails is that most people had TCP connections marked as "TIME_WAIT". The question now is: Is it even possible that TCP connections in "TIME_WAIT" state affect the server load and performance in a negative way or am I "punishing" those visitors unnecessarily?

One should know that we are talking about a very busy adult gallery and obviously, people tend to open many browser tabs with images at the same time which explains the general high volume in open connections. The server has a minimum of 3,000-5,000 connections per second to it all the time.

Thank you very much in advance for your assessment and hints!

Cheers,
-A
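As an added example (not code from the thread), the script below takes netstat -ntu style output like the pipeline in the question and shows how a per-client count changes once TIME_WAIT rows, which belong to connections the server has already closed, are left out. The rows and addresses are constructed; the limit values are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: split a per-client connection
# count into TIME_WAIT versus states that still hold a worker or buffer.
# The thread's netstat pipeline counts every row, so a client whose sockets
# are mostly TIME_WAIT looks like a flood. Addresses below are constructed.

SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.7:51238      TIME_WAIT
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40003        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40004        ESTABLISHED'

# Print "IP count" per peer, counting only TCP rows whose State matches $1
# (an ERE alternation such as 'ESTABLISHED|SYN_RECV'; '.*' counts every
# state, which is what the thread's cut|sort|uniq -c pipeline does).
count_by_state() {
    printf '%s\n' "$SAMPLE" |
        awk -v st="^(${1})\$" '
            $1 ~ /^tcp/ && $6 ~ st { split($5, a, ":"); n[a[1]]++ }
            END { for (ip in n) print ip, n[ip] }' |
        sort -k2,2n
}

# Count for one peer: $1 = IP, $2 = state ERE. Prints 0 when there is none.
count_for() {
    count_by_state "$2" | awk -v ip="$1" '$1 == ip { n = $2 } END { print n + 0 }'
}

# Peers that exceed a CT_LIMIT-style threshold: $1 = limit, $2 = state ERE.
over_limit() {
    count_by_state "$2" | awk -v lim="$1" '$2 > lim { print $1 }'
}

# Stand-alone run: the same limit names different offenders depending on
# whether TIME_WAIT sockets are counted at all.
echo "all states, limit 4:  $(over_limit 4 '.*' | tr '\n' ' ')"
echo "live states, limit 4: $(over_limit 4 'ESTABLISHED|SYN_RECV' | tr '\n' ' ')"
```

Replace the SAMPLE variable with the real output of `netstat -ntu` to see how many of a banned visitor's connections were actually TIME_WAIT at the time of the alert.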

Comments

  • Amitz Member

    No idea, anyone?

  • ElliotJ Member

    It could be that your web server isn't closing off the connections, or your keep alive value is too high.

    Supposing you're using nginx, and if you aren't, you probably should, have a look at this.
    http://wiki.nginx.org/HttpCoreModule#keepalive_timeout

  • subigo Member
    edited May 2012

    You shouldn't be blocking users with iptables, you should be adjusting your Apache configuration. But what you should really be doing, is reading the documentation for Apache.

    http://wiki.apache.org/HttpComponents/FrequentlyAskedConnectionManagementQuestions

  • Jacob Member

    If you're using Apache then the best thing to do would be to decrease the max amount of current client processes, and also the max child processes under that (they are probably named differently).

    Modifying the Start, Maximum servers is a good way to decrease overall server load; Timeout should be set to a fair amount but also at a healthy number.

    Additionally, I would stop CSF and see what impact the server has.

    In this case I don't even see why CSF is necessary. This can all be done via iptables directly or through an htaccess configuration file.

    Perhaps instead of using CSF to place a temporary set time limit ban on the IP, redirect it to a default page on a lowend VPS; that can probably be done in htaccess. Just link it to an external file and it reads the temporary IPs that need to be redirected.

    Even hosting your SQL externally and/or images, then hosting the static files on two separate servers and having round-robin redirect them, or some other sort of load balanced setup.

    Nginx should be used for any heavy sites; Apache just does not cut it.

  • subigo Member

    @Jacob said: If you're using Apache then the best thing to do would be to decrease the max amount of current client processes, and also the max child processes under that (they are probably named differently).

    Modifying the Start, Maximum servers is a good way to decrease overall server load; Timeout should be set to a fair amount but also at a healthy number.

    Additionally, I would stop CSF and see what impact the server has.

    In this case I don't even see why CSF is necessary. This can all be done via iptables directly or through an htaccess configuration file.

    Perhaps instead of using CSF to place a temporary set time limit ban on the IP, redirect it to a default page on a lowend VPS; that can probably be done in htaccess. Just link it to an external file and it reads the temporary IPs that need to be redirected.

    Even hosting your SQL externally and/or images, then hosting the static files on two separate servers and having round-robin redirect them, or some other sort of load balanced setup.

    Nginx should be used for any heavy sites; Apache just does not cut it.

    Your response has made everyone in this thread stupider. The things he's seeing are normal, because that's what TIME_WAIT is supposed to do... and Apache can easily handle even the heaviest loads.

  • Jacob Member

    Sure, Apache can handle it, but nginx will handle connections more efficiently.

    The things I have suggested are ideas for him. His actual question was whether it is necessary to punish the visitors for making so many requests. If Apache is holding the request for 4-5 minutes to prevent a loss of data for the requests, then sure, this is going to conflict with CSF and without a doubt get the IP temporarily blocked.

    @subigo said: Your response has made everyone in this thread stupider. The things he's seeing are normal, because that's what TIME_WAIT is supposed to do... and Apache can easily handle even the heaviest loads.

  • subigo Member

    @Jacob said: Sure, Apache can handle it, but nginx will handle connections more efficiently.

    The things I have suggested are ideas for him. His actual question was whether it is necessary to punish the visitors for making so many requests. If Apache is holding the request for 4-5 minutes to prevent a loss of data for the requests, then sure, this is going to conflict with CSF and without a doubt get the IP temporarily blocked.

    It's not Apache that holds the connection, it's TCP itself and Nginx would see the same number of TIME_WAIT connections with that kind of traffic. And if you configure Apache correctly, it can handle connections just as efficiently as Nginx, if not better... despite what Nginx fanboys say.

  • tux Member

    @subigo said: And if you configure Apache correctly, it can handle connections just as efficiently as Nginx, if not better... despite what Nginx fanboys say.

    Are you an Apache fanboy?

  • Jacob Member

    ^^

  • subigo Member
    edited May 2012

    @tux said: Are you an Apache fanboy?

    Nope. I'll use any server if it fits the job. I have Apache, Lighttpd, and Nginx all running for different things right now. I just hate the Nginx myth about it being so much better. It's only better with the default configurations. Disabling Apache modules and making a few changes will put it right on par with Nginx. Move away from mod_php and I can beat Nginx benchmarks almost every time. My server preference list goes: Lighttpd, Apache, and then Nginx.
