Nginx speed limit can defend against CC and DDOS attacks.

Source: Internet
Author: User

Nginx is a good web server and provides a comprehensive speed limit function. The main functional modules are ngx_http_core_module, ngx_http_limit_conn_module, and ngx_http_limit_req_module. The first module includes the limit_rate function (limited bandwidth ), in the latter two modules, the functions are limit connection and limit request. These modules are compiled into the nginx core by default.

All restrictions are aimed at IP addresses, so they have a certain defensive effect on CC and DDOS.

Bandwidth limit is easy to understand.

123 location /mp3 { limit_rate 200k; }

There is one way to make the speed limit more humane, that is, the speed limit starts after a certain amount of traffic is transmitted,

For example, first transmit 1 M at full speed and then start the speed limit:

1234 location /photo { limit_rate_after 1m; limit_rate 100k; }

Next we will talk about the limited number of concurrent requests and the number of requests.

Why are there two modules? Because we know that a page usually has multiple sub-modules, such as five images, we initiate a connection when requesting this page, but this connection contains five image requests, that is to say, a connection can initiate multiple requests. To maintain the user experience, we need to select whether to limit the number of connections or the number of requests based on actual needs.

1. Limit the number of connections

To restrict connections, you must first have a container that counts connections and add the following code to the http segment:

1 limit_conn_zone $binary_remote_addr zone=addr:5m;

In this way, a speed limit pool named addr is created in the memory (each connection occupies 32 or 64 bytes, and the size of 5 MB can accommodate tens of thousands of connections, which is usually enough, if 5 MB of memory is used up, 503 is returned)

Next, we need to limit the speed of different locations (location segments) of the server. For example, to limit the number of concurrent connections of each IP address to 2

1 limit_conn addr 2;

2. Limit the number of requests

To limit the number of requests, you must first create a speed limit pool and add the following code to the http segment:

1 limit_req_zone $binary_remote_addr zone=one:5m;

The speed limit is divided into global speed limit and local speed limit,

For the global speed limit, we only need to add the following parameters, for example, 20 requests per second, rate = 20r/s, that is:

1 limit_req_zone $binary_remote_addr zone=perip:5m rate=20r /s ;

Sometimes we want to adjust the link in the location segment, you can use the burst Parameter

1 limit_req zone=one burst=50;

If you do not want latency, there is also the nodelay Parameter

1 limit_req zone=one burst=50 nodelay;

The above is the nginx Speed Limit Function introduction, improper, please correct me. The specific speed limit method should be considered to avoid damaging the user experience.

References

Http://wiki.nginx.org/HttpCoreModule#limit_rate

Http://nginx.org/cn/docs/http/ngx_http_limit_req_module.html

Http://nginx.org/cn/docs/http/ngx_http_limit_conn_module.html

Http://wiki.nginx.org/HttpLimitConnModule

Http://wiki.nginx.org/HttpLimitReqModule

Http://tengine.taobao.org/nginx_docs/cn/docs/http/ngx_http_limit_conn_module.html#limit_zone

This article from the "Focus on Linux O & M" blog, please be sure to keep this source http://purplegrape.blog.51cto.com/1330104/1228527

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.