Server hardening without "If" conditions

Hi. I notice that nginx with just the location rules and usual
directives results in mind-blowing performance. Apache Bench test shows
“115,000 requests per second” can be handled.

However, when I add a simple rule:

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
  return 444;
}

Which I think is important from a point of view of getting rid of so
much junk that hits any modern server, the requests per second fall to
“1,200” !!!

Is there any way around this? I would, if possible, prefer that my main
web server be able to handle such basic stuff.

Welcome any thoughts. Thanks!

Posted at Nginx Forum:

On Wed, Jun 01, 2011 at 08:47:48AM -0400, pk899 wrote:

Which I think is important from a point of view of getting rid of so
much junk that hits any modern server, the requests per second fall to
“1,200” !!!

Is there any way around this? I would, if possible, prefer that my main
web server be able to handle such basic stuff.

Welcome any thoughts. Thanks!


Well, the test you added includes the regular expression calculations as
well.
Can nginx use three simpler exact string matches instead? It may be
faster.

Cheers,
Ken

ktm2 Wrote:

Well, the test you added includes the regular expression calculations as
well.
Can nginx use three simpler exact string matches instead? It may be
faster.

Cheers,
Ken

Thanks Ken. How would you write this though?

if ($request_method != "GET" and $request_method != "POST" and $request_method != "HEAD") {
  return 444;
}

This is not correct syntax?


On Wed, Jun 1, 2011 at 7:47 PM, pk899 wrote:

Which I think is important from a point of view of getting rid of so
much junk that hits any modern server, the requests per second fall to
“1,200” !!!

I’m interested in what way this is important. Especially since nginx
will just return error 400 on bad requests.

On Wed, Jun 01, 2011 at 08:47:48AM -0400, pk899 wrote:

Which I think is important from a point of view of getting rid of so
much junk that hits any modern server, the requests per second fall to
“1,200” !!!

Is there any way around this? I would, if possible, prefer that my main
web server be able to handle such basic stuff.

It’s a strange result. The “if” and regex slow down processing,
but not by 3 orders of magnitude.


Igor S.

On Wed, Jun 01, 2011 at 09:02:23AM -0400, pk899 wrote:

However, when I add a simple rule:

Thanks Ken. How would you write this though?

if ($request_method != "GET" and $request_method != "POST" and $request_method != "HEAD") {
  return 444;
}

This is not correct syntax?


I am just learning about nginx so I am not familiar with the syntax yet.
But your query would still require checking three separate conditions
before proceeding.
Could check three separate times and proceed after each one:

if ($request_method == "GET") {
go…
}

if ($request_method == "POST") {
go…
}

return 444;

And order them most likely to least likely.

Cheers,
Ken
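
An added example, not part of any post in this thread: nginx's "if" has no "and" operator and compares strings with = / !=, so the exact-match idea discussed above is normally written with a map lookup, and limit_except restricts methods with no "if" at all. The variable name $method_not_allowed, the server name example.test and the paths are assumptions made for illustration.

```nginx
# Added example (not from the thread). $method_not_allowed, example.test
# and the paths below are hypothetical names chosen for illustration.

events {}

http {
    # Exact-string lookup on the request method: no regex involved.
    # The map is only evaluated when $method_not_allowed is actually read.
    map $request_method $method_not_allowed {
        default 1;   # anything not listed below is rejected
        GET     0;
        HEAD    0;
        POST    0;
    }

    server {
        listen 80;
        server_name example.test;

        # Option 1: a plain variable test instead of a regex match.
        # Keeps the original rule's behaviour: 444 closes the connection
        # without sending any response.
        if ($method_not_allowed) {
            return 444;
        }

        location / {
            root /var/www/html;
        }

        # Option 2: no "if" at all. limit_except applies per location and
        # answers disallowed methods with 403 rather than 444.
        location /app/ {
            limit_except GET POST {   # allowing GET also allows HEAD
                deny all;
            }
            root /var/www/html;
        }
    }
}
```

Running nginx -t against the file checks the syntax before reload; re-running the same benchmark with and without the rule, changing nothing else, shows what the check actually costs.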

On 1 June 2011 15:13, Igor S. wrote:

Which I think is important from a point of view of getting rid of so
much junk that hits any modern server, the requests per second fall to
“1,200” !!!

How scientific is that test? Is 115,000 requests per second an
expected baseline performance? Did anything else change between tests?

And as someone else suggested, this is not really something you should
have to do in nginx in any case. It’s like closing ports you don’t
use. If your system is secure there’s no need. If your system isn’t
secure it won’t help.

Thomas