| Guide | Openresty through the aggregation of a variety of well-designed nginx modules (mainly by the Openresty team independently developed), so that Nginx effectively into a powerful common WEB application platform. In this way, web developers and system engineers can use the Lua scripting language to mobilize the various C and LUA modules supported by Nginx to quickly construct high-performance WEB applications capable of concurrent connections of 10K and even more than 1000K |
This article describes the use of openresty to achieve anti-CC attacks. Openresty official website http://openresty.org/cn/index.html. The following is a flowchart for anti-CC attacks.
According to the flowchart, we know that anti-CC attacks mainly include two parts, one is to limit the request speed, and the other is to send the user JS jump code to verify whether the request is legitimate.
Rhel/centos:
Yum Install Readline-devel pcre-devel openssl-devel
Ubuntu:
Luajit InstallationApt-get Install Libreadline-dev libncurses5-dev libpcre3-dev Libssl-dev perl
openresty Installationcd/tmp/ git clone http://luajit.org/git/luajit-2.0.git cd luajit-2.0/make && make install LN-SF Luajit-2.0.0-beta10/usr/local/bin/luajit ln-sf/usr/local/lib/libluajit-5.1.so.2/usr/lib/
nginx ConfigurationCd/tmp wget http://agentzh.org/misc/nginx/ngx_openresty-1.2.4.13.tar.gz tar xzf ngx_ openresty-1.2.4.13.tar.gz cd ngx_openresty-1.2.4.13/ ./configure--prefix=/usr/local/openresty-- With-luajit make && make install
Nginx.conf:
http{ [...] Lua_shared_dict limit 10m; Lua_shared_dict jsjump 10m; server { #lua_code_cache off; Listen ; server_name www.centos.bz; Location/{ default_type text/html; Content_by_lua_file "/usr/local/openresty/nginx/conf/lua"; } Location @cc { internal; root html; Index index.html index.htm;}}} /usr/local/openresty/nginx/conf/lua file:
Local IP = ngx.var.binary_remote_addr local limit = Ngx.shared.limit local Req,_=limit:get (IP) if req then If req > then Ngx.exit (503) Else LIMIT:INCR (ip,1) End Else Limit:set (ip,1,10) End local jsjump = Ngx.shared.jsjump local URI = Ngx.var.reques T_uri local Jspara,flags=jsjump:get (IP) Local args = Ngx.req.get_uri_args () If Jspara then if Flags then Ngx.exec ("@cc") Else local p_jskey= "if args[" Jskey "] and type (arg s["Jskey"]) = = ' table ' then p_jskey=args[' Jskey '][table.getn (args["Jskey"]) else p_jskey=args["Jskey"] End If P_jskey and p_jskey==tostring ( Jspara) then Jsjump:set (ip,jspara,3600,1) ngx.exec ("@cc") Else Local url= ' If Ngx.var.args then Url=ngx.var.scheme ..":/ /".. Ngx.var.host. URI: " &jskey= ". Jspara Else Url=ngx.var.scheme ... ":/ /".. Ngx.var.host. URI: "? Jskey= ". Jspara End local jscode= "window.location.href=". URL: "';" Ngx.say (Jscode) end end Else Math.randomseed (Os.time ()); Local Random=math.random (100000,999999) jsjump:set (ip,random,60) Local url= ' if Ngx.var.args then Url=ngx.var.scheme. ":/ /".. Ngx.var.host. URI: " &jskey= ". Random Else Url=ngx.var.scheme ... ":/ /".. Ngx.var.host. URI: "? Jskey= ". Random End local jscode= "window.location.href=". URL: "';" Ngx.say (Jscode) End
The LUA Code section explains:
1, 1-12 line is the speed limit function implementation, the 5th and 10th lines indicate that 10 seconds of content can only request 20 times.
2, 14-48 lines is the validation section, 24 rows of 3600 means that after the validation pass, the white list time is 3,600 seconds, that is, 1 hours.
update:2013.5.26
1. Fixed js infinite jump bug
2. Increase random seeds
Free to provide the latest Linux technology tutorials Books, for open-source technology enthusiasts to do more and better: http://www.linuxprobe.com/
Openresty (nginx extension) for anti-CC attacks
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
