2025-04-11 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains how to configure Nginx to mitigate DDoS attacks. Many people have questions about this in day-to-day operations; the editor consulted a range of material and compiled a simple, practical procedure, presented below.
The configuration method is as follows:
1. Limit the number of requests per second
The ngx_http_limit_req_module module uses the leaky-bucket principle to limit the number of requests per unit of time. Once the number of requests in that unit of time exceeds the limit, nginx returns a 503 error. The configuration is set in two places:
The trigger conditions are defined in the http section of nginx.conf; there can be more than one.
The action nginx takes when a trigger condition is reached is defined inside a location.
For example:
    http {
        limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;   # trigger condition: every client IP is limited to 10 requests per second
        server {
            ...
            location ~ \.php$ {
                limit_req zone=one burst=5 nodelay;   # action to take, referenced by zone name
            }
        }
    }
Parameter description:
$binary_remote_addr: the client address in binary form.
zone=one:10m defines a zone named one and allocates 10m of memory for it to store sessions (binary remote addresses); 1m of memory holds 16000 sessions.
rate=10r/s limits the frequency to 10 requests per second.
burst=5 allows at most 5 requests beyond the frequency limit. Suppose 9 requests arrive per second in seconds 1, 2, 3 and 4; then 15 requests in second 5 are all allowed. Conversely, if 15 requests arrive in the first second, 5 of them are queued into the second second, and requests beyond 10 in the second second get a 503 directly, which works like an average rate limit over several seconds.
nodelay: requests within the burst are not delayed; with it set, all 15 requests are processed within the first second.
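As an added example that is not part of the article, the following Python model reproduces the per-client accounting of ngx_http_limit_req_module (excess tracked in thousandths of a request, drained at the configured rate, 503 once it would exceed burst, state untouched for rejected requests) and replays the two burst=5 scenarios described above. The class and function names are assumptions of this example, and the client address is the one used in the article's test.

```python
from collections import Counter


class LimitReq:
    """Per-key accounting modelled on ngx_http_limit_req_module (assumed model)."""

    def __init__(self, rate_rps: int, burst: int, nodelay: bool = False):
        self.rate = rate_rps * 1000      # thousandths of a request per second
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.state = {}                  # key -> (last_ms, excess)

    def request(self, key: str, now_ms: int) -> str:
        """Outcome of one request: 'ok', 'delay' or 'reject' (HTTP 503)."""
        if key not in self.state:        # first request from this key
            self.state[key] = (now_ms, 0)
            return "ok"
        last_ms, excess = self.state[key]
        drained = self.rate * max(0, now_ms - last_ms) // 1000
        excess = max(0, excess - drained + 1000)   # each request adds 1 (=1000)
        if excess > self.burst:
            return "reject"              # nginx leaves the stored state untouched
        self.state[key] = (now_ms, excess)
        return "ok" if excess == 0 or self.nodelay else "delay"


def simulate(arrivals_ms, rate_rps=10, burst=5, nodelay=False):
    """Count outcomes for one client sending requests at the given times (ms)."""
    lim = LimitReq(rate_rps, burst, nodelay)
    return Counter(lim.request("10.11.15.161", t) for t in arrivals_ms)


def evenly(second, n):
    """n arrival times (ms) spread evenly inside the given second."""
    return [second * 1000 + i * (1000 // n) for i in range(n)]


# Case 1 from the article: 9 req/s in seconds 1-4, then 15 in the fifth second.
CASE1 = sum((evenly(s, 9) for s in range(4)), []) + evenly(4, 15)
# Case 2 from the article: 15 requests in the first second and 15 in the second.
CASE2 = evenly(0, 15) + evenly(1, 15)

if __name__ == "__main__":
    print("case 1:", simulate(CASE1))                     # no rejects
    print("case 2:", simulate(CASE2))                     # 5 rejects in second two
    print("case 2, nodelay:", simulate(CASE2, nodelay=True))
    print("burst=0:", simulate(evenly(0, 15), burst=0))   # one request per 100 ms
```

With nodelay the accept/reject counts are identical; only the 'delay' outcomes become 'ok', which is exactly what the directive changes.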
2. Limit the number of connections per IP
The configuration method and parameters of ngx_http_limit_conn_module are very similar to those of the http_limit_req module, with fewer parameters and a simpler setup.
    http {
        limit_conn_zone $binary_remote_addr zone=addr:10m;   # trigger condition
        server {
            ...
            location /download/ {
                limit_conn addr 1;   # allow 1 connection at a time; excess connections get 503
            }
        }
    }
3. Whitelist setting
The http_limit_conn and http_limit_req modules limit the concurrency and the number of requests per unit of time for a single IP. However, if a load balancer or reverse proxy such as LVS or HAProxy sits in front of nginx, nginx sees all connections and requests as coming from the load balancer's address. In that case the load balancer's connections and requests should not be limited, and you need a whitelist built with the geo and map modules:
    geo $whiteiplist {
        default 1;
        10.11.15.161 0;
    }
    map $whiteiplist $limit {
        1 $binary_remote_addr;
        0 "";
    }
    limit_req_zone $limit zone=one:10m rate=10r/s;
    limit_conn_zone $limit zone=addr:10m;
The geo module defines a variable whiteiplist with a default value of 1. When the IP is on the whitelist, whiteiplist is 0; otherwise it stays 1.
On the whitelist -> whiteiplist=0 -> $limit="" -> nothing is stored in the 10m session state (one or addr) -> not restricted.
Not on the whitelist -> whiteiplist=1 -> $limit=binary remote address -> stored in the 10m session state -> restricted.
4. Test
Use the ab command to simulate a CC attack and test the http_limit_conn and http_limit_req modules separately. Note that the http_limit_conn module only counts connections whose requests are being processed (their header information has been fully read). If a request has finished processing but the connection is not yet closed, it is not counted, so at that point netstat can show more connections than the limit without any of them being blocked.
    ab -n <number of requests> -c <concurrency> http://10.11.15.174/i.php
If a request is blocked, the client receives a 503 and the following error log lines appear in nginx's error_log:
Connection limit reached:
14:20:26 on 2015-01-28 [error] 4107: * 65525 limiting connections by zone "addr", client: 10.11.15.161, server:, request: "get / i.php?=phpe9568f35-d428-11d2-a769-00aa001acf42 http/1.1", host: "10.11.15.174", referrer: "http://10.11.15.174/i.php"
Request limit reached:
14:18:59 on 2015-01-28 [error] 4095: 0: * 65240 limiting requests, excess: 5.772 by zone "one", client: 10.11.15.161, server:, request: "get / i.php?=phpe9568f34-d428-11d2-a769-00aa001acf42 http/1.1", host: "10.11.15.174", referrer: ""
5. Some other ways to prevent CC attacks
1. nginx modules: modsecurity, http_guard, ngx_lua_waf
ModSecurity: an application-layer WAF, powerful and able to defend against many attacks, but complex to configure.
ngx_lua_waf: a web application firewall based on ngx_lua; easy to use, high performance and lightweight.
http_guard: based on OpenResty.
2. Software + iptables
Fail2ban analyses logs and decides whether to block with iptables.
DDoS Deflate counts connections per IP with netstat and blocks with iptables.
As said at the beginning, anti-DDoS is a systemic undertaking. Optimising the system and software configuration can only fend off small-scale CC attacks. For large-scale attacks, layer-4 volumetric attacks and hybrid attacks, the bandwidth is usually saturated before the system and application software go down. Here are some ways to defend against DDoS that I have used in my work:
1. High-defence servers and ISPs with traffic scrubbing
Usually servers in the United States and South Korea; some backbone ISPs offer traffic scrubbing services, such as PCCW in Hong Kong. These can usually withstand small attacks of around 10G.
2. Traffic scrubbing services such as Akamai (Prolexic) and Nexusguard. The largest attack we have faced was 80G of traffic, and it was scrubbed successfully, but the cost is very high.
3. CDN, for example ChinaCache, Wangsu (ChinaNetCenter) and Cloudflare
Because DDoS traffic is distributed by nature, a CDN spreads that traffic out while also accelerating the website; the effect is good and the cost relatively low.
This concludes the study of how to configure Nginx against DDoS attacks. I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it. To learn more, keep following the website; the editor will keep working to bring you more practical articles.