Limiting how often a single IP address may access a site is a perennial headache, especially under a malicious DDoS. A CC attack (Challenge Collapsar) is one kind of DDoS (distributed denial of service) and a common way of attacking websites: the attacker uses proxy servers or compromised hosts ("zombies") to send the victim a stream of requests without pause, until the server's resources are exhausted and it stops responding or crashes.
CC attacks generally use a limited number of IP addresses, each sending requests at a high rate. Nginx can blunt them with two modules: ngx_http_limit_req_module limits how many requests one IP may make in a time window, and ngx_http_limit_conn_module limits how many connections one IP may hold open at the same time.
ngx_http_limit_req_module limits the rate of requests per key (here, per client IP) using the limit_req_zone and limit_req directives. Requests that arrive faster than the configured rate are tolerated up to the burst size; beyond that they are rejected with a 503 error. Note that the key is the address of the TCP peer: behind a load balancer or CDN every client shares the proxy's address and would be limited as one, so the realip module (set_real_ip_from, real_ip_header) must restore the real client address before limiting per IP.
ngx_http_limit_conn_module limits the number of concurrent connections per key using the limit_conn_zone and limit_conn directives. (Older versions of nginx used the limit_zone directive for this; it was replaced by limit_conn_zone in 1.1.8 and later removed, so new configurations should use limit_conn_zone.)
ngx_http_limit_req_module example
Limit the request rate of a single IP within a time period
http{
    ...
    # Define a limit_req_zone named allips that stores per-client state in 10M of shared memory,
    # keyed on $binary_remote_addr, limiting each client to an average of 20 requests per second.
    # 1M of memory holds about 16,000 states. The rate must be an integer number of requests per
    # second (r/s) or per minute (r/m); to allow one request every two seconds, write rate=30r/m.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
    ...
    server{
        ...
        location / {
            ...
            # Limit each IP to 20 requests per second, with a leaky-bucket burst of 5.
            # burst means: when requests arrive faster than the rate, up to 5 excess requests are
            # still accepted; any further excess request is rejected with a 503 error. nginx does
            # not count per wall-clock second but drains a leaky bucket continuously, so 25 requests
            # spread evenly over one second all pass, while 25 arriving at the same instant get
            # 6 accepted (the first plus the burst of 5) and the remaining 19 refused.
            # nodelay: without it the excess requests are not refused but held back so that they
            # are served at the average rate; with rate=120r/m that is 2 requests per second.
            limit_req zone=allips burst=5 nodelay;
            ...
        }
        ...
    }
    ...
}
ngx_http_limit_conn_module example
Limit the number of concurrent connections
limit_conn_zone may only be defined in the http context; limit_conn may be used in the http, server and location contexts.
http{
    ...
    # Define a zone named one with 10M of shared memory to store per-client state, keyed on $binary_remote_addr.
    # (On nginx older than 1.1.8 the same thing was written: limit_zone one $binary_remote_addr 10m;)
    limit_conn_zone $binary_remote_addr zone=one:10m;
    ...
    server{
        ...
        location / {
            ...
            limit_conn one 20;   # at most 20 concurrent connections per IP
            limit_rate 500k;     # bandwidth limit per connection: an IP with two connections gets 2 x 500k
            ...
        }
        ...
    }
    ...
}
Nginx whitelist setting
The configuration above limits every IP. Sometimes we do not want search-engine spiders, or our own test machines, to be limited.
For a specific whitelist of IPs we can use the geo directive.
1. Mark whitelisted addresses with geo
http{
    geo $limited {
        default 1;
        #google
        64.233.160.0/19 0;
        65.52.0.0/14 0;
        66.102.0.0/20 0;
        66.249.64.0/19 0;
        72.14.192.0/18 0;
        74.125.0.0/16 0;
        209.85.128.0/17 0;
        216.239.32.0/19 0;
        #Microsoft
        64.4.0.0/18 0;
        157.60.0.0/16 0;
        157.54.0.0/15 0;
        157.56.0.0/14 0;
        207.46.0.0/16 0;
        207.68.192.0/20 0;
        207.68.128.0/18 0;
        #yahoo
        8.12.144.0/24 0;
        66.196.64.0/18 0;
        66.228.160.0/19 0;
        67.195.0.0/16 0;
        74.6.0.0/16 0;
        68.142.192.0/18 0;
        72.30.0.0/16 0;
        209.191.64.0/18 0;
        #My IPs
        127.0.0.1/32 0;
        123.456.0.0/28 0; #placeholder for your own server CIDR: replace it, since 456 is not a valid octet and nginx will reject the line as written
    }
The search-engine ranges are those given in the original article; they change over time, so verify them against the engines' published address lists before relying on them, and remember that every address inside a whitelisted range is exempt from the limit.
The geo directive defines a variable $limited with a default value of 1; if the client IP falls inside one of the ranges above, $limited is 0.
2. Use map to turn the key into an empty string for search-engine clients and into the real address for everyone else. An empty key is never stored in the limit_req_zone shared memory, so those clients are not limited at all.
    map $limited $limit {
        1 $binary_remote_addr;
        0 "";
    }
3. Define limit_req_zone on the mapped variable instead of $binary_remote_addr, and apply it with limit_req
    limit_req_zone $limit zone=foo:1m rate=10r/m;
    limit_req zone=foo burst=5;
}
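The burst and nodelay behaviour described in the comments of the first configuration, and the effect of the empty key the map above produces for whitelisted clients, are easiest to see by running the arithmetic. The following is an added Python simulation, not nginx source and not part of the original article: it reproduces the per-key leaky-bucket computation of ngx_http_limit_req_module (excess tracked in thousandths of a request, leaked at the configured rate, compared against burst), and the client address and all arrival times are constructed for the demonstration.

```python
"""Offline simulation of nginx's limit_req decision (added example, not nginx source).

nginx keeps, per key, the time of the last request and an 'excess' value in
thousandths of a request. On each request the excess leaks at the configured
rate, one request (1000) is added, and the result is compared with burst.
The client address and arrival times below are constructed for this example.
"""


class LimitReqZone:
    """One limit_req_zone plus the burst/nodelay parameters of limit_req."""

    def __init__(self, rate_rps, burst=0, nodelay=False):
        self.rate = rate_rps * 1000      # thousandths of a request per second
        self.burst = burst * 1000        # allowed excess, same units
        self.nodelay = nodelay
        self.state = {}                  # key -> (last_ms, excess)

    def check(self, key, now_ms):
        """Decide one request: ('ok', 0), ('delay', ms) or ('reject', 0)."""
        if key == "":
            # An empty key (what the map yields for whitelisted IPs) is never
            # looked up in the zone, so the request is never limited.
            return ("ok", 0)
        if key not in self.state:
            # First request from this key: excess starts at 0, which is why
            # 1 + burst requests pass before the first 503.
            self.state[key] = (now_ms, 0)
            return ("ok", 0)
        last_ms, excess = self.state[key]
        elapsed_ms = max(now_ms - last_ms, 0)
        # Leak what the rate allows for the elapsed time, then add this request.
        excess = excess - self.rate * elapsed_ms // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:
            return ("reject", 0)          # nginx answers 503 here (limit_req_status)
        self.state[key] = (now_ms, excess)
        if excess and not self.nodelay:
            # Without nodelay the request is held until the bucket has leaked
            # enough for it to fit the average rate.
            return ("delay", excess * 1000 // self.rate)
        return ("ok", 0)


def simulate(zone, key, arrival_ms):
    """Feed requests from one key at the given times; return counts per verdict."""
    counts = {"ok": 0, "delay": 0, "reject": 0}
    for t in arrival_ms:
        verdict, _ = zone.check(key, t)
        counts[verdict] += 1
    return counts


# The situations the configuration comments describe, with rate=20r/s burst=5.
CLIENT = "198.51.100.7"   # constructed client address


def burst_at_once(nodelay=True):
    """25 requests from one IP in the same millisecond."""
    return simulate(LimitReqZone(20, burst=5, nodelay=nodelay), CLIENT, [0] * 25)


def spread_over_second():
    """25 requests from one IP spaced 40 ms apart: above 20r/s, but inside the burst."""
    arrivals = [i * 40 for i in range(25)]
    return simulate(LimitReqZone(20, burst=5, nodelay=True), CLIENT, arrivals)


def whitelisted():
    """A whitelisted client: the map produced an empty key, so nothing is limited."""
    return simulate(LimitReqZone(20, burst=5, nodelay=True), "", [0] * 25)


if __name__ == "__main__":
    print("same instant, nodelay:   ", burst_at_once())
    print("same instant, no nodelay:", burst_at_once(nodelay=False))
    print("spread 40 ms apart:      ", spread_over_second())
    print("whitelisted (empty key): ", whitelisted())
```

Running it shows that 25 simultaneous requests give 6 accepted and 19 rejected with nodelay (1 accepted, 5 delayed and 19 rejected without it), while the same 25 requests spaced 40 ms apart are all accepted, which is why a limit on "requests per second" should be read as an average rate plus a burst rather than a hard per-second counter. A zone of rate 2r/s (the 120r/m case) with burst=0 accepts a second request from the same key only once 500 ms have passed.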