Access control and connection restriction based on Nginx

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Preface

Nginx ships with modules that limit the number of concurrent connections, the request rate, and the sources that may connect. They can be used to mitigate DoS/DDoS attacks.

To read this article, you should know the configuration file structure and syntax of nginx.

1. Default configuration syntax

nginx.conf is the main configuration file.

The directive include /etc/nginx/conf.d/*.conf; makes nginx also read every .conf file in that directory.

1.1 Global and service level

user: the user that the worker processes run as.

worker_processes: the number of worker processes; set it to match the number of CPU cores (eight cores, eight workers) to increase concurrency.

error_log: the nginx error log.

pid: the file that stores the PID of the nginx master process.

1.2 events module

worker_connections: the maximum number of connections each worker process may handle.

use: the event-processing model to use (kernel dependent).

1.3 server

root: the path of the site's document root.

index: the page returned by default when a directory is requested (the home page).

error_page 500 502 503 504 /50x.html: the error page to serve; the leading numbers are HTTP status codes.

systemctl restart nginx.service restarts nginx; systemctl reload nginx.service reloads the configuration gracefully without shutting down the service.

2. HTTP

curl -v http://www.baidu.com > /dev/null    # -v also displays the status code, headers and other information

nginx -V    # shows the nginx version and the build configuration

3. Logs

Log types: error.log and access.log

error.log records errors while processing HTTP requests and errors of the nginx service itself; access.log records the access status of each HTTP request.

log_format: defines the format in which entries are written to access.log. log_format can only be configured in the http block.

access_log is configured in the http block.

4. Variable

Connection limiting: limit_conn_module

limit_conn_module limits the number of concurrent TCP connections. Note that a single TCP connection can carry multiple HTTP requests.

Configuration syntax:

limit_conn_module directives (syntax, scope, description):

limit_conn_zone key zone=name:size; scope: http. Declares a shared memory zone that stores connection state.

limit_conn name number; scope: http, server, location. Limits the number of concurrent connections tracked by the named zone.

limit_conn_log_level level; scope: http, server, location. Log level used when the connection limit is reached.

limit_conn_status code; scope: http, server, location. Response status code returned when the limit is exceeded; the default is 503.

limit_conn_zone declares a zone, a shared memory space that records connection state so that the number of connections can be limited.

The zone stores connection state as key-value pairs; the client address $binary_remote_addr is usually used as the key so that connections are counted per client.

When the zone space is exhausted, the server will return a 503 (Service Temporarily Unavailable) error for all subsequent requests.

Request limiting: limit_req_module

limit_req_module limits the rate of HTTP requests. Note that a single TCP connection can carry multiple HTTP requests.

Configuration syntax:

limit_req_module directives (syntax, scope, description):

limit_req_zone key zone=name:size rate=requests per second; scope: http. Declares a shared memory zone and the allowed request rate.

limit_req zone=name [burst=queue size] [nodelay]; scope: http, server, location. Applies the zone's rate limit, optionally with a burst queue.

The zone here is likewise a shared memory space that stores the per-key request state.

Burst and nodelay

burst and nodelay set a buffer (queue) for requests that exceed the rate and decide whether queued requests are delayed before being processed.

Assume the following zone configuration:

http {
    limit_req_zone $binary_remote_addr zone=req_zone:1m rate=10r/s;
}

Situation 1: limit_req zone=req_zone;

Send 10 requests in 1 second and all respond normally. Send 13 requests in 1 second: the first 10 respond normally and the last 3 return 503 (Service Temporarily Unavailable).

Without burst and nodelay, rate=10r/s executes only 10 requests per second, and any excess request gets a 503 error directly.

Situation 2: limit_req zone=req_zone burst=5;

Send 10 requests in 1 second and all respond normally.

Send 13 requests in the first second: the first 10 respond normally and the last 3 are put into the burst queue to wait for a response.

Send 20 requests in the first second: the first 10 respond normally, the next 5 are put into the burst queue, and the remaining 5 return 503 (Service Temporarily Unavailable); in the second second the 5 queued requests are executed.

Send 20 requests in the first second: the first 10 respond normally, the next 5 are queued, and the remaining 5 return 503. Then send 6 requests in the second second: the 5 queued requests are executed, 5 of the new requests are put into the queue, and the remaining 1 returns 503 (Service Temporarily Unavailable).

With burst=5 and no nodelay there is a buffer with a capacity of 5. rate=10r/s still executes only 10 requests per second; further requests go into the buffer, and once the buffer is full a 503 error is returned directly. In the next interval the buffered requests are taken out and answered, and if more requests keep arriving they are buffered again or, when the buffer is full, rejected with 503.

Situation 3: limit_req zone=req_zone burst=5 nodelay;

Send 10 requests in 1 second and all respond normally. Send 13 requests in 1 second and all 13 respond normally. Send 20 requests in 1 second: the first 15 respond normally and the last 5 return 503 (Service Temporarily Unavailable). Send 20 requests in the first second: the first 15 respond normally and the last 5 return 503; then send 6 requests in the second second and all respond normally.

With burst=5 and nodelay there is a buffer with a capacity of 5, so rate=10r/s can answer 15 requests in that second without delay; requests beyond that return 503 directly.
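To make the three situations concrete, here is an added example (the editor's Python model, not code from the article or from nginx) of the leaky bucket that limit_req implements: excess is tracked in thousandths of a request as in the nginx source, the first request for a key starts with an empty bucket, each later request adds one request and drains rate × elapsed time, anything above burst is rejected with 503, and without nodelay an accepted excess request is delayed by excess / rate. Because the bucket drains continuously at one request per 1/rate (100 ms at 10r/s) rather than per whole second, the counts it yields for 20 requests arriving at one instant differ from the per-second counting above.

```python
# Leaky-bucket model of nginx's limit_req, with rate, burst and nodelay.
# Added example by the editor; not code from the article and not the nginx source.
# As in nginx, excess is tracked in thousandths of a request: each request adds
# 1000, and the bucket drains at rate * elapsed_ms (rate in requests per second).

def simulate(arrivals_ms, rate, burst=0, nodelay=False):
    """Decide every request of one client key, arriving at the given times (ms, sorted).

    Returns a list of ("pass", 0), ("delay", delay_ms) or ("reject", 503).
    """
    excess, last = None, 0          # per-key state; None means the key has not been seen
    results = []
    for now in arrivals_ms:
        if excess is None:          # first request creates the key with an empty bucket
            excess, last = 0, now
            results.append(("pass", 0))
            continue
        elapsed = max(now - last, 0)
        cur = max(excess - rate * elapsed + 1000, 0)   # drain, then add this request
        if cur > burst * 1000:      # would overflow the burst queue: limit_req_status, 503
            results.append(("reject", 503))
            continue                # rejected requests are not accounted in the bucket
        excess, last = cur, now
        if cur == 0 or nodelay:     # nothing queued ahead of it, or nodelay: serve now
            results.append(("pass", 0))
        else:                       # delayed so the stream leaves at exactly `rate`
            results.append(("delay", cur // rate))   # excess / rate, in ms
    return results

def summary(results):
    """Count outcomes, e.g. {"pass": 1, "delay": 5, "reject": 14}."""
    return {k: sum(1 for kind, _ in results if kind == k) for k in ("pass", "delay", "reject")}

if __name__ == "__main__":
    burst20 = [0] * 20              # constructed input: 20 requests at the same instant
    print("situation 1 (no burst):       ", summary(simulate(burst20, rate=10)))
    print("situation 2 (burst=5):        ", summary(simulate(burst20, rate=10, burst=5)))
    print("situation 3 (burst=5 nodelay):", summary(simulate(burst20, rate=10, burst=5, nodelay=True)))
    print("10 requests 100 ms apart:     ", summary(simulate(list(range(0, 1000, 100)), rate=10)))
```

With burst=5 a burst of 20 simultaneous requests yields 1 passed, 5 delayed (100 ms to 500 ms) and 14 rejected; with nodelay the same 6 are served at once.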

Access Control based on IP

http_access_module provides IP-based access control. It can be bypassed through a proxy, so it keeps out the honest but not the determined.

http_access_module directives (syntax, scope, description):

allow address | CIDR | unix: | all; scope: http, server, location, limit_except. Allows access from an IP address, a CIDR block, a unix socket, or all sources.

deny address | CIDR | unix: | all; scope: http, server, location, limit_except. Denies access from an IP address, a CIDR block, a unix socket, or all sources.

allow and deny rules are checked in order from top to bottom, and the first matching rule decides whether access is allowed, so deny all (or allow all) is generally placed last.

location / {
    deny 192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny all;
}
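The first-match rule above is easy to get wrong by reordering, so here is an added example (the editor's Python, not code from the article or nginx) that evaluates the location block's allow/deny list for a client address, and shows what happens when the host deny is moved below its subnet allow. It assumes the nginx default of allowing a request that matches no rule and does not model the unix: source.

```python
# First-match evaluation of nginx allow/deny rules for a client address.
# Added example by the editor; not code from the article and not nginx's own logic.
import ipaddress

def parse_rules(rules):
    """rules: (action, source) pairs in directive order; source is an IP address,
    a CIDR block, or "all" (the unix: source is not modelled here)."""
    parsed = []
    for action, source in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        # strict=False mirrors nginx ignoring the low host bits of 10.1.1.0/16
        net = None if source == "all" else ipaddress.ip_network(source, strict=False)
        parsed.append((action, net))
    return parsed

def decide(parsed, client_ip):
    """Return "allow" or "deny" for client_ip using the first matching rule;
    with no matching rule nginx lets the request through (assumed default)."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in parsed:
        if net is None or (net.version == ip.version and ip in net):
            return action
    return "allow"

# The location block from the article, in directive order.
LOCATION_RULES = parse_rules([
    ("deny", "192.168.1.1"),
    ("allow", "192.168.1.0/24"),
    ("allow", "10.1.1.0/16"),
    ("allow", "2001:0db8::/32"),
    ("deny", "all"),
])

# Same intent, but the host deny placed after its subnet allow: it is never reached.
MISORDERED_RULES = parse_rules([
    ("allow", "192.168.1.0/24"),
    ("deny", "192.168.1.1"),
    ("deny", "all"),
])

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.50", "10.1.200.3", "2001:db8::1", "8.8.8.8"):
        print(f"{ip:>14}  ordered={decide(LOCATION_RULES, ip):5}  misordered={decide(MISORDERED_RULES, ip)}")
```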

Access control based on user password

http_auth_basic_module: login by matching a user name and password against a file.

http_auth_basic_module directives (syntax, scope, description):

auth_basic "Please enter your account password" | off; scope: http, server, location, limit_except. Enables the login prompt shown to the user (some browsers do not display the prompt text).

auth_basic_user_file path; scope: http, server, location, limit_except. The file against which the user name and password are matched.

Password files can be generated with htpasswd, which requires yum install -y httpd-tools to be installed.

# -c creates a new file, and -b takes the password directly from the arguments
$ htpasswd -bc /etc/nginx/conf.d/passwd user1 pw1
Adding password for user user1
$ htpasswd -b /etc/nginx/conf.d/passwd user2 pw2
Adding password for user user2
$ cat /etc/nginx/conf.d/passwd
user1:$apr1$7v/m0.IF$2kpM9NVVxbAv.jSUvUQr01
user2:$apr1$XmoO4Zzy$Df76U0Gzxbd7.5vXE0UsE0


Summary

The above introduced access control and connection limiting based on Nginx. If you have any questions, please leave a message and the editor will reply in time.
