
How to configure nginx server to prevent flood attack

2022-04-29 19:27:16 Billion cloud speed



Test

I will briefly explain how to configure the nginx request limiting module (ngx_http_limit_req_module) and how it protects your website against DDoS and other HTTP-based denial of service attacks.

For this test I saved a sample page named about.html and pointed blitz.io (a free service at the time) at it, to exercise the limit_req directive.

First, on blitz I used the following command. It ramps from 1 to 1075 concurrent users over 60 seconds, sets the response timeout to 2000 ms (2 seconds), runs from the California region, and treats only HTTP 200 as success: every other status, including 503, is counted as a failure.

-p 1-1075:60 --status 200 -t 2000 -r california http://kbeezie.com/about.html


Not bad, isn't it? But had this been a PHP file, some of those users would most likely have received 502/504 responses as the PHP processes fell behind, leaving the server crashed or unresponsive. The failure rate is higher still on an unprotected VPS or other cheap server.

Of course, caching and other tools improve server performance and responsiveness; if you run WordPress, for instance, you must use a WordPress caching plugin. For the requests that still reach the backend we can use the limit request module.

In nginx we create a zone inside the http { } block. I call it blitz, allow 5 requests per second, and give it 10 MB of shared memory for its state. I use $binary_remote_addr as the key rather than $remote_addr: the binary form is shorter (4 bytes for an IPv4 address), so the same 10 MB can track more client addresses.

The code is as follows:

limit_req_zone $binary_remote_addr zone=blitz:10m rate=5r/s;

Then, inside the server { } block, apply the zone to the location:

The code is as follows:

location = /about.html {
 limit_req zone=blitz nodelay;
}


Then reload the nginx configuration and look at the result:


You'll find that now only 285 users got a successful response, at 4.75 requests per second, which stays under the 5 per second we configured. Check the access log and you'll see every rejected request logged as HTTP 503 and every served request as HTTP 200.
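To see why the throughput settles just under the configured rate and why the excess requests come back as 503, here is an added example (not from the original article) that models the leaky-bucket accounting of ngx_http_limit_req_module in Python and replays a constructed flood through it. The client count (1075) and the source address (50.18.0.223) are taken from the article; the 100 ms retry interval, the run durations and the simplification that every client retries on a fixed schedule are assumptions made for the simulation.

```python
"""Added example: a model of nginx's limit_req leaky bucket.

Mirrors the integer arithmetic of ngx_http_limit_req_module: the per-key
"excess" is kept in thousandths of a request, the rate in thousandths of a
request per second, and a request is rejected (HTTP 503) when the excess
would go above burst. Timestamps are constructed, not measured.
"""
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """One limit_req zone: rate=<rate>r/s with optional burst and nodelay."""
    rate: int                 # requests per second (the r/s value)
    burst: int = 0            # extra requests tolerated above the rate
    nodelay: bool = False     # serve burst requests at once instead of queueing
    # key (e.g. $binary_remote_addr) -> (excess in thousandths, last accepted ms)
    _state: dict = field(default_factory=dict, repr=False)

    def request(self, key: str, now_ms: int):
        """Decide one request arriving at now_ms.

        Returns (verdict, delay_ms); verdict is 'accept' (served now),
        'delay' (served after delay_ms) or 'reject' (503).
        """
        rate_milli = self.rate * 1000
        burst_milli = self.burst * 1000
        if key not in self._state:
            # first request for this key: nothing to drain, excess stays 0
            self._state[key] = (0, now_ms)
            return "accept", 0
        excess, last = self._state[key]
        elapsed = max(0, now_ms - last)
        # drain the bucket at the configured rate, then add this request
        excess = max(0, excess - rate_milli * elapsed // 1000 + 1000)
        if excess > burst_milli:
            # over the burst: 503, and the bucket state is NOT updated
            return "reject", 0
        self._state[key] = (excess, now_ms)
        if excess == 0 or self.nodelay:
            return "accept", 0
        # inside the burst without nodelay: queued until the bucket drains
        return "delay", excess * 1000 // rate_milli


def flood(zone: LimitReqZone, key: str, clients: int,
          duration_ms: int, interval_ms: int = 100) -> dict:
    """Replay `clients` concurrent clients that each retry every interval_ms
    for duration_ms (a constructed stand-in for the blitz run).
    Returns how many requests were accepted, delayed and rejected."""
    counts = {"accept": 0, "delay": 0, "reject": 0}
    for t in range(0, duration_ms, interval_ms):
        for _ in range(clients):
            verdict, _delay = zone.request(key, t)
            counts[verdict] += 1
    return counts


def main():
    # Same single source address as the article's blitz run (50.18.0.223).
    for burst, nodelay in ((0, False), (10, True), (10, False)):
        zone = LimitReqZone(rate=5, burst=burst, nodelay=nodelay)
        c = flood(zone, "50.18.0.223", clients=1075, duration_ms=60_000)
        served = c["accept"] + c["delay"]
        print(f"burst={burst:<2} nodelay={nodelay!s:<5} served={served} "
              f"({served / 60:.2f} r/s) queued={c['delay']} "
              f"rejected(503)={c['reject']}")


if __name__ == "__main__":
    main()
```

With burst=0 exactly one request per 200 ms gets through, i.e. 5 r/s, and everything else from that address is a 503. A burst allows burst+1 requests in the same instant; without nodelay those extra requests are held back by up to burst/rate seconds, with nodelay they are served immediately and the same cap applies afterwards.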

This setting is very helpful when you want to restrict a specific location; it can also be applied to all PHP requests.

PHP application request limit

If you want to limit all PHP requests, you can do it like this:

The code is as follows:

location ~ \.php {
 # the zone name must match one defined with limit_req_zone in http { };
 # this page defines "blitz", so use it here (nginx refuses to load a
 # configuration that references an undefined zone)
 limit_req   zone=blitz;
 include php_params.conf;
 fastcgi_pass unix:/tmp/php5-fpm.sock;
}

Adding burst=N lets the zone absorb short spikes, and nodelay decides whether those burst requests are served immediately or queued. For the full list of configuration items, see the module documentation: httplimitreqmodule.
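The following is an added example, not the original article's configuration, tying the zone definition and the two location blocks above into one http { } fragment and adding the pieces a practitioner usually wants next to them: an exemption for a trusted address, explicit rejection status and log level, and a burst on the PHP location. The exempt address (127.0.0.1), the document root, fastcgi_params in place of the article's php_params.conf and the server name are assumptions.

```nginx
# Added example (not the article's own config): complete http { } fragment
# for the setup described above. Paths and the exempt address are assumed.
http {
    # Requests from a trusted address get an empty key; limit_req skips
    # requests whose key is empty, so they are never counted or rejected.
    geo $limit_exempt {
        default    0;
        127.0.0.1  1;            # assumed: local monitoring / health checks
    }
    map $limit_exempt $limit_key {
        0 $binary_remote_addr;   # 4 bytes per IPv4 client instead of up to 15
        1 "";
    }

    # 10 MB of shared memory (roughly 160k IPv4 states), 5 requests per
    # second per client address.
    limit_req_zone $limit_key zone=blitz:10m rate=5r/s;

    # Rejected requests answer 503 (the default; 429 is the other common
    # choice) and are logged at "warn" so they stand out in error.log.
    limit_req_status    503;
    limit_req_log_level warn;

    server {
        listen      80;
        server_name kbeezie.com;
        root        /var/www/kbeezie.com;   # assumed path

        # Static page from the test: hard cap, excess rejected immediately.
        location = /about.html {
            limit_req zone=blitz nodelay;
        }

        # PHP: tolerate a short spike (burst=10 lets 11 requests through at
        # once), serve them without queueing, reject anything beyond that.
        location ~ \.php$ {
            limit_req    zone=blitz burst=10 nodelay;
            include      fastcgi_params;            # article uses php_params.conf
            fastcgi_pass unix:/tmp/php5-fpm.sock;
        }
    }
}
```

Run nginx -t before nginx -s reload: an undefined zone name, or a limit_req placed outside a location/server/http context, is reported there rather than after the reload. Keep the exemption list short; every address on it is outside the protection entirely.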

You may have noticed that the test above reports 1075 users. That is somewhat misleading, because all of the requests came from the same California IP (50.18.0.223).


It's hard for me to reproduce real high traffic or a DDoS (distributed denial of service attack) this way. That is why the number of successful users is about what a single IP would get. Server load and the region of the test users also affect the result. The free version allows at most 50 concurrent users; for $49 per day you can send 1000 users to your website.

If you have enough memory and bandwidth, testing from a single IP address is easy with high-concurrency load tools such as ab, openload and others; they run in the terminal and have no UI.

Of course you have to run the test yourself. Remember to use the status flag, because otherwise blitz counts any response that comes back within about 5 seconds as a hit, 503s included.

A better alternative

I won't go into detail here. If you seriously want to stop DDoS or other multi-vector attacks on your server, there are other excellent tools such as iptables (Linux), pf (the BSD packet filter), or a hardware firewall if your hosting provides one. The limit module above only blocks HTTP request floods; it does nothing against ping floods or other attacks. For those cases, shut down unnecessary services and close unused ports so nothing else is exposed.

For example, my server's only ports open to the outside are HTTP/HTTPS and SSH; services like MySQL are bound to the local interface only. You can also move common services to non-standard ports so they are not picked up by casual scans (iptables/pf help in this situation too).


Copyright notice
Author: Billion cloud speed. Please include the original link when reprinting.
https://en.qdmana.com/2022/119/202204291744570715.html
