Openresty (nginx extension) for anti-CC attacks
Guide: OpenResty bundles a number of well-designed nginx modules (most of them developed independently by the OpenResty team) and effectively turns Nginx into a powerful general-purpose web application platform. With it, web developers and system engineers can use the Lua scripting language to drive the C and Lua modules that Nginx supports and quickly build high-performance web applications that handle 10K or even more than 1000K concurrent connections.
Flowchart
This article describes how to use OpenResty to defend against CC attacks. The OpenResty official website is http://openresty.org/cn/index.html. The flowchart below shows the anti-CC process.
As the flowchart shows, the anti-CC defense consists of two parts: limiting the request rate per client, and sending the client a JavaScript redirect to verify whether the request is legitimate.
Installing dependencies
RHEL/CentOS:
yum install readline-devel pcre-devel openssl-devel
Ubuntu:
apt-get install libreadline-dev libncurses5-dev libpcre3-dev libssl-dev perl
LuaJIT installation
cd /tmp/
git clone http://luajit.org/git/luajit-2.0.git
cd luajit-2.0/
make && make install
# make install puts the versioned binary in /usr/local/bin; give it the plain "luajit" name
ln -sf luajit-2.0.0-beta10 /usr/local/bin/luajit
# make the shared library visible to the system linker
ln -sf /usr/local/lib/libluajit-5.1.so.2 /usr/lib/
OpenResty installation
cd /tmp
wget http://agentzh.org/misc/nginx/ngx_openresty-1.2.4.13.tar.gz
tar xzf ngx_openresty-1.2.4.13.tar.gz
cd ngx_openresty-1.2.4.13/
./configure --prefix=/usr/local/openresty --with-luajit
make && make install
nginx configuration
nginx.conf:
http {
    [...]
    # shared memory zones used by the Lua script: per-IP request counters and JS challenge tokens
    lua_shared_dict limit 10m;
    lua_shared_dict jsjump 10m;
    server {
        #lua_code_cache off;
        listen 80;   # the port number is missing from the original listing; 80 is assumed here
        server_name www.centos.bz;
        location / {
            default_type text/html;
            content_by_lua_file "/usr/local/openresty/nginx/conf/lua";
        }
        # the real content, reachable only through ngx.exec() from the Lua script
        location @cc {
            internal;
            root html;
            index index.html index.htm;
        }
    }
}
The /usr/local/openresty/nginx/conf/lua file:
local ip = ngx.var.binary_remote_addr
local limit = ngx.shared.limit
local req, _ = limit:get(ip)
if req then
    if req > 20 then          -- more than 20 requests in the current window
        ngx.exit(503)
    else
        limit:incr(ip, 1)
    end
else
    limit:set(ip, 1, 10)      -- first request in a new window: counter 1, expires after 10 seconds
end

local jsjump = ngx.shared.jsjump
local uri = ngx.var.request_uri
local jspara, flags = jsjump:get(ip)
local args = ngx.req.get_uri_args()
if jspara then
    if flags then             -- flags set: this IP already passed the check, serve the content
        ngx.exec("@cc")
    else                      -- a challenge is pending: compare the jskey the client sent
        local p_jskey = ''
        if args["jskey"] and type(args["jskey"]) == 'table' then
            p_jskey = args["jskey"][table.getn(args["jskey"])]   -- jskey given more than once: use the last one
        else
            p_jskey = args["jskey"]
        end
        if p_jskey and p_jskey == tostring(jspara) then
            jsjump:set(ip, jspara, 3600, 1)   -- correct token: whitelist for 3600 seconds (flags = 1)
            ngx.exec("@cc")
        else                  -- wrong or missing token: send the redirect again
            local url = ''
            if ngx.var.args then
                url = ngx.var.scheme .. "://" .. ngx.var.host .. uri .. "&jskey=" .. jspara
            else
                url = ngx.var.scheme .. "://" .. ngx.var.host .. uri .. "?jskey=" .. jspara
            end
            local jscode = "<script>window.location.href='" .. url .. "';</script>"
            ngx.say(jscode)
        end
    end
else                          -- first visit from this IP: issue a random token, keep it 60 seconds
    math.randomseed(os.time())
    local random = math.random(100000, 999999)
    jsjump:set(ip, random, 60)
    local url = ''
    if ngx.var.args then
        url = ngx.var.scheme .. "://" .. ngx.var.host .. uri .. "&jskey=" .. random
    else
        url = ngx.var.scheme .. "://" .. ngx.var.host .. uri .. "?jskey=" .. random
    end
    local jscode = "<script>window.location.href='" .. url .. "';</script>"
    ngx.say(jscode)
end
Explanation of the Lua code:
1. Lines 1-12 implement the rate limit; lines 5 and 10 (the `req > 20` threshold and the 10-second expiry of the counter) mean that one IP can make at most 20 requests in 10 seconds.
2. Lines 14-48 are the validation section; the 3600 on line 24 means that once validation passes, the IP stays on the whitelist for 3,600 seconds, that is, 1 hour.
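To see how the two parts interact from one request to the next, here is a small Python model of the Lua handler above, added for this write-up and not taken from the article: SharedDict stands in for ngx.shared.DICT (expiry plus the flags value that marks a whitelisted IP) and handle() returns what the script would do for one request; the IP address, request sequence and fixed token are constructed.

```python
# Added example: a Python model of the Lua handler above, not the article's code.
# Constants mirror the script: 20 requests per 10 s, token kept 60 s, whitelist 3600 s.
WINDOW, MAX_REQ, CHALLENGE_TTL, ALLOW_TTL = 10, 20, 60, 3600


class SharedDict:
    """Stand-in for ngx.shared.DICT: get() returns (value, flags); expired keys read as absent."""

    def __init__(self, clock):
        self.clock, self.store = clock, {}   # clock() returns the current time in seconds

    def get(self, key):
        entry = self.store.get(key)
        if entry is None or (entry[1] is not None and entry[1] <= self.clock()):
            return None, None
        return entry[0], entry[2]

    def set(self, key, value, ttl=None, flags=None):
        self.store[key] = (value, self.clock() + ttl if ttl else None, flags)

    def incr(self, key, n):
        value, expiry, flags = self.store[key]
        self.store[key] = (value + n, expiry, flags)


def handle(ip, args, limit, jsjump, rand):
    """Return '503', 'js:<token>' (redirect page sent) or 'pass' (@cc served)."""
    req, _ = limit.get(ip)                      # part 1: per-IP request counter
    if req is not None:
        if req > MAX_REQ:
            return "503"
        limit.incr(ip, 1)
    else:
        limit.set(ip, 1, WINDOW)                # new window: counter 1, expires in 10 s
    jspara, flags = jsjump.get(ip)              # part 2: JavaScript redirect challenge
    if jspara is None:                          # first visit: issue a token, keep it 60 s
        jspara = rand()
        jsjump.set(ip, jspara, CHALLENGE_TTL)
        return "js:%d" % jspara
    if flags:                                   # flags == 1: already whitelisted
        return "pass"
    sent = args.get("jskey")
    if isinstance(sent, list):                  # jskey given twice: use the last value
        sent = sent[-1]
    if sent == str(jspara):
        jsjump.set(ip, jspara, ALLOW_TTL, 1)    # correct token: whitelist for 1 hour
        return "pass"
    return "js:%d" % jspara                     # wrong or missing token: redirect again
```

handle() is called once per request with the parsed query arguments; passing a list for jskey models a query string in which the parameter appears twice, the case the table branch of the Lua script handles.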
Update: 2013.5.26
1. Fixed the infinite JS redirect bug.
2. Added seeding of the random number generator.