Limiting how often a single IP address may access a site within a given period is a perennial headache, especially under a malicious DDoS attack. Challenge Collapsar (CC) is one type of DDoS (Distributed Denial of Service) and a common way of attacking websites: the attacker sends a large number of requests to the victim host through proxy servers or bots, exhausting the server's resources until it stops responding.
CC attacks generally use a limited number of IP addresses that send requests to the server at high frequency. nginx can mitigate this with the HttpLimitReqModule (ngx_http_limit_req_module) and HttpLimitZoneModule (now ngx_http_limit_conn_module) configurations, which cap the number of requests or connections an IP address may make in the same period. Two caveats: the limits are keyed on the client address, so they help against a handful of sources but a large botnet can keep every source below the threshold; and if nginx sits behind a load balancer or CDN, $binary_remote_addr is the proxy's address, so all clients share one counter unless ngx_http_realip_module (set_real_ip_from for each trusted proxy plus real_ip_header) is used to recover the real client address. Never honour X-Forwarded-For from arbitrary peers for this purpose, or an attacker can choose its own rate-limit key.
HttpLimitReqModule limits the number of requests per unit of time. It is configured with the limit_req_zone and limit_req directives. When the request rate exceeds the configured value (plus any allowed burst), nginx returns error 503 (the status can be changed with limit_req_status in nginx 1.3.15 and later).
HttpLimitConnModule limits the number of concurrent connections from a single IP address. It is configured with the limit_zone and limit_conn directives (limit_zone is the old syntax; nginx 1.1.8 deprecated it in favour of limit_conn_zone and later releases removed it).
HttpLimitReqModule example
Limit the number of requests from the same IP address in a given period

http {
    ...
    # Define a limit_req_zone named allips to store per-client state, with 10 MB of shared memory,
    # using $binary_remote_addr as the key and limiting the average rate to 20 requests per second.
    # 1 MB holds roughly 16,000 states (64-byte entries; about 8,000 at 128 bytes). The rate must be
    # an integer; to allow one request every two seconds, use rate=30r/m.
    limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
    ...
    server {
        ...
        location / {
            ...
            # Limit each IP address to no more than 20 requests per second, with a leaky-bucket burst of 5.
            # burst: up to 5 requests above the rate are queued instead of rejected, so a client that stayed
            # at or below the rate (say 19 requests in each of seconds 1 to 4) may send 25 requests in the
            # 5th second. Beyond that the excess requests are rejected with error 503.
            # nodelay: without it, the queued (burst) requests are released at the average rate, so
            # rate=120r/m means one request every 500 ms, i.e. only two requests are processed per second.
            # With nodelay the queued requests are served immediately and only the overflow gets 503.
            limit_req zone=allips burst=5 nodelay;
            ...
        }
        ...
    }
    ...
}
HttpLimitZoneModule example
Limit concurrent connections
limit_zone can only be defined in the http context; limit_conn can be used in the http, server and location contexts. (limit_zone is the pre-1.1.8 syntax. On current nginx write limit_conn_zone $binary_remote_addr zone=one:10m; instead, and keep the same limit_conn line.)

http {
    ...
    # Define a limit_zone named one with 10 MB of shared memory to store per-client state, keyed on $binary_remote_addr
    limit_zone one $binary_remote_addr 10m;
    ...
    server {
        ...
        location / {
            ...
            limit_conn one 20;   # at most 20 concurrent connections per IP address
            limit_rate 500k;     # bandwidth limit per connection: an IP address with two connections can use 2 x 500 KB/s
            ...
        }
        ...
    }
    ...
}
nginx whitelist settings
The configuration above limits every IP address. Sometimes we do not want to restrict search-engine spiders or our own test addresses; the geo directive lets us whitelist specific IP ranges.
1. Define the whitelist with geo (in the http context).

geo $limited {
    default 1;
    # Google
    64.233.160.0/19 0;
    65.52.0.0/14 0;
    66.102.0.0/20 0;
    66.249.64.0/19 0;
    72.14.192.0/18 0;
    74.125.0.0/16 0;
    209.85.128.0/17 0;
    216.239.32.0/19 0;
    # Microsoft
    64.4.0.0/18 0;
    157.60.0.0/16 0;
    157.54.0.0/15 0;
    157.56.0.0/14 0;
    207.46.0.0/16 0;
    207.68.192.0/20 0;
    207.68.128.0/18 0;
    # Yahoo
    8.12.144.0/24 0;
    66.196.64.0/18 0;
    66.228.160.0/19 0;
    67.195.0.0/16 0;
    74.6.0.0/16 0;
    68.142.192.0/18 0;
    72.30.0.0/16 0;
    209.191.64.0/18 0;
    # My IPs
    127.0.0.1/32 0;
    203.0.113.0/28 0;   # placeholder (a documentation range); replace with your own server CIDR
}

The crawler ranges above are reproduced from the original article and may be stale; check them against each search engine's currently published crawler ranges before deploying. Everything listed here is exempt from rate limiting, so an attacker who can send from a whitelisted range is not limited at all.
The geo directive defines a whitelist variable $limited with a default value of 1. If the client IP address falls within one of the listed ranges, $limited is 0.
2. Use the map directive to map the client address of a search engine to an empty string, and any other client to its real address. A request whose key is an empty string is not accounted at all, so it never occupies a slot in the limit_req_zone shared memory.

map $limited $limit {
    1 $binary_remote_addr;
    0 "";
}
3. Set limit_req_zone and limit_req, keyed on $limit instead of $binary_remote_addr.

limit_req_zone $limit zone=foo:1m rate=10r/m;
limit_req zone=foo burst=5;
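To make the rate, burst and nodelay semantics from the limit_req example above and the empty-key bypass of this whitelist section concrete, here is a small Python model of nginx's limit_req leaky bucket with a geo/map-style key function. This is an added illustration, not nginx code or part of the original article: it keeps excess in milli-requests the way ngx_http_limit_req_module does, treats an empty key as "not accounted", and uses a constructed whitelist (one Google range from the list above plus documentation addresses) and constructed client addresses from the 198.51.100.0/24 documentation range.

```python
"""Model of nginx limit_req (rate / burst / nodelay) plus a geo+map whitelist key.

Illustrative model, not nginx code. Assumptions: rate, burst and excess are kept in
milli-requests like ngx_http_limit_req_module; a request with an empty key is never
accounted; WHITELIST is a constructed sample standing in for the geo block.
"""
import ipaddress

# Constructed sample whitelist (one crawler range from the article plus documentation addresses).
WHITELIST = [ipaddress.ip_network(c) for c in ("66.249.64.0/19", "127.0.0.1/32", "203.0.113.0/28")]


def limit_key(client_ip):
    """geo $limited + map $limited $limit: b'' for whitelisted clients, else the packed address."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in WHITELIST):
        return b""                      # empty key: limit_req does not count the request
    return addr.packed                  # $binary_remote_addr (4 bytes for IPv4, 16 for IPv6)


def parse_rate(spec):
    """'20r/s' -> 20000, '120r/m' -> 2000: integer milli-requests per second, as nginx stores it."""
    num, unit = spec.split("r/")
    return int(num) * 1000 // {"s": 1, "m": 60}[unit]


class LimitReq:
    """One limit_req_zone/limit_req pair: rate=..., burst=..., [nodelay]."""

    def __init__(self, rate, burst=0, nodelay=False):
        self.rate = parse_rate(rate)    # milli-requests per second
        self.burst = burst * 1000       # allowed excess, in milli-requests
        self.nodelay = nodelay
        self.states = {}                # key -> [excess, last_ms]

    def request(self, key, now_ms):
        """Return ('pass', 0), ('delay', ms) or ('reject', 0) for a request arriving at now_ms."""
        if not key:
            return ("pass", 0)          # whitelisted: never accounted, never limited
        state = self.states.get(key)
        if state is None:               # first request from this key starts with excess 0
            self.states[key] = [0, now_ms]
            return ("pass", 0)
        excess, last = state
        # Leak rate * elapsed out of the bucket, add this request, clamp at zero (nginx order).
        excess = max(excess - self.rate * (now_ms - last) // 1000 + 1000, 0)
        if excess > self.burst:
            return ("reject", 0)        # 503; the stored state is left untouched, as in nginx
        state[0], state[1] = excess, now_ms
        if excess and not self.nodelay:
            return ("delay", excess * 1000 // self.rate)   # queue until the excess has leaked
        return ("pass", 0)


def simulate(limiter, client_ip, times_ms):
    """Send one request per timestamp (ms) from client_ip; return the list of outcomes."""
    key = limit_key(client_ip)
    return [limiter.request(key, t) for t in times_ms]


if __name__ == "__main__":
    # 30 requests in the same millisecond against rate=20r/s burst=5 nodelay: 1 + burst pass, the rest get 503.
    flood = LimitReq("20r/s", burst=5, nodelay=True)
    out = simulate(flood, "198.51.100.7", [0] * 30)
    print("attacker:", out.count(("pass", 0)), "passed,", out.count(("reject", 0)), "rejected")
    print("whitelisted crawler:", simulate(flood, "66.249.64.1", [0] * 30).count(("pass", 0)), "passed")
    # Without nodelay the burst is queued: rate=120r/m releases one request every 500 ms.
    print("queued:", simulate(LimitReq("120r/m", burst=5), "198.51.100.8", [0, 0, 0, 0]))
    # rate=30r/m with no burst means one request every two seconds.
    print("30r/m:", simulate(LimitReq("30r/m"), "198.51.100.9", [0, 1000, 2000]))
```

The model shows why nodelay only changes latency, not throughput: the bucket still drains at the configured rate (one slot every 50 ms at 20r/s), so a flood that fills the burst is rejected until it leaks, while a whitelisted address is never counted and therefore never limited.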
Detailed source reference: http://www.nginx.cn/446.html