Advanced LNMP usage: reverse proxy + CC protection

Source: Internet
Author: User

First, advanced LNMP usage: the simplest Nginx reverse proxy

server
{
    listen 80;
    server_name vpsmm.com;
    location / {
        proxy_pass http://cache.vpsmm.com/;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Second, the simplest front-end full cache + reverse proxy configuration

mkdir -p /home/cache/path   # create two directories to hold the cache files
mkdir -p /home/cache/temp

Edit /usr/local/nginx/conf/nginx.conf and add the following code, which is mainly cache-related settings. Put it inside http { ##here }; adding it just above or below log_format is generally fine:

client_body_buffer_size 512k;
proxy_connect_timeout 5;
proxy_read_timeout 60;
proxy_send_timeout 5;
proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
proxy_temp_path /home/cache/temp;
proxy_cache_path /home/cache/path levels=1:2 keys_zone=cache_one:500m inactive=7d max_size=30g;

# 500m is the memory usage (the keys_zone size), 7d means entries not accessed for 7 days are deleted, 30g is the cache disk space

The following is a virtual host configuration file; save it as a .conf file under vhost:

server
{
    listen 80;
    server_name vpsmm.com; # host name
    location / {
        proxy_cache cache_one;
        proxy_cache_valid 200 304 3d; # cache normal responses (200 and 304) for 3 days
        proxy_cache_key $host$uri$is_args$args;
        proxy_pass http://www.111cn.net/; # the site being reverse-proxied
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        expires 10d; # default 10-day cache
        access_log /home/wwwlogs/vpsmm.log access; # log file
    }
}

Click through a few pages of the site, then use the du -sh command to check the size of the /home/cache directory; this tells you whether caching is working. This configuration is a full front-end cache, so the front end is not refreshed automatically when the backend content is updated dynamically. You can clear the files in the cache directory manually. Because the site is served in purely static form, this method can be used to guard against CC; if your dynamic blog is hit by a CC attack, you can try it.

Third, some simple ways to prevent CC under LNMP

Check the generated .log file to identify the referer, and 301 it straight to Baidu:

if ($http_referer ~* mi5.gov) {
    rewrite ^(.*)$ http://www.111cn.net/ permanent;
}

Check the generated .log file to identify the browser signature (User-Agent), and 301 it straight to Baidu:

if ($http_user_agent ~* firefox4.0) {
    rewrite ^(.*)$ http://www.baidu.com/ permanent;
}

Based on the signature, search the .log file directly and block the corresponding IPs with iptables:

cat com.log | grep 'Mozilla/5.0' | awk '{print "iptables -I INPUT -p tcp --dport 80 -s ", $1, " -j DROP"}' | sort -n | uniq | sh

if ($http_user_agent ~* 142.54.161.3) { rewrite ^(.*)$ http://www.111cn.net/ permanent; }
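
A more cautious form of the log-to-iptables pipeline above, as an added example that is not part of the original article: it accepts only well-formed IPv4 addresses from the first log field, counts hits per address, and prints the rules for review instead of piping them to sh. The function names, the threshold parameter and the sample log lines are constructed for illustration, and the code assumes the client IP is the first field of each log line.

```sh
#!/bin/sh
# Added example, not from the original article.
# Builds iptables DROP rules from an Nginx access log without piping raw
# log text into a shell. Rules are printed so they can be reviewed first.

# Constructed sample log lines (documentation IP ranges, made-up requests).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2013:13:55:36 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 firefox4.0"
203.0.113.7 - - [10/Oct/2013:13:55:36 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 firefox4.0"
203.0.113.7 - - [10/Oct/2013:13:55:37 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 firefox4.0"
198.51.100.9 - - [10/Oct/2013:13:55:38 +0800] "GET /a HTTP/1.1" 200 900 "-" "Mozilla/5.0 firefox4.0"
192.0.2.44 - - [10/Oct/2013:13:55:39 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
EOF
}

# gen_rules SIGNATURE THRESHOLD
# Reads a log on stdin; prints one rule per IP whose matching lines >= THRESHOLD.
gen_rules() {
    sig=$1
    min=$2
    # -F: treat the signature as a fixed string; -i mirrors Nginx's "~*".
    grep -iF -- "$sig" |
    awk -v min="$min" '
        # Only count field 1 when it is a syntactically valid IPv4 address,
        # so nothing else from the log can end up inside a command line.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255)
                hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    printf "iptables -I INPUT -p tcp --dport 80 -s %s -j DROP\n", ip
        }' | sort
}

# Demo on the constructed log: only the address with 3 or more hits is listed.
sample_log | gen_rules 'firefox4.0' 3
```

The threshold keeps a signature that ordinary browsers also send, such as Mozilla/5.0, from blocking every visitor that appears once in the log.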
