Nginx Connection Limiting: New Syntax

Source: Internet
Author: User

Deciding how many requests a single IP may make within a given period is a headache, especially when facing malicious DDoS attacks. One of these, the CC attack (Challenge Collapsar), is a form of DDoS (distributed denial of service) and a common way of attacking websites: the attacker uses proxy servers or compromised hosts ("broilers") to send a large volume of packets to the victim host without pause, exhausting the server's resources until it stops responding or crashes.

CC attacks generally use a limited number of IP addresses that send requests to the server at high frequency. Nginx can be configured with HttpLimitReqModule and HttpLimitZoneModule to limit how often the same IP may access the server within a period of time, which helps defend against CC attacks.


HttpLimitReqModule limits the number of requests per unit of time; the limit is set with the limit_req_zone and limit_req directives. Once requests exceed the configured number, a 503 error is returned.

HttpLimitConnModule limits the number of concurrent connections from a single IP, using the limit_zone and limit_conn directives.


The difference between the two modules: the first limits the number of requests over a period of time, the second limits the number of connections open at the same time.


HttpLimitReqModule: limiting how many times the same IP may access the site within a period of time

    http {
        .....

        # Define a limit_req_zone named allips to store session state, using 10M of memory,
        # keyed on $binary_remote_addr, and limit the average rate to 1 request per second;
        # 1M can store 16000 states, and the rate value must be an integer,
        # so a rate slower than one request per second is written in the per-minute form (60r/m here).
        limit_req_zone $binary_remote_addr zone=allips:10m rate=60r/m;

        #limit_conn_zone $binary_remote_addr zone=one:10m;

        ### Log format ###
        log_format main '$remote_addr $host $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

        server {
            listen 80;
            server_name ckl.zab.com;

            location / {
                root /opt/wwwroot/zabbix;
                index index.html index.php index.htm test.php;
            }

            location ~ \.php$ {
                root /opt/wwwroot/zabbix;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

                # Limit each IP to no more than 20 requests per second, with a leaky-bucket burst of 5.
                # burst means: if seconds 1, 2, 3 and 4 each carry 19 requests,
                # then 25 requests in the 5th second are still allowed.
                # But if you send 25 requests in the 1st second, the requests beyond 20 within the first 2 seconds get a 503 error.
                # nodelay: without this option the average rate is enforced strictly, so with 25 requests
                # in the 1st second, 5 of them are held over and executed in the 2nd second;
                # with nodelay set, all 25 requests are executed in the 1st second.
                limit_req zone=allips burst=5 nodelay;
            }
        }
    }


Test:

    /opt/abtmp/usr/bin/ab -n 10 -c http://127.0.0.1/test.php

Access log:

    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" - "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:10:29 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"


The limit is one request per second; anything beyond that gets a 503.
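To make the burst and nodelay behaviour described in the configuration comments concrete, here is a small Python model of the leaky bucket that limit_req uses. This is an added example, not code from the article or from nginx itself; the client key and arrival times are constructed, and the delay= parameter it models only exists in later nginx versions.

```python
class LimitReqZone:
    """Model of the leaky bucket behind nginx limit_req (ngx_http_limit_req_module).

    Per key nginx keeps an 'excess' counter in 1/1000 of a request: it drains at
    the configured rate and grows by 1000 for every accepted request.  A request
    is rejected with 503 when excess would pass burst*1000.  With nodelay (or
    delay=burst) accepted requests are served at once; otherwise those above
    'delay' are held back so they leave the server at the configured rate.
    """

    def __init__(self, rate_per_sec, burst=0, nodelay=False, delay=0):
        self.rate = int(rate_per_sec * 1000)     # 60r/m -> 1 r/s -> 1000
        self.burst = burst * 1000
        self.delay = self.burst if nodelay else delay * 1000
        self.state = {}                          # key -> [excess, last_ms]

    def request(self, key, now_ms):
        """Return ("ok", 0), ("delayed", wait_ms) or ("503", 0) for one request."""
        if key not in self.state:                # first request from a key always passes
            self.state[key] = [0, now_ms]
            return ("ok", 0)
        excess, last = self.state[key]
        elapsed = max(0, now_ms - last)
        # drain what leaked since the previous request, then add this one
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return ("503", 0)                    # rejected requests are not accounted
        self.state[key] = [excess, now_ms]
        if excess <= self.delay:
            return ("ok", 0)
        return ("delayed", (excess - self.delay) * 1000 // self.rate)


def simulate(zone, arrivals_ms, key="203.0.113.10"):
    """Feed arrival times in ms from one constructed client IP; return the verdicts."""
    return [zone.request(key, t)[0] for t in arrivals_ms]


if __name__ == "__main__":
    # The article's zone (rate=60r/m, burst=5 nodelay) hit ten times in the same millisecond:
    # six pass, four get 503.  With no burst at all, only the first passes (nine 503s).
    print(simulate(LimitReqZone(1.0, burst=5, nodelay=True), [0] * 10))
    print(simulate(LimitReqZone(1.0), [0] * 10))
    # Same burst without nodelay: the extra requests are queued, not served immediately.
    zone = LimitReqZone(1.0, burst=5)
    print([zone.request("k", 0) for _ in range(3)])
```

Note that the access log above, with one success and nine 503s, matches the no-burst case of this model; with burst=5 nodelay in effect, six of the ten requests would pass.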



HttpLimitZoneModule: limiting the number of concurrent connections

limit_zone can only be defined in the http scope; limit_conn may be defined in the http, server or location scope.

    http {
        .....

        # Define a limit_zone named one, using 10M of memory to store session state,
        # keyed on $binary_remote_addr.
        # After nginx 1.18, limit_zone is replaced by limit_conn_zone,
        # and it can only be placed in the http scope.
        limit_conn_zone $binary_remote_addr zone=one:10m;

        ### Log format ###
        log_format main '$remote_addr $host $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';

        server {
            listen 80;
            server_name ckl.zab.com;

            location / {
                root /opt/wwwroot/zabbix;
                index index.html index.php index.htm test.php;
            }

            location ~ \.php$ {
                root /opt/wwwroot/zabbix;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;

                # Connection limit of 5 per IP
                limit_conn one 5;

                # Bandwidth limit, applied per connection: with two connections from one IP the total is 500x2k
                limit_rate 300k;
            }
        }
    }

Test:

    /opt/abtmp/usr/bin/ab -n 10 -c http://127.0.0.1/test.php

Access log:

    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" - "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" - "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" - "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" - "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" - "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"
    127.0.0.1 - - [27/Dec/2014:23:08:05 +0800] "GET /test.php HTTP/1.0" 503 206 "-" "ApacheBench/2.3"

The limit is 5 concurrent connections; connections beyond that get a 503.


This article is from the "OPS rookie" blog; please be sure to keep this source: http://ckl893.blog.51cto.com/8827818/1682248
