
How to configure the Nginx server to prevent Flood attacks

2025-02-28 Update. From: SLTechnology News&Howtos > Internet Technology

Shulou(Shulou.com)05/31 Report--

In this article the editor explains in detail how to configure the Nginx server to prevent flood attacks. The content is detailed, the steps are clear and the details are handled properly; I hope "how to configure the Nginx server to prevent Flood attacks" helps resolve your doubts.

Test

This is a short demonstration of how to configure nginx's limit request module (limit_req) and how it protects a website from DDoS and other HTTP-based denial-of-service attacks.

For the test I created a sample page, about.html, and used blitz.io (now a free service) to exercise the limit_req directive.

First I ran the following blitz command: 1075 concurrent users for one minute, a response timeout of 2 minutes, the region set to California, and every status other than 200 treated as a failure, so that even a 503 counts as unsuccessful.

-p 1-1075:60 --status 200 -t 2000 -r california

Not bad, is it? But if this were a PHP page, a single user could well push the server into 502 errors or leave the PHP processes unresponsive. On a VPS or other cheap server with no protection in front of it the failure rate would be even higher.

Of course, you can use caching or other tools to improve server performance and responsiveness; if you run WordPress, for example, you should certainly use a WordPress caching plugin. For everything else there is the limit request module.

In nginx we define a zone inside the http {} block. I call it blitz, give it a rate of 5 requests per second and a shared memory size of 10 MB. I use $binary_remote_addr as the key: it is more compact than $remote_addr, so the same 10 MB holds the state of more visitors.

The configuration is as follows (note the terminating semicolon):

limit_req_zone $binary_remote_addr zone=blitz:10m rate=5r/s;

Then apply the zone in the server block:

location = /about.html {
    limit_req zone=blitz nodelay;
}

Then reload the nginx configuration and run the test again to see the effect:

You will find that now only 285 users get through to the server, and the number of requests per second is 4.75, which stays below the 5 requests per second we configured. Check the log and you will see that every rejected request is an HTTP 503 and every request that got through is an HTTP 200.
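A quick way to confirm this from the access log rather than from the blitz chart is to count, per client and per second, how many requests got an HTTP 200 and how many got a 503. The script below is an added example and not part of the original article; it parses nginx's default "combined" log format. The log lines are constructed for the demonstration (the client address 50.18.0.223 is the one the article's test traffic came from; the timestamps and sizes are made up).

```python
"""Check from the nginx access log that limit_req is doing what we expect.

Added example, not from the article. It parses "combined" log lines, totals
the status codes, and finds the busiest wall-clock second of successful
(HTTP 200) requests per client. A client whose peak exceeds the configured
rate (plus any burst) is a sign the limit is not applied to that location.
"""
import re
from collections import Counter, defaultdict

# combined format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def _line(ip, second, status):
    """Build one constructed log line (sizes are arbitrary sample values)."""
    size = 512 if status == 200 else 197
    return (f'{ip} - - [01/Jan/2024:10:00:{second:02d} +0000] '
            f'"GET /about.html HTTP/1.1" {status} {size} "-" "blitz"')


# Constructed sample: one flooding client gets 5 x 200 and the rest 503
# in each second, a second client makes a single request.
SAMPLE_LOG = "\n".join(
    [_line("50.18.0.223", 0, 200)] * 5 + [_line("50.18.0.223", 0, 503)] * 7
    + [_line("50.18.0.223", 1, 200)] * 5 + [_line("50.18.0.223", 1, 503)] * 4
    + [_line("203.0.113.9", 1, 200)]
)


def parse(line):
    """Return (ip, second, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "01/Jan/2024:10:00:00 +0000" -> keep the second-resolution part only
    second = m.group("ts").split(" ")[0]
    return m.group("ip"), second, int(m.group("status"))


def summarize(log_text, rate_limit):
    """Totals per status, peak successful requests per second per client,
    and the clients whose peak exceeds rate_limit."""
    status_totals = Counter()
    ok_per_second = defaultdict(Counter)  # ip -> second -> count of 200s
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines in another format
        ip, second, status = rec
        status_totals[status] += 1
        if status == 200:
            ok_per_second[ip][second] += 1
    peak = {ip: max(c.values()) for ip, c in ok_per_second.items()}
    over = sorted(ip for ip, p in peak.items() if p > rate_limit)
    return {
        "status_totals": dict(status_totals),
        "peak_ok_per_second": peak,
        "over_limit": over,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, rate_limit=5))
```

On a real server pass the contents of access.log and the rate from limit_req_zone; if a burst value is configured, add it to the limit, because up to rate+burst requests from one client can legitimately succeed inside a single second.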

This setting is useful when you want to limit access to a specific location, and it can also be applied to all PHP requests.

PHP application request limit

If you want to limit every PHP request, you can do this:

The configuration is as follows (the zone named flood must be declared with limit_req_zone in the http {} block, just like blitz above):

location ~ \.php$ {
    limit_req zone=flood;
    include php_params.conf;
    fastcgi_pass unix:/tmp/php5-fpm.sock;
}

The module also lets you tune burst and delay handling to absorb short spikes without rejecting or delaying every request over the rate. For the full list of configuration items see the ngx_http_limit_req_module documentation.
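To make the effect of rate, burst, nodelay and delay concrete, here is an added example (not nginx source and not from the article) that replays the leaky-bucket accounting of ngx_http_limit_req_module in Python. It uses the same fixed-point units as nginx, integer milliseconds for time and thousandths of a request for the bucket level, so the arithmetic is exact. The zone, the 5r/s rate and the request timings are constructed to match the article's test; the class and function names are the example's own.

```python
"""Replay how nginx's limit_req admits, delays or rejects requests.

Added illustration, not nginx code. For each key (e.g. $binary_remote_addr)
nginx stores the time of the last accepted request and an "excess" value:
how far ahead of the configured rate the client is, in 1/1000 request.
Each request drains the excess for the elapsed time and adds one request;
if the result exceeds burst the request is rejected with 503 and the stored
state is left untouched.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LimitReqZone:
    rate_rps: int                   # limit_req_zone ... rate=5r/s
    burst: int = 0                  # limit_req ... burst=N (0 if omitted)
    nodelay: bool = False           # limit_req ... nodelay
    delay: Optional[int] = None     # limit_req ... delay=N (nginx 1.15.7+)
    # key -> (last_accepted_ms, excess in thousandths of a request)
    state: dict = field(default_factory=dict)

    def check(self, key: str, now_ms: int):
        """Decide one request: ('allow', delay_ms) or ('reject', None)."""
        if key not in self.state:
            # a key seen for the first time is admitted with an empty bucket
            self.state[key] = (now_ms, 0)
            return ("allow", 0)
        last_ms, excess = self.state[key]
        # drain for the elapsed time, add this request, clamp at empty
        excess = excess - self.rate_rps * (now_ms - last_ms) + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst * 1000:
            # over burst: HTTP 503; state is deliberately not advanced, so a
            # rejected flood cannot keep a client locked out indefinitely
            return ("reject", None)
        self.state[key] = (now_ms, excess)
        threshold = 0 if self.delay is None else self.delay * 1000
        if self.nodelay or excess <= threshold:
            return ("allow", 0)
        # within burst but over the rate: held until the excess has drained
        return ("allow", excess // self.rate_rps)


def replay(zone: LimitReqZone, arrivals_ms, key="client-1"):
    """Feed request arrival times (ms) from one client through the zone."""
    allowed = rejected = delayed = 0
    for t in arrivals_ms:
        verdict, delay_ms = zone.check(key, t)
        if verdict == "reject":
            rejected += 1
        else:
            allowed += 1
            if delay_ms:
                delayed += 1
    return {"allowed": allowed, "rejected": rejected, "delayed": delayed}


def evenly_spaced(count, spacing_ms):
    """Constructed arrival pattern: `count` requests every `spacing_ms`."""
    return [i * spacing_ms for i in range(count)]


if __name__ == "__main__":
    all_at_once = [0] * 1075                 # 1075 requests in one millisecond
    ten_per_sec = evenly_spaced(600, 100)    # 10 r/s sustained for a minute
    print("5r/s, no burst, all at once :", replay(LimitReqZone(5), all_at_once))
    print("5r/s, no burst, 10 r/s      :", replay(LimitReqZone(5), ten_per_sec))
    print("5r/s, burst=5 nodelay       :", replay(LimitReqZone(5, 5, True), ten_per_sec))
    print("5r/s, burst=5 (queued)      :", replay(LimitReqZone(5, 5), ten_per_sec))
    print("5r/s, burst=5 delay=3       :", replay(LimitReqZone(5, 5, delay=3), ten_per_sec))
```

Without burst, a client sending 10 requests per second gets exactly every second one rejected; with burst=5 the first few extra requests are absorbed, and whether they are answered immediately (nodelay) or queued behind the rate (plain burst, or delay=N for only the part beyond N) is what the remaining parameters control.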

Note:

You may notice that the chart above shows 1075 user requests, which is misleading because all of them came from the same IP (50.18.0.223) in California.

It is hard for me to generate real high-traffic load or a real DDoS (distributed denial of service attack) here, which is why the number of successful users is not large when they all share one IP. Server load and the test region can also affect how many test users get through. The free version allows at most 50 concurrent users; 1000 users against your site costs $49 a day.

If you have enough memory and bandwidth, testing from a single IP address is easy with command-line load generators such as ab or openload; they run in the terminal only and have no UI.

Whatever you test with, remember to use the --status flag, because blitz otherwise counts any response that comes back within about 5 seconds as a success.

A better alternative

I won't go into more detail here. If you are serious about keeping DDoS or other multi-service attacks off your server, there are other excellent tools such as iptables (Linux), pf (the BSD packet filter) or, if your hosting provides one, a hardware firewall. The limit_req module above only stops floods of HTTP requests; it does nothing against ping floods or other vulnerabilities, for which you should close unneeded services and ports so that nobody can get in through them.

For example, the only ports my server exposes to the Internet are HTTP/HTTPS and SSH. Services such as MySQL are bound to the local interface only. You can also move some general-purpose services to less common ports so they are not picked up by scans (iptables/pf help here as well).

That concludes "how to configure the Nginx server to prevent Flood attacks". To really master these points you still need to practise and apply them yourself. For more related articles, follow the industry information channel.
