Lexa Software: Nginx-ru@sysoev.ru archive

13.03.08, Anton Bogdanovitch <poison.box@xxxxxxxxx> написал(а):

На сервере установлен nginx/0.5.26 + php-cgi 5.2.5 через fastcgi.
Нагрузка ~ 4000 уникальных посетителей в час.
В /var/log/messages каждые 10-20 минут появляется сообщение
kernel: possible SYN flooding on port 80. Sending cookies.

netstat -n -p|grep SYN_REC | wc -l
показывает от 30 до 250 соединений SYN_REC, причем если соединений
больше 100, то 80 из них - это один ip, потом он исчезает, появляется
другой ip, и так далее.

Раз в сутки сервер стабильно виснет, не оставляя ничего в логах, кроме
possible SYN flooding on port 80. Sending cookies. Так, что админам
приходится ребутить руками. В рабочее время нагрузка на нем почти ноль.

Может ли причиной быть кривая конфигурация/баг в nginx? (конфиг в аттаче)

Типичный случай:
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
122.50.182.117
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
70.245.13.128
75.57.133.196
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
70.245.13.128
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
24.99.246.104
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
60.50.160.90
72.234.1.154
60.50.160.90
60.50.160.90
60.50.160.90
24.99.246.104
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
70.245.13.128
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
24.99.246.104
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
70.245.13.128
60.50.160.90
60.50.160.90
70.245.13.128
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
60.50.160.90
70.245.13.128

user  nginx;
worker_processes  4;

#error_log   /var/log/nginx/error.log;
error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;

events {
    worker_connections  2048;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] $request '
                      '"$status" $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    server_names_hash_bucket_size 64;

    #gzip  on;

    server {
                listen       80;
                server_name  somedomain.com;

                #access_log     /var/www/somedomain.com/log/access main;
                access_log      /var/www/somedomain.com/log/access main;
                error_log       /var/www/somedomain.com/log/error notice;

                root   /var/www/somedomain.com/data;
                index  index.php;

                location ~ /\.ht {
                        deny  all;
                }

                location ~* ^.+\.(class|inc)$ {
                        deny  all;
                }

                location ~* ^\/(\d+)\/(\d+)\/(.+)$ {
                        rewrite ^\/(\d+)\/(\d+)\/(.+)$ /$3?$args last;
                        break;
                }

                location ~* ^\/(\d+)\/(\d+)\/?$ {
                        rewrite ^\/(\d+)\/(\d+)\/?$ /index.php?page=$1&aff=$2&$args last;
                        break;
                }

                location ~* ^.+\.php$ {

                        fastcgi_pass   unix:/tmp/php-fcgi.sock;
                        fastcgi_index  index.php;

                        include /etc/nginx/fastcgi.conf;
                }

                location / {
                        if (!-e $request_filename) {
                                rewrite  ^(.*)$  /index.php?request_uri=$1  last;
                                break;
                        }
                }
        }

}

Re: possible SYN flooding on port 80. Sending cookies.