Configure Nginx server methods to prevent flood attacks _nginx

Test

I'll simply tell you how to configure Nginx's restricted request module and how it protects your site from attacks against DDoS or other HTTP based denial of service attacks.

In this test, I put the sample page in the Blitz.io (now a free service) named About.html, which is used to test limit_req instructions.

First, I use the following instructions on the Blitz to initiate 1075 concurrent requests and continue for a minute, the response timeout is set to 2 minutes, the region is California, and all States other than state 200 are set to be abnormal, or even 503 are considered unsuccessful.

-P 1-1075:60--status 200-t 2000-r California http://kbeezie.com/about.html

It's not bad, right? But if this is a PHP document. It is likely that a user will cause the PHP process to be 502/504 states, causing the server to crash or not respond. Especially if you use a VPS or other inexpensive server without any protection, the failure rate will be higher. (original advertisement, here shielding)

Of course, you can use caching or other tools to improve server performance and responsiveness, such as you use wordpress you are sure to use the WordPress caching plugin. Da for those type of people we can use the Limit request module.

In Nginx we create a zone HTTP {}, I call him Blitz set 5 requests per second, the maximum number of data to accommodate 10MB. I use $BINARY_REMOTE_ADDR as the session variable to make you more than the $remote_ Addr's normal visitors can access more than 10MB of space.

Copy Code code as follows:

Limit_req_zone $binary _remote_addr zone=blitz:10m rate=5r/s;

The rules are defined on the server:

Copy Code code as follows:

Location =/about.html {
Limit_req Zone=blitz Nodelay;
}

Then reload the Nginx configuration and look at the effect:

You will find that now more than 285 people can access to the server, 4.75 requests per second, no more than 5 times per second we set, check the log you will find that no access to the request is HTTP 503, access to the HTTP 200.

Using this setting is helpful for trying to restrict area access, and it can also be applied to all PHP requests.

PHP Application Request Restrictions

If you want to limit all PHP application restrictions, you can do this:

Copy Code code as follows:

Location ~ \.php {
Limit_req Zone=flood;
Include php_params.conf;
Fastcgi_pass Unix:/tmp/php5-fpm.sock;
}

It can help you with something. Set items like acceleration or deceleration to respond to sudden or no latency requirements. Configuration item details, Bash here: Httplimitreqmodule.
Note:

You may notice that the chart above has tested 1075 user requests, which is misleading because all access requests are from the same IP (50.18.0.223) that is located in California.

It's hard for me to achieve a real high traffic network or DDoS (distributed Denial-of-service Attack). That's why the number of successful users we visit is not very large with IP. The server load also affects the number of visits or regions of the test user. With the free version, you can access up to 50 users with the maximum number of concurrent accesses. Of course you can spend a day $49 to get 1000 users to visit your site.

If you have enough memory and bandwidth, it is easy to test with a single IP address. Use this tool to achieve: high concurrency, AB, openload and so on. It's just a terminal interface with no UI.

Of course you have to test yourself and remember to use the status flag because Blitz will respond to the access request in about 5 seconds.

A better alternative

There's no further detail here, and if you're serious about blocking DDoS or multi-service attack against your server, there are other great software tools like Iptables (Linux), PF (packet filter for BSD), or your suit You can use your hardware firewall if you provide hardware. The above limiting module will only prevent flood attacks through HTTP requests, it will not prevent ping packet flood attacks or other vulnerabilities, for which you can turn off unwanted services and unwanted ports to prevent others from breaking through.

For example, my server has only Http/https and SSH ports exposed to the external network. The bindings of these services like MySQL are connected to the final. You can also set some generic services to a less-commonly used port so that the sniffer (IPTABLES/PF will help).