Client Throttling & CDN

[nullx8]

we recently use a new CDN service (Cloudflare)
which does a great job for the money in speding up things regarding scripts, css and static items.

however .. all data is beeing fetched by a single IP.
with the CDN Inactive the server serves about 80 pages per sec. with an average of 10-40 http_queue (Req in Processing)

but with the CDN active the http_queue goes immideatly up to 200-700.

the server has a global security rule like this

Configuration->Server->Security->Access Control->Allowed List
173.245.48.0/20T

Configuration->Server->Security->Access Control->Allowed List
-not set-

Per Client Throttling setings are all at "0" values
the Virtual hosts have no config set

but seems not to respect this setting ...
is there anything i need to activate to disable the Throttling for the CDN servers ?

 

[NiteWave]

maybe no problem for the setting.

however .. all data is beeing fetched by a single IP.
with the CDN Inactive the server serves about 80 pages per sec. with an average of 10-40 http_queue (Req in Processing)

but with the CDN active the http_queue goes immideatly up to 200-700.

this may be normal.

assume there are 20 CDN front servers, for a single static file for example common.css, echo CDN server need fetch common.css from original server. but just for 1st time. once the common.css already on CDN server, it'll serve common.css directly.

 

[nullx8]

well i understand how a CDN works ..
the point is that if all traffic origins from a single IP and this does seem to slow dowm the process dramatically.

as stated in the first thread its about 10 times more threads in the queue,
i would not worry much about this, but on peak times .. the server runns out of reccources and database connections are beeing droped, leading to complete failure due to the pending http_requests.

the breakdown also happens if i turn the CDN off .. but leave the frontend-servers active ...
which simply makes the frontend servers to a proxy with no data stored and no cdn distribution happening.

the only difference is then that all traffic comes from the same IP.

also the pages/sec do not change much ... so there is no tripple traffic or such thing.

 

[NiteWave]

can you give a screenshot of lsws web admin -> Actions -> Real-Time Stats,
so I can better understand your issue

 

[mistwang]

Make sure you use the server level ACL to add the trusted subnet, vhost level wont work, I thought you did, but just a remainder.
Another thing to try is to try the single IP, change the subnet syntax to xxx.xxx.xxx.xxx/255.255.xxx.xxx .