Nginx server: restricting IP access in all scenarios

Source: Internet
Author: User
Tags: nginx, server

Limit the number of accesses from one IP within the same time period

Setting a limit on how many times a given IP may access the server is a headache, especially when facing malicious DDoS attacks. A CC attack (Challenge Collapsar) is one kind of DDoS (distributed denial of service) and a common way of attacking websites: the attacker uses proxy servers or compromised hosts ("broilers") to send a large volume of requests to the victim host without pause, exhausting the server's resources until it crashes.

CC attacks generally use a limited number of IPs to send requests to the server at high frequency. Nginx can be configured with the HttpLimitReqModule and HttpLimitZoneModule to limit the number of accesses from one IP within a time period and so mitigate CC attacks.

HttpLimitReqModule limits the number of requests within a unit of time, using the limit_req_zone and limit_req directives. Once the request rate exceeds the configured limit (and any burst allowance), a 503 error is returned.

HttpLimitConnModule limits the number of concurrent connections from a single IP, using the limit_zone and limit_conn directives.

The difference between the two modules: the first limits the number of requests over a period of time, the second limits the number of connections open at the same time.

HttpLimitReqModule example: limiting how often the same IP may access within a period of time

http {
  ...
  # Define a limit_req_zone named "allips" for storing sessions, using 10M of memory,
  # keyed by $binary_remote_addr, with an average limit of 20 requests per second.
  # 1M can store about 16,000 states; the rate value must be an integer.
  # To limit to one request every two seconds, set rate=30r/m.
  limit_req_zone $binary_remote_addr zone=allips:10m rate=20r/s;
  ...
  server {
    ...
    location / {
      ...
      # Limit each IP to no more than 20 requests per second; the leaky-bucket burst is 5.
      # burst means: if seconds 1, 2, 3 and 4 each carry 19 requests,
      # 25 requests in the 5th second are still allowed.
      # But if the 1st second already carries 25 requests, requests beyond 20 in the 2nd second return 503.
      # nodelay: if this option is not set, the average rate is enforced strictly:
      # with 25 requests in the 1st second, 5 of them are deferred into the 2nd second;
      # with nodelay set, all 25 requests are served within the 1st second.
      limit_req zone=allips burst=5 nodelay;
      ...
    }
    ...
  }
  ...
}
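To see what burst and nodelay actually do to a stream of requests, here is an added example (not part of the original article, and not nginx's own code) that models the leaky-bucket accounting behind limit_req_zone/limit_req for a single client: an excess counter that grows by one per request and drains at the configured rate, a 503 once the excess would exceed burst, and a hold-back of excess/rate seconds for accepted requests when nodelay is absent. The client IP 198.51.100.7 and the request timings are constructed; the model is a simplification for study and does not cover the delay= parameter of newer nginx releases.

```python
"""Leaky-bucket model of nginx's limit_req accounting (added example, not nginx code).

Milli-requests and milliseconds are used as integers so the arithmetic does not drift.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PASS, DELAY, REJECT = "pass", "delay", "503"


@dataclass
class LimitReq:
    rate_rps: float            # rate=20r/s -> 20 ; rate=30r/m -> 0.5
    burst: int = 0             # burst=5
    nodelay: bool = False      # the "nodelay" flag
    # per-key state: (excess in milli-requests, time of the last accepted request in ms)
    _state: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    @property
    def rate_mr(self) -> int:  # milli-requests per second
        return int(self.rate_rps * 1000)

    def request(self, key: str, now_ms: int) -> Tuple[str, int]:
        """Account one request from `key` (e.g. the client IP) arriving at `now_ms`.

        Returns (outcome, delay_ms): ("pass", 0), ("delay", n) or ("503", 0).
        """
        if key not in self._state:
            # the first request for a key is accepted and starts with zero excess
            self._state[key] = (0, now_ms)
            return PASS, 0
        excess_mr, last_ms = self._state[key]
        leaked_mr = self.rate_mr * max(0, now_ms - last_ms) // 1000
        excess_mr = max(0, excess_mr - leaked_mr + 1000)   # this request adds 1 (= 1000)
        if excess_mr > self.burst * 1000:
            return REJECT, 0       # bucket overflow; a rejected request leaves the state untouched
        self._state[key] = (excess_mr, now_ms)
        if self.nodelay or excess_mr == 0:
            return PASS, 0
        # without nodelay the request is held until the bucket has drained enough
        return DELAY, excess_mr * 1000 // self.rate_mr


def outcome_counts(results: List[Tuple[str, int]]) -> Dict[str, int]:
    counts = {PASS: 0, DELAY: 0, REJECT: 0}
    for outcome, _ in results:
        counts[outcome] += 1
    return counts


def scenario_spread(seconds: int = 2, per_second: int = 25, nodelay: bool = True) -> List[Dict[str, int]]:
    """One client sends `per_second` evenly spaced requests in each of `seconds` seconds
    against rate=20r/s burst=5 (the page's settings). Returns outcome counts per second."""
    limit = LimitReq(rate_rps=20, burst=5, nodelay=nodelay)
    step = 1000 // per_second
    per_second_counts = []
    for s in range(seconds):
        results = [limit.request("198.51.100.7", s * 1000 + i * step) for i in range(per_second)]
        per_second_counts.append(outcome_counts(results))
    return per_second_counts


def scenario_flood(n: int = 25, nodelay: bool = True) -> List[Tuple[str, int]]:
    """`n` requests from one client arriving in the same millisecond."""
    limit = LimitReq(rate_rps=20, burst=5, nodelay=nodelay)
    return [limit.request("198.51.100.7", 0) for _ in range(n)]


if __name__ == "__main__":
    print("25 req/s spread evenly, two seconds:", scenario_spread())
    print("25 requests at once:", outcome_counts(scenario_flood()))
    print("same flood without nodelay, first 7:", scenario_flood(nodelay=False)[:7])
```

Running it shows the two cases the comments describe: 25 evenly spaced requests per second all pass in the first second (the excess only reaches 4.8), while in the second second 5 of them are rejected; 25 requests arriving at once get only 6 through (1 + burst) and 19 answered with 503, and without nodelay the accepted ones are spread out by 50 ms steps instead of being served immediately.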

HttpLimitZoneModule example: limiting the number of concurrent connections

limit_zone can only be defined in the http scope; limit_conn may be defined in the http, server or location scope.

http {
  ...
  # Define a zone named "one", using 10M of memory to store sessions,
  # keyed by $binary_remote_addr.
  # After nginx 1.18, limit_conn_zone replaced limit_zone,
  # and it may only be placed in the http scope.
  limit_conn_zone $binary_remote_addr zone=one:10m;
  ...
  server {
    ...
    location / {
      ...
      limit_conn one 10;   # connection limit per IP (the count 10 is assumed here; the original omitted it)
      # bandwidth limit for a single connection; an IP with two connections gets 500k x 2
      limit_rate 500k;
      ...
    }
    ...
  }
  ...
}


Restricting IPs globally for the whole server

# vi nginx.conf
  allow 10.57.22.172;
  deny all;


Restricting IP access to a specific directory

Key points

Use of ( ) and | in regular expressions: ( ) groups a set of alternatives and | means "or".
Nginx's location matching rules: regular-expression locations are matched in the order they appear in the file (tip: place the location for the directory you want to match at the beginning of the server block).
Use of allow and deny.


Example
Directory structure

Root directory: /srv/
  test1/ -- hello.php
  test2/ -- hello.php
  test3/ -- hello.php
  test4/ -- {hello.php, 1.php, 2.php}

Access requirements
For the test1 and test2 directories, only the IP address 192.168.1.101 is allowed to access; all other IPs are denied.
PHP programs in the other directories may be accessed from any IP address.

Nginx configuration file implementation

  # apply a whitelist access policy to the specified directories
  location ~ ^/(test1|test2)/ {
    allow 192.168.1.101;
    deny all;

    root /srv/;
    fastcgi_param HTTPS on;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass php5_fpm;
  }

  # proxy the PHP scripts to fpm
  location ~ \.php$ {
    root /srv/;
    fastcgi_param HTTPS on;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass php5_fpm;
  }

Precautions:
1. A deny rule must be given an IP; a bare "deny all" placed first sends every request straight to 403 and nothing below it is evaluated. If the default 403 page is served from the same domain name, this causes an endless access loop.
2. IP ranges in allow rules
List the permitted ranges from small to large, for example 127.0.0.0/24 may be followed by 10.10.0.0/16:
/24 represents the subnet mask 255.255.255.0
/16 represents the subnet mask 255.255.0.0
/8 represents the subnet mask 255.0.0.0
3. "deny all;" at the end means that everything except the allow rules above it is denied,
for example:
deny 192.168.1.1;
allow 127.0.0.0/24;
allow 192.168.0.0/16;
allow 10.10.0.0/16;
deny all;
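The three key points above (location order, allow/deny order, and a trailing "deny all") are easy to get wrong silently. As an added example that is not part of the original article and not nginx's own code, the following model reproduces the two behaviours the directory whitelist depends on: regex (~) locations are tried in file order with the first match winning, and allow/deny rules inside a location are checked in order with the first matching rule deciding (no match means allowed). The location bodies and the client IPs are constructed to mirror the page's example; the model assumes all locations are regex locations, as on this page, and ignores prefix locations.

```python
"""Model of nginx regex-location selection and allow/deny evaluation (added example, not nginx code)."""
import ipaddress
import re
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[str, Optional[Network]]        # ("allow" | "deny", network; None means "all")
Location = Tuple[str, List[Rule]]           # (regex, access rules of that location)


def parse_rules(body: str) -> List[Rule]:
    """Extract allow/deny statements from a location body; other directives are ignored."""
    rules: List[Rule] = []
    for line in body.splitlines():
        for stmt in line.split("#", 1)[0].split(";"):
            parts = stmt.split()
            if len(parts) != 2 or parts[0].lower() not in ("allow", "deny"):
                continue
            action, target = parts[0].lower(), parts[1]
            net = None if target == "all" else ipaddress.ip_network(target, strict=False)
            rules.append((action, net))
    return rules


def check_access(rules: List[Rule], client_ip: str) -> str:
    """The first matching rule wins; nginx allows the request if no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action
    return "allow"


def match_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Regex locations are tested in file order; the first one that matches is used."""
    for pattern, rules in locations:
        if re.search(pattern, uri):
            return pattern, rules
    return None


def decide(locations: List[Location], uri: str, client_ip: str) -> int:
    """HTTP status the access check yields: 200 allowed, 403 denied, 404 no location matched."""
    loc = match_location(locations, uri)
    if loc is None:
        return 404
    return 200 if check_access(loc[1], client_ip) == "allow" else 403


# Constructed location bodies mirroring the page's configuration.
WHITELIST_BODY = """
    allow 192.168.1.101;
    deny all;
    root /srv/;
    fastcgi_pass php5_fpm;
"""
PHP_BODY = "root /srv/; fastcgi_pass php5_fpm;"   # no allow/deny: open to every IP

AS_WRITTEN: List[Location] = [
    (r"^/(test1|test2)/", parse_rules(WHITELIST_BODY)),
    (r"\.php$", parse_rules(PHP_BODY)),
]
SWAPPED: List[Location] = list(reversed(AS_WRITTEN))   # generic php location placed first

# Precaution 3: the specific deny comes before the broader allow ...
ORDERED = parse_rules("deny 192.168.1.1; allow 127.0.0.0/24; allow 192.168.0.0/16; allow 10.10.0.0/16; deny all;")
# ... whereas with the broad allow first, the deny is shadowed and never reached.
SHADOWED = parse_rules("allow 192.168.0.0/16; deny 192.168.1.1; deny all;")
# Precaution 1: "deny all" placed first short-circuits everything below it.
DENY_FIRST = parse_rules("deny all; allow 192.168.1.101;")


if __name__ == "__main__":
    for uri, ip in [("/test1/hello.php", "192.168.1.101"), ("/test1/hello.php", "10.0.0.9"), ("/test4/1.php", "10.0.0.9")]:
        print(uri, ip, "as written:", decide(AS_WRITTEN, uri, ip), "swapped:", decide(SWAPPED, uri, ip))
    print("192.168.1.1 ordered:", check_access(ORDERED, "192.168.1.1"), "shadowed:", check_access(SHADOWED, "192.168.1.1"))
```

With the locations in the page's order, /test1/hello.php from 10.0.0.9 is refused with 403 while /test4/1.php is served; swap the two locations and the same request to /test1/hello.php is served, because the generic \.php$ location matches first and carries no allow/deny rules. Likewise 192.168.1.1 is denied by the ordered rule list but allowed by the shadowed one, which is the concrete reason for listing ranges from specific to broad.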
