We've had to start hardening our services against increasingly frequent Denial of Service (DoS) attacks. OVH provides DDoS mitigation, but this a smaller scale problem.
Unfortunately, nginx lacks some important configuration options and some others are specific to NGINX Plus.
Conversation
Setting client_body_timeout to 15s won't time out a client sending 1 byte every 10s. There's no timeout for receiving the whole body. Only permitting tiny request bodies helps but isn't always an option. There's no way to timeout based on a minimum rate or even the total time.
Replying to
blog.cloudflare.com/the-curious-ca is a post about the interaction between send timeouts and buffering. It's not quite the same thing and buffer bloat mitigations may partially address it. Still, it shows how this approach to timeouts based on time between system calls doesn't work well.
1
2
The configuration option to queue connections as a reverse proxy instead of dropping them (nginx.org/en/docs/http/n) is only available for NGINX Plus. This seems a bit ridiculous. I mistakenly thought the proprietary variant was for enterprise features, not basic functionality.
1
1