
[INSTALLATION] nginx: [emerg] zero size shared memory zone "flood" #309

Closed
mrEckendonk opened this issue Aug 25, 2019 · 5 comments

Comments

@mrEckendonk

Describe the problem you are experiencing

Finally, time to install, but every time I use a different method. Now I almost have a manual for the stack that I use and don't want to restore the server to its original state to get this manual correct and working for further use. The bug and the trail to get it working is too much work; I just need a good manual for Centmin.

Copy of nginx.conf

user              nginx nginx;
worker_processes 2;
worker_priority -10;

worker_rlimit_nofile 520000;
timer_resolution 100ms;

pcre_jit on;
include /usr/local/nginx/conf/dynamic-modules.conf;

pid         logs/nginx.pid;

events {
    worker_connections  100000;
    accept_mutex off;
    accept_mutex_delay 200ms;
    use epoll;
    #multi_accept on;
}

http { 
limit_req_zone $binary_remote_addr zone=xwprpc:10m rate=30r/s;
 
 include /usr/local/nginx/conf/brotli_inc.conf;
 map_hash_bucket_size 128;
 map_hash_max_size 4096;
 server_names_hash_bucket_size 128;
 server_names_hash_max_size 4096;
 variables_hash_max_size 2048;

 resolver 127.0.0.1 valid=10m;
 resolver_timeout 10s;

limit_req_zone $binary_remote_addr zone=xwplogin:16m rate=40r/m;
#limit_conn_zone $binary_remote_addr zone=xwpconlimit:16m;

# sets Centmin Mod headers via headers more nginx module
# https://github.com/openresty/headers-more-nginx-module
# don't remove the first 2 lines as centmin mod checks to see if they're 
# missing and re-adds them anyway. Just uncomment the 3rd & 4th lines
# which is used to override the Server header to what you want = nginx
# and remove the X-Powered-By header + restart nginx service
# do not disable headers more nginx module itself as it's required for
# other centmin mod features like redis nginx level caching & letsencrypt
# integration in vhosts created by addons/acmetool.sh
more_set_headers "Server: nginx centminmod";
more_set_headers "X-Powered-By: centminmod";
#more_set_headers "Server: nginx";
#more_clear_headers "X-Powered-By";

# uncomment cloudflare.conf include if using cloudflare for
# server and/or vhost site + setup cron job for command
# /usr/local/src/centminmod/tools/csfcf.sh auto
# run the auto command once to populate cloudflare ips
#include /usr/local/nginx/conf/cloudflare.conf;
# uncomment incapsula.conf include if using incapsula for
# server and/or vhost site + setup cron job for command
# /usr/local/src/centminmod/tools/csfincapsula.sh auto
# run the auto command once to populate incapsula ips
#include /usr/local/nginx/conf/incapsula.conf;
include /usr/local/nginx/conf/maintenance.conf;
#include /usr/local/nginx/conf/vts_http.conf;
include /usr/local/nginx/conf/geoip.conf;
include /usr/local/nginx/conf/webp.conf;
include /usr/local/nginx/conf/ssl_include.conf;
#include /usr/local/nginx/conf/pagespeedadmin.conf;
include /usr/local/nginx/conf/fastcgi_param_https_map.conf;
include /usr/local/nginx/conf/redisupstream.conf;
include /usr/local/nginx/conf/wpcacheenabler_map.conf;
include /usr/local/nginx/conf/default_phpupstream.conf;

log_format  main  '$remote_addr - $remote_user [$time_local] $request '
                '"$status" $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                ' "$connection" "$connection_requests" "$request_time"';

log_format  ddos-proxy '$remote_addr for $http_x_real_ip - $remote_user [$time_local] $request '
                '"$status" $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                ' "$connection" "$connection_requests" "$request_time"';

log_format  main_ext  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$host" sn="$server_name" '
                      'rt=$request_time '
                      'ua="$upstream_addr" us="$upstream_status" '
                      'ut="$upstream_response_time" ul="$upstream_response_length" '
                      'cs=$upstream_cache_status' ;

# only uncomment the include line to enable it if you have enabled the ngx_brotli module
# which is disabled by default https://community.centminmod.com/threads/10688/
#include /usr/local/nginx/conf/log_format_brotli.conf;

access_log  off;
error_log   logs/error.log warn;

    index  index.php index.html index.htm;
    include       mime.types;
    default_type  application/octet-stream;
    charset utf-8;

sendfile off;
aio on;
sendfile_max_chunk 512k;
tcp_nopush  on;
 
    ##
    # Nginx Bad Bot Blocker Includes
    # REPO: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
    ##
        include /usr/local/nginx/conf/ultimate-badbot-blocker/botblocker-nginx-settings.conf; 
        include /usr/local/nginx/conf/ultimate-badbot-blocker/globalblacklist.conf;
 
tcp_nodelay on;
server_tokens off;
server_name_in_redirect off;

keepalive_timeout  10s;
keepalive_requests 5000;
lingering_time 20s;
lingering_timeout 5s;
keepalive_disable msie6;

gzip on;
gzip_vary   on;
gzip_disable msie6;
gzip_static on;
gzip_min_length   1400;
gzip_buffers      1024 8k;
gzip_http_version 1.1;
gzip_comp_level 5;
gzip_proxied    any;
gzip_types text/plain text/css text/xml application/javascript application/x-javascript application/xml application/xml+rss application/ecmascript application/json image/svg+xml;

client_body_buffer_size 256k;
client_body_in_file_only off;
client_body_timeout 10s;
client_header_buffer_size 64k;
## how long a connection has to complete sending
## its headers for the request to be processed
client_header_timeout  10s;
client_max_body_size 1024m; 
connection_pool_size  512;
directio  4m;
directio_alignment 4096;
ignore_invalid_headers on;       
large_client_header_buffers 8 64k;
output_buffers   1 512k;
postpone_output  1460;
proxy_temp_path  /tmp/nginx_proxy/;
request_pool_size  32k;
reset_timedout_connection on;
send_timeout     60s;
types_hash_max_size 2048;

# for nginx proxy backends to prevent redirects to backend port 
# port_in_redirect off;

open_file_cache max=50000 inactive=60s;
open_file_cache_valid 120s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
open_log_file_cache max=10000 inactive=30s min_uses=2;

## limit number of concurrency connections per ip to 16
## add to your server {} section the next line
## limit_conn limit_per_ip 16;
## uncomment below line allows 500K sessions
# limit_conn_log_level error;
#######################################
# use limit_zone for Nginx <v1.1.7 and lower
# limit_zone $binary_remote_addr zone=limit_per_ip:16m;
#######################################
# use limit_conn_zone for Nginx >v1.1.8 and higher
# limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
#######################################

 include /usr/local/nginx/conf/conf.d/*.con

host file is ok!


## Server (please complete the following information):

- Operating System:
  - [X] CentOS
- Specify Exact Version of OS: 7.6

uname -a
Linux server24. 5.2.9-1.el7.elrepo.x86_64 #1 SMP Fri Aug 16 08:17:55 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux


- Nginx Version [post output of sudo nginx -v]

nginx -V
nginx version: nginx/1.17.3 (210819-015517-centos7-kvm)
built by gcc 8.3.1 20190311 (Red Hat 8.3.1-3) (GCC)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --with-ld-opt='-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -lpcre -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib -flto=2 -fuse-ld=gold' --with-cc-opt='-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto=2 -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations -gsplit-dwarf' --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=210819-015517-centos7-kvm --with-compat --with-http_stub_status_module --with-http_secure_link_module --with-libatomic --with-http_gzip_static_module --with-file-aio --add-dynamic-module=../ngx_brotli --add-dynamic-module=../ngx_http_geoip2_module --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-dynamic-module=../lua-nginx-module-0.10.15 --add-module=../stream-lua-nginx-module-0.0.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-http_v2_hpack_enc --with-openssl=../openssl-1.1.1c --with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3 -fuse-ld=gold' --add-dynamic-module=../ModSecurity-nginx


- Other Environments [include Version information]
  - [X] Other
  - Specify Other / Specific Version Information Here: Centmin beta09


nothing related

@mrEckendonk
Author

mrEckendonk commented Aug 25, 2019

Guess I resolved it.

Add at line #24

#23  limit_req_zone $binary_remote_addr zone=xwprpc:10m rate=30r/s;
#24  limit_req_zone $binary_remote_addr zone=flood:10m rate=30r/s;   

All tests give

curl: (56) TCP connection reset by peer

so I can enable Cloudflare again.

Only have doubts about the time and rate.

Will continue with the implementation of the logging for the fake Google bot and make a cron to send you the results.

The problem is, I guess, the new kernel 5.2. It works with nginx 1.17.3, so better change README.md to "works with nginx 1.17.x"... It works with every version. That helps to avoid changing README.md many times, as until now every version of nginx has worked.
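The fix in this comment is a missing declaration: the bad bot blocker's settings reference `limit_req zone=flood`, and nginx registers a zone it has only seen referenced (never declared by `limit_req_zone`) with size 0, which is what the startup error "zero size shared memory zone" reports. The script below is an added example, not part of this issue or of the blocker project: it scans nginx configuration text (with included files concatenated, as a stand-in for nginx's `include` handling) for `limit_req_zone` definitions and `limit_req` references and reports any reference without a definition. The sample configs, the placeholder include comment and the regexes are constructed for the example.

```python
import re

# Regexes for the two directives (constructed for this example; they cover the
# usual one-line forms, not every corner of nginx syntax).
ZONE_DEF_RE = re.compile(r'^\s*limit_req_zone\s+\S+\s+zone=(\w+):(\d+)([kKmM]?)\b')
ZONE_USE_RE = re.compile(r'^\s*limit_req\s+zone=(\w+)\b')

SIZE_UNITS = {'': 1, 'k': 1024, 'm': 1024 * 1024}


def strip_comment(line: str) -> str:
    """Drop an nginx '#' comment. Good enough here: none of the sample lines
    put '#' inside a quoted string."""
    return line.split('#', 1)[0]


def collect_zones(config_text: str):
    """Return ({zone_name: size_bytes}, [(zone_name, line_no), ...]) for all
    limit_req_zone definitions and limit_req references in the text."""
    defined, used = {}, []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = strip_comment(raw)
        m = ZONE_DEF_RE.match(line)
        if m:
            name, num, unit = m.groups()
            defined[name] = int(num) * SIZE_UNITS[unit.lower()]
            continue
        m = ZONE_USE_RE.match(line)
        if m:
            used.append((m.group(1), line_no))
    return defined, used


def check_zones(config_text: str):
    """List every limit_req reference whose zone is never declared. nginx
    registers such a zone with size 0 when it parses the reference and then
    fails at startup with 'zero size shared memory zone "<name>"'."""
    defined, used = collect_zones(config_text)
    return [f'line {n}: limit_req zone="{name}" has no limit_req_zone definition'
            for name, n in used if name not in defined]


# Constructed sample: nginx.conf with its included files concatenated, mirroring
# the situation in the issue (zones xwprpc/xwplogin defined, "flood" only used).
BROKEN = """\
http {
limit_req_zone $binary_remote_addr zone=xwprpc:10m rate=30r/s;
limit_req_zone $binary_remote_addr zone=xwplogin:16m rate=40r/m;
#limit_conn_zone $binary_remote_addr zone=xwpconlimit:16m;
    # --- contents pulled in by an include, placeholder path ---
    limit_req zone=flood burst=200 nodelay;   # references a zone nobody declared
}
"""

# Same text with the line the issue author added at line 24 of nginx.conf.
FIXED = BROKEN.replace(
    "limit_req_zone $binary_remote_addr zone=xwplogin:16m rate=40r/m;",
    "limit_req_zone $binary_remote_addr zone=xwplogin:16m rate=40r/m;\n"
    "limit_req_zone $binary_remote_addr zone=flood:10m rate=30r/s;",
)

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        problems = check_zones(text)
        print(label, "->", problems or "all limit_req zones are defined")
```

Run it before `nginx -t` after dropping a new include into `conf.d`; the check catches the undeclared zone without restarting anything, whereas nginx only reports it when the whole configuration is loaded.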

@mrEckendonk
Author

As you can see, I have this inside nginx.conf:

sendfile off;
aio on;

@mitchellkrogza
Owner

Hi @Eckybrazzz, sorry I was AFK, glad you got sorted.
The recommended settings for that zone should be

limit_req_zone $binary_remote_addr zone=flood:50m rate=90r/s;

but it's a matter of personal preference and determining what breaks your site and where. A rate that is too low for Wordpress sites can cause problems.

I've not yet used aio but shouldn't it be

sendfile on;
aio on;
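The comment above says a rate that is too low breaks WordPress sites, and the author of the issue has doubts about the time and rate. The simulation below is an added example, not code from this issue or from the blocker project: it re-implements the leaky-bucket accounting of nginx's `ngx_http_limit_req_module` (excess kept in thousandths of a request, each request adds 1000, `rate * elapsed_ms` leaks out, a request that would push excess above `burst * 1000` is rejected and leaves the bucket unchanged) and runs a constructed page load of 40 assets 10 ms apart through it at the rates discussed in the thread. The traffic pattern and the burst values are assumptions; whether accepted requests get delayed (no `nodelay`) is not modelled, only accepted versus rejected.

```python
def simulate_limit_req(timestamps_ms, rate_rps, burst=0):
    """Classify one client's requests the way nginx's limit_req accounting does.

    Mirrors ngx_http_limit_req_module's integer bookkeeping: 'excess' is kept in
    thousandths of a request, each request adds 1000, and rate_rps * elapsed_ms
    leaks out between requests. A request is rejected when excess would exceed
    burst * 1000; a rejected request does not update the bucket. Delay of
    accepted requests inside the burst (no 'nodelay') is not modelled.
    Returns (accepted, rejected) counts.
    """
    excess = 0
    last_ms = None
    accepted = rejected = 0
    for ts in timestamps_ms:
        if last_ms is None:              # first request from this client: always ok
            accepted += 1
            last_ms = ts
            continue
        elapsed = ts - last_ms
        new_excess = excess - rate_rps * elapsed + 1000
        if new_excess < 0:
            new_excess = 0
        if new_excess > burst * 1000:
            rejected += 1                # bucket unchanged on rejection
            continue
        excess, last_ms = new_excess, ts
        accepted += 1
    return accepted, rejected


def page_load_burst(assets, gap_ms):
    """Constructed traffic: a browser fetching `assets` files of one page,
    one request every `gap_ms` milliseconds (a plausible WordPress page load)."""
    return [i * gap_ms for i in range(assets)]


if __name__ == "__main__":
    load = page_load_burst(40, 10)
    for rate, burst in ((30, 0), (90, 0), (30, 50), (90, 50)):
        ok, dropped = simulate_limit_req(load, rate, burst)
        print(f"rate={rate}r/s burst={burst}: accepted={ok} rejected={dropped}")
```

With the default `burst=0`, 30r/s lets through only every fourth request of that page load and 90r/s every second one; the same load passes entirely once the `limit_req` directive carries a burst large enough to absorb one page's worth of assets. That is the "what breaks your site and where" question from the comment, answered on constructed traffic rather than on a live site.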

@mitchellkrogza
Owner

> The problem is, I guess, the new kernel 5.2. It works with nginx 1.17.3, so better change README.md to "works with nginx 1.17.x"... It works with every version. That helps to avoid changing README.md many times, as until now every version of nginx has worked.

The README updates automatically during the build test. The build tests always use the very latest Nginx Mainstream so the moment a new version is out it is used in the next build test and the README updates accordingly.

@mrEckendonk
Author

Indeed, it should be on. I recompiled nginx, but normally the Centmin stack should change it automatically.
Double checked it, so I changed it manually:

sendfile on;
aio on;
